Vulnerability Development mailing list archives
Re: A very dangerous mail...
From: "Nexus" <nexus () patrol i-way co uk>
Date: Wed, 25 Jul 2001 14:04:43 +0100
Hi folks,

Marius was kind enough to send me a copy of the original email, including attachments. I've always enjoyed analysing unknown and potentially malicious files like this - feel free to pass such things on to me. Yes, I did just say that ;-)

Anyway, in short the email contained an early variant of the Efortune worm (W32.Efortune.28672@mm) details of which can be found at http://www.symantec.com/avcenter/venc/data/w32.efortune.28672 () mm html - to precis from the writeup:

"The W32.Efortune.28672@mm worm is an encrypted mass mailer with backdoor capabilities. It uses IRC to spread."

The other attachment was fortune.zip which contained 2 files, cookie.exe and a file_id.diz that describes the file as:

"FortuneCookie 32 - Version 1.0
* FREEWARE *
DESCRIPTION:
============
FortuneCookie 32 is a Windows 32 version of the classical fortune cookies you can get at some restaurants. It's very simple double clicking on the cookie.exe file will bring up a fortune cookie. This program is freeware so feel free to send out a word of wisdom to your friends!"

The cookie.exe [13/4/2001 16:15 28672 bytes] is actually another copy of the worm.

Cheers.

----- Original Message -----
From: "Marius Huse Jacobsen" <mahuja () c2i net>
[snip]
Exactly how bad is it? The offending line seems to be
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
Html email was a curse to begin with and it hasn't become any better.

Can anyone give me that ascii ribbon sig?
[snip]