Security Incidents mailing list archives
Re: Romeo&Juliet (fwd)
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Fri, 17 Nov 2000 12:23:06 -0800
On Thu, 16 Nov 2000, Michał 'CeFeK' Nazarewicz wrote:
I've just received strange e-mail from the person living in my country, but one I've never written to. It looks very, very suspicious: message body looks corrupted (pine says it's encoded in qp, but contains non-hexadecimal characters). There are two attachments: one is of APPLICATION/X-MSWORD type, but its extension is .EXE. The second one is of .CHM extension, I haven't looked at it yet. The subject of this e-mail is Romeo&Juliet... so this looks like
I looked at one of these yesterday. There was another individual who posted about it yesterday as well. It basically sends an HTML e-mail, with a bit of VBScript:

<SCRIPT>
window.showHelp("c:/windows/temp/proj1.chm");
</SCRIPT>

Now, Outlook doesn't put attachments in the temp dir. You actually have to run the attachment (the version I have was dumbed-down to just run Wordpad.) However, I think some version of Eudora used to do that.

In any case, I believe that this will be somewhat limited in how far it spreads... it still relies on people to click on it in most situations.

Ryan
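A mail-triage check for the three traits described in this thread (an executable attachment declared as a Word document, a .CHM attachment, and an HTML body that calls window.showHelp on a local .chm path), as an added example that is not part of the original posts. The extension list, the finding labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for illustration; tune them to local mail policy.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}
DOCUMENT_TYPES = {"application/msword", "application/x-msword"}
# showHelp() pointed at a .chm path, as in the script quoted in the thread.
SHOWHELP_RE = re.compile(r"showHelp\s*\(\s*[\"'][^\"']*\.chm[\"']", re.I)

def triage(raw: bytes) -> list[str]:
    """Return a sorted list of findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        # Declared as a Word document, but the filename says executable.
        if ext in EXECUTABLE_EXT and ctype in DOCUMENT_TYPES:
            findings.add(f"type-mismatch:{name}:{ctype}")
        if ext == ".chm":
            findings.add(f"chm-attachment:{name}")
        # Inline HTML body (no filename) that opens a help file by path.
        if ctype == "text/html" and not name:
            if SHOWHELP_RE.search(part.get_content()):
                findings.add("html-showhelp-local-chm")
    return sorted(findings)

def build_sample() -> bytes:
    """Constructed message with the shape described above; payloads are inert."""
    m = EmailMessage()
    m["Subject"] = "Romeo&Juliet"
    m["From"] = "sender@example.invalid"
    m["To"] = "rcpt@example.invalid"
    m.set_content("placeholder text part")
    html = '<html><script>window.showHelp("c:/windows/temp/proj1.chm");</script></html>'
    m.add_alternative(html, subtype="html")
    m.add_attachment(b"inert-bytes-1", maintype="application",
                     subtype="x-msword", filename="sample.exe")
    m.add_attachment(b"inert-bytes-2", maintype="application",
                     subtype="octet-stream", filename="sample.chm")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Any one finding is a reason to quarantine the message for review; the combination of all three matches the message described in this thread.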