Security Incidents mailing list archives

Re: Romeo&Juliet (fwd)


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Fri, 17 Nov 2000 12:23:06 -0800

On Thu, 16 Nov 2000, Michał 'CeFeK' Nazarewicz wrote:
      I've just received a strange e-mail from a person living in my
country, but one I've never written to. It looks very, very suspicious:
the message body looks corrupted (pine says it's encoded in qp, but contains
non-hexadecimal characters). There are two attachments: one is of
APPLICATION/X-MSWORD type, but its extension is .EXE. The second one is
of .CHM extension, I haven't looked at it yet.
      The subject of this e-mail is Romeo&Juliet... so this looks like

I looked at one of these yesterday.  There was another individual who
posted about it yesterday as well.  It basically sends an HTML e-mail,
with a bit of VBScript:

<SCRIPT>
 window.showHelp("c:/windows/temp/proj1.chm");
</SCRIPT>

Now, Outlook doesn't put attachments in the temp dir.  You actually have
to run the attachment (the version I have was dumbed-down to just run
Wordpad.)  However, I think some version of Eudora used to do that.  

In any case, I believe that this will be somewhat limited in how far it
spreads... it still relies on people to click on it in most situations.

                                        Ryan
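
A defender-side triage check for the traits described in this thread, added here as an example and not part of the original posts: it flags a Word MIME type on an .EXE attachment, a .CHM attachment, and an HTML body whose script calls window.showHelp() on a local drive path. The function name, the extension list and the sample message (including its attachment file names) are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Extensions that run code on Windows; .chm is compiled HTML Help.
RISKY_EXT = {".exe", ".chm", ".scr", ".pif", ".vbs"}
DOC_TYPES = {"application/msword", "application/x-msword"}
# showHelp() aimed at a local drive path, as in the script quoted in the post.
SHOWHELP_LOCAL = re.compile(r"showHelp\s*\(\s*[\"'][a-z]:[/\\]", re.I)

def triage(raw: bytes) -> list:
    """Return findings for one raw RFC 822 message (hypothetical helper)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXT:
            findings.append("risky-attachment:" + name)
        # Declared document type does not match an executable extension.
        if ctype in DOC_TYPES and ext == ".exe":
            findings.append("type-mismatch:" + ctype + ":" + name)
        if ctype == "text/html" and SHOWHELP_LOCAL.search(part.get_content()):
            findings.append("html-showhelp-local-path")
    return findings

# Constructed sample (not a captured message); attachment bodies are dummy bytes.
SAMPLE = b"""\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="us-ascii"

<script>window.showHelp("c:/windows/temp/proj1.chm");</script>
--B
Content-Type: application/x-msword
Content-Disposition: attachment; filename="sample.exe"

AAAA
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="sample.chm"

AAAA
--B--
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```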

