Security Incidents mailing list archives

Re: New worm? 'readme.eml'

From: "Christopher X. Candreva" <chris () westnet com>
Date: Tue, 18 Sep 2001 11:46:48 -0400 (EDT)

On Tue, 18 Sep 2001, Pedro Miller Rabinovitch wrote:

I've inspected the executable code, and it reads like a worm. (doh)

Has anyone seen this?


I just got a readme.exe e-mail to me from a dsl.net IP address a few minutes
ago. Odd thing is it sends it's Content-type as audio/x-wav I've added the
following to filter it in procmail:

:0 B
* >50000
* <90000
* ^Content-Type: audio/x-wav;
* ^     name="readme.exe"
YourVirustrapHere


==========================================================
Chris Candreva  -- chris () westnet com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

New worm? 'readme.eml' Pedro Miller Rabinovitch (Sep 18)
- Re: New worm? 'readme.eml' Christopher X. Candreva (Sep 18)
  - Re: New worm? 'readme.eml' Tony Abedini (Sep 18)
- <Possible follow-ups>
- Re: New worm? 'readme.eml' coop (Sep 18)
- RE: New worm? 'readme.eml' Mark Ng (Sep 18)