Vulnerability Development mailing list archives

Re: A very dangerous mail...


From: "Nexus" <nexus () patrol i-way co uk>
Date: Wed, 25 Jul 2001 14:04:43 +0100

Hi folks,
Marius was kind enough to send me a copy of the original email,
including attachments.   I've always enjoyed analysing unknown and
potentially malicious files like this - feel free to pass such things on to
me.   Yes, I did just say that ;-)
Anyway, in short the email contained an early variant of the Efortune worm
(W32.Efortune.28672@mm) details of which can be found at
http://www.symantec.com/avcenter/venc/data/w32.efortune.28672@mm.html - to
precis from the writeup : "The W32.Efortune.28672@mm worm is an encrypted
mass mailer with backdoor capabilities. It uses IRC to spread."
The other attachment was fortune.zip which contained 2 files, cookie.exe and
a file_id.diz that describes the file as :

"                       FortuneCookie 32 - Version 1.0
                                * FREEWARE *

DESCRIPTION:
============

        FortuneCookie 32 is a Windows 32 version of the classical
fortune cookies you can get at some restaurants. It's very simple
double clicking on the cookie.exe file will bring up a fortune cookie.
        This program is freeware so feel free to send out a word of
wisdom to your friends!"

The cookie.exe [13/4/2001 16:15 28672 bytes] is actually another copy of the
worm.

Cheers.

----- Original Message -----
From: "Marius Huse Jacobsen" <mahuja () c2i net>
[snip]
Exactly how bad is it? The offending line seems to be
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>

Html email was a curse to begin with and it hasn't become any better.
Can anyone give me that ascii ribbon sig?
[snip]
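
One way to flag the construct quoted above, as an added example that is not part of the original thread: it decodes the quoted-printable HTML part (so `=3D` becomes `=`) and reports zero-size iframes whose `src` is a `cid:` reference, along with the attachment that Content-ID resolves to. The sample message, the `placeholder.exe` name and the function name are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample message (not the original mail): a quoted-printable HTML
# part carrying the iframe line quoted above, plus a placeholder attachment.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>Hello
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
</body></html>
--b1
Content-Type: application/octet-stream; name="placeholder.exe"
Content-ID: <THE-CID>
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']?([^\s"'>]+)""")

def hidden_cid_iframes(raw):
    """Return (cid, attachment filename or None) for each zero-size cid: iframe."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Map Content-ID (angle brackets stripped) to the part that carries it.
    by_cid = {p["Content-ID"].strip("<> "): p
              for p in msg.walk() if p["Content-ID"]}
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # undoes quoted-printable (=3D -> =)
        for tag in IFRAME.findall(html):
            attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
            src = attrs.get("src", "")
            zero = attrs.get("height") == "0" or attrs.get("width") == "0"
            if src.lower().startswith("cid:") and zero:
                target = by_cid.get(src[4:])
                hits.append((src[4:], target.get_filename() if target else None))
    return hits
```

On the constructed sample, `hidden_cid_iframes(SAMPLE)` returns one hit pairing `THE-CID` with the attachment name; a message whose iframe has non-zero dimensions returns an empty list.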

