Readme.exe, Eudora, and Opera (was Re: [thelist] failure notice (& CF TIP))

Shirley Kaiser, SKDesigns skaiser1 at skdesigns.com
Wed Sep 19 12:51:55 CDT 2001


Speaking of the Readme.exe file:

I do NOT use Outlook, I use Opera 5.12 as my primary browser, and I don't 
have NT server or IIS server installed on my hard drive. They came into my 
computer without my knowledge in the least. (I'm on a PC with Win98)

My ISP's server got nailed yesterday morning with the Nimda virus, and I 
also ended up having 5 copies of the Readme.exe file in my Eudora files in 
the Embedded folder, NOT the attachments folder where virus attachments to 
email would go:

Qualcomm\Eudora\Embedded\Readme.exe

And since I received it several times, Eudora changed the name 
automatically, so there was:
Readme.exe
Readme1.exe
Readme2.exe
Readme3.exe
Readme4.exe

The same files were also in the backup files that I've set Eudora to 
automatically make.

When one of my colleagues found the virus (unknowingly at that point) at 
one of my sites yesterday morning (the popup window came up with the weird 
message), he told me about this weird popup window and why was I doing 
that..... so I went to my site with Opera and checked it out, at that point 
neither of us knowing why I had this weird popup window. Fortunately he 
found out why within minutes and emailed me information, and then I called 
my ISP about it. (Thanks to Charles Johnson of 
http://www.littlegreenfootballs.com/ for happening to visit my site and 
find it and let me know yesterday....)

After that Opera kept crashing and I couldn't open it with my usual "Open 
with previously saved windows".... and Opera never crashes on me. So I knew 
something was up. So I opened it with no windows and immediately deleted my 
cache and my history. Then it worked fine.

That's when I also wondered if anything was on my computer anywhere else, 
ran the Readme.exe search and found those files in the Embedded folder in 
Eudora. I'd already looked in the Attachments folder (the usual spot for 
virii) and didn't find anything. This was before the virus updates were 
available.

Needless to say, I also ran a complete scan of my entire computer after I 
downloaded the latest virus software update yesterday afternoon.

So even if you don't think you have any problems, I'd still suggest running 
a search on your computer and making sure you don't have any of the problem 
files residing in it. The problem files may just sit there and not do anything, 
as mine hadn't yet, but I also didn't open that Readme.exe file (and 
I wouldn't have, either).

So that's my story. ;-) Hope it helps someone else.

Warmly,
Shirley
--
Shirley E. Kaiser, M.A.
SKDesigns  mailto:skaiser1 at skdesigns.com
Website Development  http://www.skdesigns.com/
Pianist, Composer  http://www.shirleykaiser.com/
Moderator, I-Design http://www.adventive.com/lists/idesign/summary.html

At 07:05 AM 09/19/2001, you wrote:
>One more tip while people are tossing them about about virii and windows..
>
>Search your IIS server for a file called root.exe and delete it - if you 
>have it you've been compromised. *NO* patches from MS delete this file.
>
>Ironically, I blogged this last week:
>root.exe allows anyone on the internet to have commands on the machine 
>executed with web server privileges, and can typically be used to set up 
>logging of credit card information and other sensitive data on SSL 
>servers. This has created a new class of ecommerce site which has been 
>correctly patched for known server vulnerabilities, but have a live 
>backdoor facility enabling attackers to continue to remain in control of 
>the machine.
>
>typically you'll find the file in the inetpub/scripts directory. I had 
>four clients yesterday who had their machines 100% patched, but were still 
>being controlled through the root.exe file. What's more scary is 13% of 
>*SSL* IIS websites on the internet have the root.exe exploit installed on 
>them according to Netcraft..
>
>.djc.
>
>Richard H. Morris wrote:
>
>>John Handelaar [genghis at members.evolt.org] wrote:
>>
>>>-----Original Message-----
>>>Utterly unhelpful.  Way to go, Richard.
>>>
>>>The answer:
>>>
>>>1       Look for all instances of README.EXE on your local
>>>         disks and delete them
>>>
>>>2       Search the registry for 'macrosoft' and remove the
>>>         keys
>>>
>>>3       Uninstall IIS and Windows Scripting Server on your
>>>         desktop machine
>>>
>>>4       Disable 'active scripting' in IE at all 4 security
>>>         settings.  Better still, get Mozilla 0.9.4 instead
>>>         'cos it's (believe it or not) more robust and doesn't
>>>         suffer from the security bug which enables one
>>>         of this worm's 6 or 7 methods of propagation.
>>Re: 4, just get a Mac and don't worry about Wintel executables? Just as
>>helpful advice...
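The file-name search that both Shirley and John recommend (Readme.exe and the Readme1.exe, Readme2.exe... copies Eudora writes into its Embedded folder, plus djc's root.exe under inetpub/scripts) can be scripted so it covers a whole drive rather than one folder at a time. The following is an added example, not code from anyone in this thread; the directory tree it builds is constructed here to mirror the layout described above, and the match patterns are my own reading of those messages (Windows file names are case-insensitive, hence the case-insensitive regexes). It does not cover the registry search for 'macrosoft', and a name-based sweep is only a first check, not a substitute for the full scan with updated signatures that Shirley also ran.

```python
"""Scan a directory tree for files named like the Nimda artifacts this thread
describes: Readme.exe (and the ReadmeN.exe copies Eudora creates on repeated
receipt) and root.exe under an IIS scripts directory.

Added example, not from the original thread.  The directory layout built in
make_sample_tree() is constructed here for illustration only.
"""
import os
import re
import tempfile

# Readme.exe, Readme1.exe, ... (Eudora renames duplicates by appending a digit).
README_RE = re.compile(r"^readme\d*\.exe$", re.IGNORECASE)
# root.exe is the backdoor the thread says typically lands in inetpub/scripts.
ROOT_RE = re.compile(r"^root\.exe$", re.IGNORECASE)


def classify(path):
    """Return a short reason string if the file name matches a known artifact, else None."""
    name = os.path.basename(path)
    parent = os.path.basename(os.path.dirname(path)).lower()
    if README_RE.match(name):
        return "readme-style dropper"
    if ROOT_RE.match(name):
        if parent == "scripts":
            return "root.exe backdoor in scripts directory"
        return "root.exe outside scripts directory (still suspicious)"
    return None


def scan(root):
    """Walk root and return sorted (relative_path, reason) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, reason))
    return sorted(hits)


def make_sample_tree():
    """Build a constructed directory tree mirroring the layout described in the thread."""
    base = tempfile.mkdtemp(prefix="nimda-scan-")
    layout = {
        "Qualcomm/Eudora/Embedded": ["Readme.exe", "Readme1.exe", "Readme4.exe", "notes.txt"],
        "Qualcomm/Eudora/Attach": ["invoice.pdf"],
        "Inetpub/scripts": ["root.exe", "login.asp"],
        "Inetpub/wwwroot": ["index.html", "README.txt"],
    }
    for rel, names in layout.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"placeholder")  # contents are irrelevant to a name-based sweep
    return base


if __name__ == "__main__":
    # Point scan() at a real drive root (e.g. "C:\\") to sweep a machine;
    # here it runs over the constructed sample tree.
    tree = make_sample_tree()
    for rel, reason in scan(tree):
        print(f"{rel}: {reason}")
```

Run against the sample tree it reports the three Readme*.exe copies in the Embedded folder and root.exe in Inetpub/scripts, and ignores README.txt, which matches the name but not the extension. On a real machine, review each hit before deleting it; the script only flags names, it does not inspect contents.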
