[thelist] virus and readme.eml

Ron Thigpen rthigpen at nc.rr.com
Wed Sep 19 13:41:07 CDT 2001


yes, readme.eml is a mulitpart-MIME formatted file that used by the worm 
  in one of many propagation methods.

infected webpages have been appended with a bit of javascript that will 
attempt to open a new browser window (offset by 6000 pixels vertically 
and horizontally from the upper left corner of your screen, so that you 
may not see this window) and load the file readme.eml into this new window.

this file takes advantage of a vulnerability in some unpatched versions 
of IE that allow it to execute code embedded in these multipart-MIME 
files.   one part of this multipart message is a base64 encoded file 
named readme.exe.  so, readme.eml is a transport vessel for readme.exe.

if you are running a vulnerable version of IE, you may see a cmd (DOS 
command) window pop up as the readme.exe file is executed.  once this 
occurs, that machine is infected.  infected machines will begin trying 
to propoagate the virus via file shares, web server infection (as 
above), network scanning for vulnerable web servers (similar to Code Red 
propagation), and by e-mail (similar to Melissa propagation).

if you are not running a vulnerable version of IE you may have been 
prompted to open, run or save this eml file.  the safest choice is to 
'Cancel', choosing none of these, though saving may be safe, as long you 
don't unencode the readme.exe portion and execute it.

--rt


Cayley Vos wrote:

> is it true that a readme.eml file is part of this nasty ADMIN virus
> spreading around?  I saw one embedded in a webpage, occuring as a popup
> 
> --
> 
> 
> Cayley Vos, Principal
> 
> 360.714.8395 office
> 360.223.7799 cell
> 
> http://NetPaths.net
> _______________________________
> web design  |  e-commerce  |  i-marketing
> 
> 
> 
> 
> ---------------------------------------
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt ! 
> 
> 







More information about the thelist mailing list