[thelist] virus and readme.eml
Ron Thigpen
rthigpen at nc.rr.com
Wed Sep 19 13:41:07 CDT 2001
yes, readme.eml is a multipart-MIME formatted file that is used by the worm
in one of many propagation methods.
infected webpages have been appended with a bit of javascript that will
attempt to open a new browser window (offset by 6000 pixels vertically
and horizontally from the upper left corner of your screen, so that you
may not see this window) and load the file readme.eml into this new window.
this file takes advantage of a vulnerability in some unpatched versions
of IE that allows it to execute code embedded in these multipart-MIME
files. one part of this multipart message is a base64 encoded file
named readme.exe. so, readme.eml is a transport vessel for readme.exe.
if you are running a vulnerable version of IE, you may see a cmd (DOS
command) window pop up as the readme.exe file is executed. once this
occurs, that machine is infected. infected machines will begin trying
to propagate the virus via file shares, web server infection (as
above), network scanning for vulnerable web servers (similar to Code Red
propagation), and by e-mail (similar to Melissa propagation).
if you are not running a vulnerable version of IE you may have been
prompted to open, run or save this eml file. the safest choice is to
'Cancel', choosing none of these, though saving may be safe, as long as you
don't decode the readme.exe portion and execute it.
--rt
Cayley Vos wrote:
> is it true that a readme.eml file is part of this nasty ADMIN virus
> spreading around? I saw one embedded in a webpage, occurring as a popup
>
> Cayley Vos, Principal
>
> 360.714.8395 office
> 360.223.7799 cell
>
> http://NetPaths.net
> _______________________________
> web design | e-commerce | i-marketing
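The two mechanics described above (a base64-encoded readme.exe carried inside the multipart readme.eml, and the appended JavaScript that opens an off-screen window and loads the .eml into it) are the kind of thing you can triage with a small script instead of opening the file. The following is an added example, not code from the original post or from the list: it parses a constructed .eml with Python's standard `email` module, decodes any base64 part into memory only (never to disk), and reports executable-looking parts by filename and by the PE "MZ" magic bytes, since a malicious message can lie about its Content-Type; a second function scans HTML for `window.open()` calls that load an .eml into a window positioned thousands of pixels off-screen. The sample message, the stub "executable" and the sample HTML are constructed here for the example; the 6000-pixel offset follows the post's description, and the `min_offset` threshold is an arbitrary choice.

```python
"""Offline triage for the readme.eml / readme.exe pattern.

Added example; all sample data below is constructed.  The "executable" is a
stub that merely starts with the DOS/PE 'MZ' marker, not a real program.
"""
import base64
import hashlib
import re
from email import message_from_bytes, policy

EXEC_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat")

# Constructed stub standing in for readme.exe: PE magic plus padding.
STUB_EXE = b"MZ" + b"\x00" * 62 + b"constructed stub, not a real program"

# Constructed two-part message: an HTML body and a base64 .exe part.
SAMPLE_EML = (
    b"From: someone@example.invalid\r\n"
    b"Subject: readme\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="bnd"\r\n'
    b"\r\n"
    b"--bnd\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html><body></body></html>\r\n"
    b"--bnd\r\n"
    b'Content-Type: application/octet-stream; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(STUB_EXE) +
    b"--bnd--\r\n"
)

# Constructed HTML page with the appended popup script described in the post.
SAMPLE_HTML = (
    b"<html><body>Welcome to our site</body></html>\n"
    b'<html><script language="JavaScript">window.open("readme.eml", null, '
    b'"resizable=no,top=6000,left=6000")</script></html>\n'
)


def find_dropped_executables(raw_eml: bytes) -> list[dict]:
    """Return metadata for every MIME part that looks like a Windows executable.

    The base64 payload is decoded only in memory so it can be hashed and
    inspected; nothing is written to disk or executed.  Both the filename
    suffix and the 'MZ' magic are checked because the declared Content-Type
    and name cannot be trusted.
    """
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        looks_pe = payload[:2] == b"MZ"  # DOS/PE header magic
        if name.endswith(EXEC_SUFFIXES) or looks_pe:
            hits.append({
                "filename": name,
                "content_type": part.get_content_type(),
                "encoding": str(part.get("Content-Transfer-Encoding", "")),
                "size": len(payload),
                "pe_magic": looks_pe,
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
    return hits


def find_hidden_popup_script(html: bytes, min_offset: int = 2000) -> list[dict]:
    """Find window.open() calls that load an .eml into a far off-screen window.

    min_offset is an arbitrary threshold: any top/left value at or above it
    is treated as an attempt to keep the window out of the user's view.
    """
    findings = []
    for call in re.finditer(rb"window\.open\(([^)]*)\)", html, re.IGNORECASE):
        args = call.group(1)
        url = re.search(rb"['\"]([^'\"]+)['\"]", args)
        if not url or not url.group(1).lower().endswith(b".eml"):
            continue
        offsets = [int(v) for v in
                   re.findall(rb"(?:top|left)\s*=\s*(\d+)", args, re.IGNORECASE)]
        if offsets and max(offsets) >= min_offset:
            findings.append({
                "url": url.group(1).decode(),
                "max_offset": max(offsets),
                "snippet": call.group(0).decode(errors="replace"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_dropped_executables(SAMPLE_EML):
        print("executable part:", hit)
    for finding in find_hidden_popup_script(SAMPLE_HTML):
        print("hidden popup:", finding)
```

Run it against a saved readme.eml and the HTML of a page you suspect was touched; a hit from the first function tells you the file is a carrier for an executable without your ever running it, and the SHA-256 gives you something to compare across machines.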