Re: New worm? 'readme.eml'

From: Christopher X. Candreva (chrisat_private)
Date: Tue Sep 18 2001 - 08:46:48 PDT

Next message: thomas lakofski: "Possible new worm using directory traversal vulnerability?"

Previous message: VanMeter, John: "NIPC Advisory 01-021, "Potential DDoS Attacks""
In reply to: Pedro Miller Rabinovitch: "New worm? 'readme.eml'"
Next in thread: Tony Abedini: "Re: New worm? 'readme.eml'"
Next in thread: coopat_private: "Re: New worm? 'readme.eml'"
Reply: Tony Abedini: "Re: New worm? 'readme.eml'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 18 Sep 2001, Pedro Miller Rabinovitch wrote:

> I've inspected the executable code, and it reads like a worm. (doh)
>
> Has anyone seen this?

I just got a readme.exe e-mail to me from a dsl.net IP address a few minutes
ago. Odd thing is it sends it's Content-type as audio/x-wav I've added the
following to filter it in procmail:

:0 B
* >50000
* <90000
* ^Content-Type: audio/x-wav;
* ^     name="readme.exe"
YourVirustrapHere


==========================================================
Chris Candreva  -- chrisat_private -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: thomas lakofski: "Possible new worm using directory traversal vulnerability?"
Previous message: VanMeter, John: "NIPC Advisory 01-021, "Potential DDoS Attacks""
In reply to: Pedro Miller Rabinovitch: "New worm? 'readme.eml'"
Next in thread: Tony Abedini: "Re: New worm? 'readme.eml'"
Next in thread: coopat_private: "Re: New worm? 'readme.eml'"
Reply: Tony Abedini: "Re: New worm? 'readme.eml'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:00:53 PDT