Concept Virus(CV) V.5 - Quick analysis update

From: Olle Segerdahl (olleat_private)
Date: Tue Sep 18 2001 - 08:58:39 PDT


    More infection routes:
    
    The worm, upon infecting a new host, goes through all the
    shared directories and their subdirectories and plants the
    following files in each dir:
    
    sample.nws
    sample.eml
    desktop.eml
    desktop.nws
    
    which are .eml messages with copies of itself ("readme.exe")
    autoloaded by an HTML script tag,
    
    riched20.dll
    
    which is a trojan dll version of itself probably designed
    to infect people running notepad/wordpad in that dir.
    
    
    It also infects htm/html/asp files all over the system with
    a <SCRIPT> tag appendage that links to a readme.eml file in
    the current directory, thus infecting more webservers and
    even the Windows help system and the IE "friendly" error messages.
    
    The worm puts a trojan mmc.exe in the winnt directory that
    is a copy of itself in the above "readme.exe" format.....
    
    So in short: This thing spreads via fileserver shares and
    also infects all web content files it sees, it's EVIL.
    
    /olle
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
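As an added defender-side illustration (not part of Olle's post), a small Python sweep that walks a share and flags the two indicators described above: the planted filenames, and htm/html/asp files carrying a <SCRIPT> tag that references readme.eml. The demo directory layout, the file contents and the matching regex are constructed assumptions, not captured samples.

```python
import os
import re
import tempfile
# Filenames the post reports the worm planting in shared directories,
# plus the readme.eml that the appended <SCRIPT> tag points at.
PLANTED_FILES = {"sample.nws", "sample.eml", "desktop.eml", "desktop.nws",
                 "riched20.dll", "readme.eml"}
WEB_EXTENSIONS = {".htm", ".html", ".asp"}
# Constructed approximation of the appendage: a <script> element whose body
# mentions readme.eml (case-insensitive, tag may span lines).
APPENDAGE_RE = re.compile(r"<script[^>]*>[^<]*readme\.eml[^<]*</script>",
                          re.IGNORECASE | re.DOTALL)

def scan_tree(root):
    """Walk root; return sorted (kind, path) pairs for each indicator found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in PLANTED_FILES:
                findings.append(("planted_file", path))
            elif os.path.splitext(lower)[1] in WEB_EXTENSIONS:
                try:
                    with open(path, "r", errors="replace") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable file: skip, do not abort the sweep
                if APPENDAGE_RE.search(data):
                    findings.append(("script_appendage", path))
    return sorted(findings)

def build_sample_share():
    """Constructed demo tree (empty stand-in files, not real samples)."""
    root = tempfile.mkdtemp(prefix="share_demo_")
    sub = os.path.join(root, "docs")
    os.makedirs(sub)
    for name in ("sample.eml", "desktop.nws", "riched20.dll"):
        open(os.path.join(sub, name), "wb").close()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>hello</body></html>\n"
                 '<SCRIPT language="JavaScript">window.open("readme.eml")</SCRIPT>')
    with open(os.path.join(root, "clean.htm"), "w") as fh:
        fh.write("<html><body>nothing here</body></html>")
    return root

if __name__ == "__main__":
    for kind, path in scan_tree(build_sample_share()):
        print(kind, path)
```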
    