More infection routes:

The worm, upon infecting a new host, goes through all the shared directories and their subdirectories and plants the following files in each dir:

sample.nws
sample.eml
desktop.eml
desktop.nws

which are eml messages with copies of itself ("readme.exe") autoloaded by a html script tag,

riched20.dll

which is a trojan dll version of itself probably designed to infect people running notepad/wordpad in that dir.

It also infects htm/html/asp files all over the system with a <SCRIPT> tag appendage that links to a readme.eml file in the current directory, thus infecting more webservers and even windows helpsystem and the IE "friendly" error messages.

The worm puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format.....

So in short: This thing spreads via fileserver shares and also infects all web content files it sees, it's EVIL.

/olle

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
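
A triage sweep for the artifacts listed in the post, as an added example that is not part of the original message: it walks a directory tree and flags the planted file names, any riched20.dll or winnt mmc.exe for review, and htm/html/asp files whose tail carries a script tag naming readme.eml. The exact form of the script tag, the reason labels and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Names the post says are planted in every shared directory.
DROPPED = {"sample.nws", "sample.eml", "desktop.eml", "desktop.nws"}
WEB_EXT = {".htm", ".html", ".asp"}
# Assumption: the appended tag names readme.eml inside a <script> element.
SCRIPT_REF = re.compile(rb"<script[^>]*>[^<]*readme\.eml", re.I)
TAIL = 4096  # the tag is appended, so only the end of each file is read

def tail_has_ref(path):
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            fh.seek(max(0, fh.tell() - TAIL))
            return SCRIPT_REF.search(fh.read()) is not None
    except OSError:
        return False  # unreadable file: skip it, keep sweeping

def scan_tree(root):
    """Return sorted (reason, relative path) findings under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if low in DROPPED:
                hits.append(("dropped-file", rel))
            elif low == "riched20.dll":
                # A genuine copy ships with Windows; one in a document share needs review.
                hits.append(("review-dll", rel))
            elif low == "mmc.exe" and parent == "winnt":
                # The post reports a trojan mmc.exe directly in the winnt directory.
                hits.append(("review-mmc", rel))
            elif os.path.splitext(low)[1] in WEB_EXT and tail_has_ref(path):
                hits.append(("script-appendage", rel))
    return sorted(hits)

def demo():
    """Build a constructed sample tree (placeholders, not worm files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sample = {
            "share/docs/desktop.eml": b"constructed placeholder",
            "share/docs/riched20.dll": b"constructed placeholder",
            "winnt/mmc.exe": b"constructed placeholder",
            "web/index.html": b'<html></html>\n<script>window.open("readme.eml")</script>',
            "web/clean.asp": b"<html><body>ok</body></html>",
        }
        for rel, data in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Call `scan_tree()` on the root of a share or web root; the "review" findings are name matches only and need a comparison against a known-good copy before any conclusion is drawn.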
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:54:46 PDT