This morning I received an e-mail with the subject line "elvis presley - amazing grace" from asportalat_private and containing an attachment named read.exe. I am suspecting this could be related.

Brian Pomeroy
e-Transformation/e-Medicine Center
The Children's Hospital of Philadelphia
Philadelphia, PA USA
http://www.chop.edu/
pomeroyat_private || lunarat_private

----- Original Message -----
From: "Olle Segerdahl" <olleat_private>
To: <bugtraqat_private>; <incidentsat_private>
Sent: Tuesday, September 18, 2001 11:58 AM
Subject: Concept Virus(CV) V.5 - Quick analysis update

>
> More infection routes:
>
> The worm, upon infecting a new host, goes through all the
> shared directories and their subdirectories and plants the
> following files in each dir:
>
> sample.nws
> sample.eml
> desktop.eml
> desktop.nws
>
> which are eml messages with copies of itself ("readme.exe")
> autoloaded by a html script tag,
>
> riched20.dll
>
> which is a trojan dll version of itself probably designed
> to infect people running notepad/wordpad in that dir.
>
>
> It also infects htm/html/asp files all over the system with
> a <SCRIPT> tag appendage that links to a readme.eml file in
> the current directory, thus infecting more webservers and
> even windows helpsystem and the IE "friendly" error messages.
>
> The worm puts a trojan mmc.exe in the winnt directory that
> is a copy of itself in the above "readme.exe" format.....
>
> So in short: This thing spreads via fileserver shares and
> also infects all web content files it sees, it's EVIL.
>
> /olle
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 14:21:02 PDT
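
A sweep for the file-system traces described in the quoted analysis, added here as an example and not part of either original message. The function names are hypothetical and the exact shape of the appended <SCRIPT> tag is an assumption, so the check accepts any script element that names readme.eml. riched20.dll is also the name of a legitimate Windows library, so those hits need review rather than automatic deletion.

```python
import os
import re

# File names the post says are planted in shared directories.
PLANTED = {"sample.nws", "sample.eml", "desktop.eml", "desktop.nws", "riched20.dll"}
WEB_EXTS = (".htm", ".html", ".asp")
# Assumption: the appended tag is a <script> element that names readme.eml.
SCRIPT_RE = re.compile(rb"<script\b.*?(?:</script>|\Z)", re.IGNORECASE | re.DOTALL)


def script_links_readme(data):
    """True if any <script> element in the bytes references readme.eml."""
    return any(b"readme.eml" in m.group(0).lower() for m in SCRIPT_RE.finditer(data))


def scan(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in PLANTED:
                findings.append((rel, "planted-file-name"))
            elif lower == "mmc.exe" and os.path.basename(dirpath).lower() == "winnt":
                findings.append((rel, "mmc.exe-in-winnt"))
            elif lower.endswith(WEB_EXTS):
                with open(path, "rb") as fh:
                    if script_links_readme(fh.read()):
                        findings.append((rel, "script-links-readme.eml"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample share with harmless placeholder files."""
    files = {
        "docs/desktop.eml": b"placeholder",
        "docs/notes.txt": b"readme.eml mentioned in plain text",
        "www/index.html": b"<html>ok</html><SCRIPT src='readme.eml'></SCRIPT>",
        "www/clean.htm": b"<html><script>var a = 1;</script></html>",
        "WINNT/mmc.exe": b"placeholder",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
```

Call scan() on the root of a share or web root; build_sample_tree() populates a scratch directory for trying it out.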