Re: A very dangerous mail...

From: Nexus (nexusat_private-way.co.uk)
Date: Wed Jul 25 2001 - 06:04:43 PDT


    Hi folks,
                Marius was kind enough to send me a copy of the original email,
    including attachments.   I've always enjoyed analysing unknown and
    potentially malicious files like this - feel free to pass such things on to
    me.   Yes, I did just say that ;-)
    Anyway, in short, the email contained an early variant of the Efortune worm
    (W32.Efortune.28672@mm), details of which can be found at
    http://www.symantec.com/avcenter/venc/data/w32.efortune.28672at_private - to
    précis from the writeup: "The W32.Efortune.28672@mm worm is an encrypted
    mass mailer with backdoor capabilities. It uses IRC to spread."
    The other attachment was fortune.zip which contained 2 files, cookie.exe and
    a file_id.diz that describes the file as :
    
    "                       FortuneCookie 32 - Version 1.0
                                    * FREEWARE *
    
    DESCRIPTION:
    ============
    
            FortuneCookie 32 is a Windows 32 version of the classical
    fortune cookies you can get at some restaurants. It's very simple
    double clicking on the cookie.exe file will bring up a fortune cookie.
            This program is freeware so feel free to send out a word of
    wisdom to your friends!"
    
    The cookie.exe [13/4/2001 16:15 28672 bytes] is actually another copy of the
    worm.
    
    Cheers.
    
    ----- Original Message -----
    From: "Marius Huse Jacobsen" <mahujaat_private>
    [snip]
    > Exactly how bad is it? The offending line seems to be
    > <iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
    >
    > Html email was a curse to begin with and it hasn't become any better.
    > Can anyone give me that ascii ribbon sig?
    [snip]
    
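An added example, not code from the original thread: a small Python checker that flags HTML mail parts whose iframe src points at an attached part by Content-ID, the pattern quoted above. The MIME message is a constructed sample with a dummy attachment body.

```python
import email
import re
from email import policy

# Constructed sample (not the original mail from the thread): a quoted-printable
# HTML part that loads an attached part by Content-ID via a zero-size iframe.
# The "attachment" is a harmless dummy.
SAMPLE_MAIL = b"""\
From: sender@example.invalid
Subject: fortune
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>Have a fortune cookie!
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
</body></html>
--B1
Content-Type: application/octet-stream; name="cookie.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>
Content-Disposition: attachment; filename="cookie.exe"

TVpkdW1teQ==
--B1--
"""
# iframe whose src is a cid: URL; the capture group is the Content-ID
IFRAME_CID = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)

def find_cid_iframes(raw: bytes):
    """Return (cid, filename, content_type) for every iframe in an HTML part
    whose src names an attached part by Content-ID (QP is decoded by email)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts_by_cid = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[cid.strip("<>")] = part
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # get_content() undoes the transfer encoding, so =3D is already "="
        for cid in IFRAME_CID.findall(part.get_content()):
            target = parts_by_cid.get(cid)
            hits.append((cid, target.get_filename() if target else None,
                         target.get_content_type() if target else None))
    return hits
```

Run on the sample it reports the iframe that pulls in cookie.exe; a mail gateway can reject or quarantine on any hit, since an HTML body has no legitimate reason to frame an executable attachment.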



    This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 09:51:15 PDT