Hi folks,

Marius was kind enough to send me a copy of the original email, including attachments. I've always enjoyed analysing unknown and potentially malicious files like this - feel free to pass such things on to me. Yes, I did just say that ;-)

Anyway, in short the email contained an early variant of the Efortune worm (W32.Efortune.28672@mm) details of which can be found at http://www.symantec.com/avcenter/venc/data/w32.efortune.28672at_private - to precis from the writeup :

"The W32.Efortune.28672@mm worm is an encrypted mass mailer with backdoor capabilities. It uses IRC to spread."

The other attachment was fortune.zip which contained 2 files, cookie.exe and a file_id.diz that describes the file as :

" FortuneCookie 32 - Version 1.0
* FREEWARE *

DESCRIPTION:
============
FortuneCookie 32 is a Windows 32 version of the classical fortune cookies you can get at some restaurants. It's very simple double clicking on the cookie.exe file will bring up a fortune cookie. This program is freeware so feel free to send out a word of wisdom to your friends!"

The cookie.exe [13/4/2001 16:15 28672 bytes] is actually another copy of the worm.

Cheers.

----- Original Message -----
From: "Marius Huse Jacobsen" <mahujaat_private>

[snip]
> Exactly how bad is it? The offending line seems to be
> <iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
>
> Html email was a curse to begin with and it hasn't become any better.
> Can anyone give me that ascii ribbon sig?
[snip]
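
The "offending line" quoted above is a zero-size iframe whose src is a cid: reference to another part of the same message. As an added example (not part of the original post), this Python check shows how a mail filter could flag that pattern and resolve the Content-ID to the part it points at; the sample message, its file name and the function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample, not the original email; the file name is a placeholder.
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>Hello
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="sample.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

TVo=
--b1--
"""

class IframeFinder(HTMLParser):
    # Collects (content-id, zero_sized) for every iframe whose src is a cid: URL.
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "iframe" and a.get("src", "").lower().startswith("cid:"):
            zero = any(a.get(d) in ("0", "0px") for d in ("height", "width"))
            self.hits.append((a["src"][4:], zero))

def find_cid_iframes(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    # Map Content-ID (angle brackets removed) -> (content type, file name).
    parts = {str(p["Content-ID"]).strip().strip("<>"): (p.get_content_type(), p.get_filename())
             for p in msg.walk() if p["Content-ID"]}
    findings = []
    for p in msg.walk():
        if p.get_content_type() == "text/html":
            finder = IframeFinder()
            finder.feed(p.get_content())  # get_content() undoes quoted-printable (=3D -> =)
            for cid, zero in finder.hits:
                ctype, fname = parts.get(cid, (None, None))
                findings.append({"cid": cid, "zero_sized": zero, "content_type": ctype, "filename": fname})
    return findings
```

A finding whose content_type is not an image or text type, or whose filename ends in an executable extension, is the case worth quarantining.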
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 09:51:15 PDT