"Eric D. Williams" wrote:

> I suspect this worm alters extensions as
> well, I am sure (and hope) someone will post a dissection of this worm to the
> list after they receive a full copy.

No dissection, sorry :)

Just a few notes:

- the extensions I have seen are .pif, .bat, .com, .exe, .lnk
- the worm wraps a document from the MyDocuments folder in a file containing the executable virus and sends it to email addresses found in *.wab (Windows address books) and Temporary Internet Files
- title of the mail = filename without extensions
- how to detect/reject it at the mail server (Postfix only):

    /^Content-Disposition: Multipart message/i REJECT

- how to extract the "stolen" file:

    dd if=file.xls.bat bs=512 skip=268 of=file.xls

Nicob
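The extraction step from the post, wrapped with the checks a responder would want before running it over a quarantine folder. This is an added example, not part of the original message; the function name `recover_doc` and the sanity checks are assumptions, while the extension list and the 268 x 512-byte offset are taken from the post.

```shell
#!/bin/sh
# Added example: recover the document appended after the worm's wrapper.
# Offset from the post: skip 268 blocks of 512 bytes (137216 bytes).
WRAP_BLOCKS=268
BLOCK_SIZE=512

# recover_doc FILE [OUTDIR]  (hypothetical helper name)
# Prints the path of the recovered document; returns non-zero if FILE does
# not look like a wrapped document. The input is only read, never executed.
recover_doc() {
    src=$1
    outdir=${2:-.}
    name=$(basename -- "$src")
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')

    # Outer extension must be one of those reported in the post.
    case $lower in
        *.pif|*.bat|*.com|*.exe|*.lnk) ;;
        *) echo "skip: $name has no wrapper extension" >&2; return 1 ;;
    esac
    # An inner extension must remain (file.xls.bat -> file.xls).
    inner=${name%.*}
    case $inner in
        *.*) ;;
        *) echo "skip: $name has no inner extension" >&2; return 1 ;;
    esac

    # File must be longer than the wrapper, otherwise nothing is appended.
    size=$(($(wc -c < "$src")))
    min=$((WRAP_BLOCKS * BLOCK_SIZE))
    if [ "$size" -le "$min" ]; then
        echo "skip: $name is only $size bytes" >&2
        return 1
    fi

    out=$outdir/$inner
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    dd if="$src" of="$out" bs="$BLOCK_SIZE" skip="$WRAP_BLOCKS" 2>/dev/null || return 1
    chmod a-x "$out"   # recovered file is data, keep it non-executable
    printf '%s\n' "$out"
}
```

If a sample carries a wrapper of a different size, the fixed offset produces a truncated or garbage file, so check the recovered document's header before handing it back to its owner.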
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 11:03:15 PDT