[Esd-l] Fw: New Virus/Worm email

Bill Larson blarson at compu.net
Tue Sep 18 10:13:01 PDT 2001


Are the audio attachments munged for executable attachments? If not we need a
patch ASAP!

----- Original Message -----
From: "Jim Seymour"
Newsgroups: spamcop.geeks
Sent: Tuesday, September 18, 2001 11:10 AM
Subject: New Virus/Worm Email


> I just received an interesting email.  It made it past my virus filters, but a
> report on the NTBugTraq mailing list is reporting it as some kind of unknown
> worm that attacks IIS machines.
>
> The message itself uses an attachment with a content type of audio/x-wav, but
> with a name of "readme.exe".  I've got the security settings tightened down, but
> even so, Outlook Express asked me whether I wanted to open the embedded
> attachment.
>
> Here is the email that I received (without the encoded attachment, of course).
> Note the long Subject line and the HTML iframe that refers to local content.
> Keep your eye on this one...
>
> --
> Jim Seymour
>
> -----------------------------------------------------------------------
>
> Received: from TGLNT (mail.tricongroup.com [206.206.91.131]) by mail.cipher.com
>  with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
>  id SVNKL1PC; Tue, 18 Sep 2001 08:15:28 -0700
> From: <3dzvi51gehej at 4ax.com>
> Subject:
> Xtoprecvranalyzerdiskstrreadmec2supprttablecoltoprecvraps32analyzerdefaultusergr
> pcinforccidbutilappevent
> MIME-Version: 1.0
> Content-Type: multipart/related;
>  type="multipart/alternative";
>  boundary="====_ABC1234567890DEF_===="
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Unsent: 1
>
> --====_ABC1234567890DEF_====
> Content-Type: multipart/alternative;
>  boundary="====_ABC0987654321DEF_===="
>
> --====_ABC0987654321DEF_====
> Content-Type: text/html;
>  charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
>
> <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
> <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
> </iframe></BODY></HTML>
> --====_ABC0987654321DEF_====--
>
> --====_ABC1234567890DEF_====
> Content-Type: audio/x-wav;
>  name="readme.exe"
> Content-Transfer-Encoding: base64
> Content-ID: <EA4DMGBP9p>
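
Added example, not part of the original thread and not the sanitizer's own code: a Python check for the two traits the quoted message shows, a part declared as a passive media type (audio/x-wav) whose name ends in an executable extension, and an HTML body that loads that part through a cid: reference. The function name, the extension list and the sample message (built from the quoted headers, with a placeholder payload) are assumptions made for illustration.

```python
import email
import os
import re
from email import policy

# Assumed extension and media-type lists, for illustration only.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
PASSIVE_TYPES = {"audio", "image", "video"}
CID_REF = re.compile(r"""src\s*=\s*["']?cid:([^\s"'>]+)""", re.I)

# Constructed sample: headers from the quoted message, nesting flattened, placeholder payload.
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

cGxhY2Vob2xkZXI=
--====_ABC1234567890DEF_====--
"""

def flag_parts(raw):
    """Return (content_type, filename, auto_loaded) for each part whose declared
    media type is passive but whose name carries an executable extension."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.walk())
    # Content-IDs that an HTML body pulls in via src=cid:... (after QP decoding)
    refs = {cid for p in parts if p.get_content_type() == "text/html"
            for cid in CID_REF.findall(p.get_content())}
    hits = []
    for p in parts:
        ext = os.path.splitext(p.get_filename() or "")[1].lower()
        if ext in EXEC_EXT and p.get_content_maintype() in PASSIVE_TYPES:
            cid = (p["Content-ID"] or "").strip("<> ")
            hits.append((p.get_content_type(), p.get_filename(), cid in refs))
    return hits

if __name__ == "__main__":
    print(flag_parts(SAMPLE))
```

The check keys on the file name as well as the declared type, so a filter that only inspects Content-Type would pass this part while this one flags it.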


