Michele,
Here is the virus analysis from SOPHOS, it mentions the readme.eml.
Tom Buoniello
Sybari
*** Virus Alert! ***
Name: W32/Nimda-A
Aliases: W32.Nimda.A@mm, Code Rainbow, Minda
Type: W32 executable file virus
Date: 18 September 2001
A virus identity file (IDE) which provides protection is available now from
our website and will be incorporated into the November 2001 (3.51) release
of Sophos Anti-Virus.
Sophos has received many reports of this virus from the wild.
Please note: The IDE has been updated on 18 September at 19:45 BST to
improve detection of this virus.
Description:
W32/Nimda-A is a Windows 32 virus which spreads via email, network shares
and websites.
Affected emails have an attached file called README.EXE. The virus attempts
to exploit a MIME Vulnerability in some versions of Microsoft Outlook,
Microsoft Outlook Express, and Internet Explorer to allow the executable
file to run automatically without the user double-clicking on the
attachment.
The virus copies itself into the Windows directory with the filenames
load.exe and riched20.dll (both have their file attributes set to "hidden"),
and attempts to spread itself to other users via network shares.
The virus alters the System.ini file to include the line
shell=explorer.exe load.exe -dontrunold
so that it executes on Windows startup.
The virus forwards itself to other email addresses found on the computer.
Furthermore, the virus looks for IIS web servers suffering from the Unicode
Directory Traversal vulnerability. It attempts to alter the contents of
pages on such servers, hunting for the following filenames:
index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp
If it finds one of the above files on the web server the virus attempts to
alter the contents of the file, adding a section of malicious Javascript
code to the end of the file.
If the website is then browsed by a user with an insecure version of
Internet Explorer, the malicious code automatically downloads a file called
readme.eml onto the user's computer - which is then executed, forwarding the
virus once more.
The virus contains the following text: "Copyright 2001 R.P.China".
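As an added example (not part of the Sophos alert or of any message in this thread), a Python triage script that checks a host for the indicators the alert describes: the altered system.ini shell line, dropped load.exe/riched20.dll files, readme.eml files, and the listed web pages ending in a script block that references readme.eml. The directory tree it scans is constructed for the demonstration; the real Windows directory and IIS web root are assumptions the operator supplies.

```python
import os
import re
import tempfile

# Pages the alert says the worm tries to alter on vulnerable IIS hosts.
TARGET_PAGES = {f"{b}.{e}" for b in ("index", "readme", "main", "default")
                for e in ("html", "htm", "asp")}
# system.ini line quoted in the alert; it makes load.exe run at every boot.
SHELL_LINE = re.compile(r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold",
                        re.I | re.M)
# A script block referencing the dropped readme.eml file.
APPENDED_JS = re.compile(r"<script[^>]*>.*?readme\.eml.*?</script>", re.I | re.S)

def system_ini_hijacked(ini_text: str) -> bool:
    """True if the [boot] shell= entry chain-loads load.exe."""
    return SHELL_LINE.search(ini_text) is not None

def page_defaced(html: str) -> bool:
    """True if the page ends with a script block that pulls readme.eml."""
    m = APPENDED_JS.search(html)
    return m is not None and html[m.end():].strip() == ""

def scan_tree(root: str) -> dict:
    """Walk a tree and collect the file-based indicators from the alert."""
    hits = {"readme_eml": [], "dropped_bin": [], "defaced": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if low == "readme.eml":
                hits["readme_eml"].append(path)
            elif low in ("load.exe", "riched20.dll"):
                # riched20.dll is also a legitimate DLL; review each hit.
                hits["dropped_bin"].append(path)
            elif low in TARGET_PAGES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if page_defaced(fh.read()):
                        hits["defaced"].append(path)
    return hits

def demo() -> dict:
    """Scan a constructed sample tree; returns indicator counts."""
    with tempfile.TemporaryDirectory() as root:
        web = os.path.join(root, "wwwroot")
        os.makedirs(web)
        with open(os.path.join(web, "default.htm"), "w") as fh:  # constructed
            fh.write('<html><body>site</body></html>\n'
                     '<script language="JavaScript">open("readme.eml")</script>')
        for dropped in ("wwwroot/readme.eml", "load.exe"):  # constructed drops
            open(os.path.join(root, dropped), "w").close()
        return {k: len(v) for k, v in scan_tree(root).items()}
```

Run scan_tree against the Windows directory and the web root and system_ini_hijacked against the contents of system.ini; the page checks are a heuristic and should be confirmed by looking at the appended block itself.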
-----Original Message-----
From: [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:47 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
You got a link for where they're mentioned? I looked at nai.com and at
sybari.com & sophos.com and can't find anything about them.
Maybe I'm just blind.
-Michèle
Immigration site: <http://LadySun1969.tripod.com>
Our new 2001 Miata: <http://members.cardomain.com/bpituley>
Tiggercam: <http://www.tiggercam.co.uk>
---------------------------------------------------------
"Pinky, are you pondering what I'm pondering?" "Well, I think so Brain, but
what if we stick to the seat covers?"
---------------------------------------------------------
-----Original Message-----
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:42 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
They are mentioned in the NAI website. I've also seen mention of WAV and COM
files.
-Peter
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:37
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
Has anybody seen anything official about the .eml files? I've just heard
anecdotal evidence about them.
-Michèle
Immigration site: <http://LadySun1969.tripod.com>
Our new 2001 Miata: <http://members.cardomain.com/bpituley>
Tiggercam: <http://www.tiggercam.co.uk>
---------------------------------------------------------
Why do they put pictures of criminals up in the Post Office? What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail?
---------------------------------------------------------
-----Original Message-----
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
If you block EXEs, there is no need to wait for updates. For more
information, visit http://www.cmsconnect.com
Dan
-----Original Message-----
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
Yes, NAI released an extra.dat. Still waiting for Trend to put out an
update.
Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH 45221
Phone - (513) 556-9076
Fax - (513) 556-2042
-----Original Message-----
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
Does anyone have any more info on this??
Does NAI have an update? I can't get through to them.
Thanks
Russell
-----Original Message-----
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt. This appeared to be regenerating the readme.eml
files. We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.
Not sure how to stop it from happening again.
John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
______________________________________________
This message is private or privileged. If you are not the person for whom
this message is intended, please delete it and notify me immediately, and
please do not copy or send this message to anyone else.