Just wiped this virus off 25 machines today. None of them ran media player,
all ran Outlook Express.
Mike

----- Original Message -----
From: "Dean Cunningham" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 8:21 PM
Subject: RE: serious network down...readme.eml??


> The browser is tricked into thinking it is a sound file (by the MIME type),
> so it runs it automatically; unfortunately the actual executable run, i.e. OE,
> because that is what the file type is set to.
>
> -----Original Message-----
> From: TDI Custom Computers [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 September 2001 1:00 p.m.
> To: NT System Admin Issues
> Subject: Fw: serious network down...readme.eml??
>
>
>
>
>
> > .eml is the file format, if you save an email in Outlook Express.
> > Mike
> >
> > ----- Original Message -----
> > From: "Miley, Dan" <[EMAIL PROTECTED]>
> > To: "NT System Admin Issues" <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 18, 2001 2:10 PM
> > Subject: RE: serious network down...readme.eml??
> >
> >
> > > .eml is a sound file type.  If there's a sound embedded in a web page, it
> > > executes.  (at least in IE.)
> > >
> > > isn't that special.
> > >
> > > Dan
> > >
> > > -----Original Message-----
> > > From: Adam Meixler [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, September 18, 2001 2:36 PM
> > > To: NT System Admin Issues
> > > Subject: RE: serious network down...readme.eml??
> > >
> > >
> > > If it's like the one I've seen, it's an HTML mail that gets opened by
> > > something like Outlook Express. The HTML mail has an attachment which it
> > > calls from an iframe. The attachment is actually the exe which does the
> > > infection. Here's the source of the eml, with the EXE (EA4DMGBP9p) taken
> > > out:
> > >
> > > MIME-Version: 1.0
> > > Content-Type: multipart/related;
> > > type="multipart/alternative";
> > > boundary="====_ABC1234567890DEF_===="
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Unsent: 1
> > >
> > > --====_ABC1234567890DEF_====
> > > Content-Type: multipart/alternative;
> > > boundary="====_ABC0987654321DEF_===="
> > >
> > > --====_ABC0987654321DEF_====
> > > Content-Type: text/html;
> > > charset="iso-8859-1"
> > > Content-Transfer-Encoding: quoted-printable
> > >
> > >
> > > <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
> > > <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
> > > </iframe>
> > > </BODY></HTML>
> > > --====_ABC0987654321DEF_====--
> > >
> > > --====_ABC1234567890DEF_====
> > > Content-Type: audio/x-wav;
> > > name="readme.exe"
> > > Content-Transfer-Encoding: base64
> > > Content-ID: <EA4DMGBP9p>
> > >
> > >
> > > --====_ABC1234567890DEF_====
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, September 18, 2001 1:24 PM
> > > To: NT System Admin Issues
> > > Subject: RE: serious network down...readme.eml??
> > >
> > >
> > > Stupid Ev Question #327: eml files can be executed?
> > >
> > > Thanks,
> > >
> > > Evan
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, September 18, 2001 1:05 PM
> > > To: NT System Admin Issues
> > > Subject: RE: serious network down...readme.eml??
> > >
> > > 1    Unplug servers from network.
> > > 2    Use ERD to recover.
> > > 3    Send users home.
> > > 4    Clean clients.
> > > -----Original Message-----
> > > From: Terry Manolakos [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, September 18, 2001 12:21 PM
> > > To: NT System Admin Issues
> > > Subject: serious network down...readme.eml??
> > > My network is slammed with some unknown virus of some sort.....Both my NT
> > > 4.0 servers running MS-Exchange 6.5 have about 2300 alien files which were
> > > deleted....a "readme.eml" is being executed by all users somehow
> > > automatically and it's infecting all my NT domain.   I cannot
> > > Ctrl+Alt+Delete to log into any of the servers.....the display shows
> > > "initialization of the dynamic link library C:\WINNT\system32\USER32.dll
> > > failed. The process is terminating abnormally"  OKaying this results in no
> > > effects....all servers have this displayed onscreen.  For the ones that
> > > have admin already logged in, Services (control panel, settings) cannot be
> > > accessed!  "access to the specified device, path, or file is denied"....it
> > > seems this virus has locked onto this element.  PDC is running Exchange (I
> > > know, never put 'em together...but we're still cleaning up after previous
> > > SysAdmins here), and this has gone berserk as well, with the same message
> > > onscreen.  Norton/Symantec doesn't recognize "readme.eml"....who out there
> > > can shine a flashlight in this dark mess?  thanks in advance.
> > > Terry
> > > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> > >
> >
>
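The MIME source Adam pasted shows the two tricks a mail gateway can check for: a part declared audio/x-wav but named readme.exe, and an HTML body whose zero-size iframe pulls that part in through a cid: reference. The following is an added example, not code from anyone on the list; it parses a constructed .eml modelled on the quoted source (the base64 body is a placeholder, not the real binary) with Python's standard email module and reports both mismatches.

```python
import re
from email import message_from_bytes, policy

# Constructed sample modelled on the readme.eml structure quoted in the thread;
# the base64 body is a placeholder ("MZPLACEHOLDER"), not the real executable.
SAMPLE_EML = b"""MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVpQTEFDRUhPTERFUg==
--====_ABC1234567890DEF_====--
"""
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".vbs")
IFRAME_CID = re.compile(r'<iframe[^>]*src\s*=\s*["\']?cid:([^\s"\'>]+)', re.I)

def analyse_eml(raw):
    # Findings: declared MIME type vs. name/magic bytes, and iframes that pull such a part via cid:
    msg = message_from_bytes(raw, policy=policy.default)
    findings, iframe_cids, bad_cids = [], set(), set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            iframe_cids.update(IFRAME_CID.findall(part.get_content()))
            continue
        name = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        looks_exe = name.endswith(EXEC_EXTS) or body.startswith(b"MZ")
        if looks_exe and not ctype.startswith("application/"):
            findings.append(f"{name}: declared {ctype} but looks like a Windows executable")
            bad_cids.add((part.get("Content-ID") or "").strip("<>"))
    for cid in sorted(iframe_cids & bad_cids):
        findings.append(f"HTML body auto-loads cid:{cid} (executable) in an iframe")
    return findings
```

Run it over a saved .eml (`analyse_eml(open(path, "rb").read())`) to get the list of findings; an empty list means neither trick was seen.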

