This file is from the win32.nimda worm, so the box must be infected with that
aswell.
Once the worm gets access to a victim machine's files, it searches all
directories and infects htm, asp and html files
by adding a one line JavaScript code. In every directory with successfully
infected files, the worm drops its own code
in the MIME format as readme.eml or readme.nws. The worm is executed from
within these MIME files when an
infected htm* or asp file is opened.
See: http://www.cai.com/virusinfo/virusalert.htm#win32.nimda.a
Whit
> I viewed the default web page on a machine known to be infected with Code
> Red II. In doing so, another browser window that appeared to be blank
> popped open, and the address in the title bar the name 'readme.eml'
> appeared. When I viewed the source of the page, this is the code that was
> contained there in-- attached as 'readme.txt' just in case it is malicious
> and would affect others using MS Outlook to read this.
>
> Can anybody tell me what purpose this might serve?
>
> ------------------------------------------------------------------------
>
