It is worse than that. The virus is passing itself off as audio/x-wav;

----- Original Message -----
From: "Jim Seymour"
Newsgroups: spamcop.geeks
Sent: Tuesday, September 18, 2001 11:10 AM
Subject: New Virus/Worm Email
I just received an interesting email. It made it past my virus filters, but a report on the NTBugTraq mailing list is reporting it as some kind of unknown worm that attacks IIS machines.
The message itself uses an attachment with a content type of audio/x-wav, but with a name of "readme.exe". I've got the security settings tightened down, but even so, Outlook Express asked me whether I wanted to open the embedded attachment.
Here is the email that I received (without the encoded attachment, of course). Note the long Subject line and the HTML iframe that refers to local content. Keep your eye on this one...
-- Jim Seymour
Received: from TGLNT (mail.tricongroup.com []) by mail.cipher.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id SVNKL1PC; Tue, 18 Sep 2001 08:15:28 -0700
From: <3dzvi51gehej@4ax.com>
Subject:
Xtoprecvranalyzerdiskstrreadmec2supprttablecoltoprecvraps32analyzerdefaultus ergr
pcinforccidbutilappevent
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
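Added example, not part of the original post: a Python filter check for the two traits described above, an attachment whose declared Content-Type disagrees with its executable filename, and an HTML iframe that loads that same part by Content-ID. The sample message is constructed from the quoted headers with a harmless placeholder payload; `scan_message` and the extension list are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy

# Extensions treated as executable for this check (an assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Constructed sample modelled on the headers quoted above; the payload is a placeholder.
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
 boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

cGxhY2Vob2xkZXI=
--====_ABC1234567890DEF_====--
"""

def scan_message(raw: bytes) -> list[str]:
    """Return findings for a raw RFC 822 message (hypothetical helper)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, html_cids = [], set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()  # decodes quoted-printable: "=3D" becomes "="
            html_cids |= set(re.findall(r"<iframe[^>]*\bsrc=[\"']?cid:([^\s\"'>]+)", html, re.I))
    for part in msg.walk():
        name = part.get_filename() or ""  # falls back to the Content-Type name= parameter
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() != "application":
            findings.append(f"type-mismatch: {name} declared as {part.get_content_type()}")
            cid = (part["Content-ID"] or "").strip("<>")
            if cid in html_cids:
                findings.append(f"auto-load: iframe references cid:{cid}")
    return findings
```

A gateway filter can quarantine on the first finding alone; the second shows that the HTML body is built to open the attachment without the user clicking on it.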