On Tue, 2001-09-18 at 19:54, Jeff wrote:
> Can anybody tell me what purpose this might serve?
>
> --=====================_1000846456==_
>
> <HTML><HEAD></HEAD><BODY bgColor=#ffffff>
> <iframe src=cid:EA4DMGBP9p height=0 width=0>
Hi Jeff.
What you have is a piece of the Nimda worm. You can find lots of discussions
and writeups on it right now (including this list). One of my favorite
writeups comes from F-Secure:
http://www.f-secure.com/v-descs/nimda.shtml
The particular bit you have attempts to take advantage of an IE5 hole
that allows for automagic execution of arbitrary code (using email files
- .eml):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
The code does this by creating an invisible inline frame within the
document that points to an attached file via the Content-ID URL scheme:
(brief)
http://www.w3.org/Addressing/URL/4_1_Cid.html
(more detail)
http://www.nacs.uci.edu/indiv/ehood/MIME/rfc2111.txt
This CID should reference an attachment called readme.exe which is the
actual worm binary. The fun begins from there.
--
.: Paul Hosking . [EMAIL PROTECTED]
.: InfoSec
.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE
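An added detection example in Python (not part of the thread, nor code from F-Secure or Microsoft): it parses a MIME message, finds HTML parts with an invisible iframe whose src is a cid: URL, resolves that Content-ID to the attached part and reports whether the part is an executable regardless of its declared type. The sample message, its Content-ID and the attachment bytes are constructed for this example.

```python
import re
from email import message_from_string, policy
# Constructed sample modelled on the snippet quoted above: an HTML part whose
# zero-size iframe points at a cid: URL, plus an attachment named readme.exe
# carrying that Content-ID (the ID and bytes are made up for this example).
SAMPLE = """Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html

<HTML><HEAD></HEAD><BODY bgColor=#ffffff>
<iframe src=cid:EA4DMGBP9p height=0 width=0>
--B
Content-Type: audio/x-wav; name=readme.exe
Content-ID: <EA4DMGBP9p>

MZ (placeholder bytes for this example, not a real executable)
--B--
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
CID_RE = re.compile(r"""\bsrc\s*=\s*["']?cid:([^"'\s>]+)""", re.I)
ZERO_RE = re.compile(r"""\b(?:height|width)\s*=\s*["']?0+["']?(?=\s|$)""", re.I)

def find_cid_iframes(html):
    # Return (content_id, hidden) for every <iframe> whose src is a cid: URL.
    found = []
    for m in IFRAME_RE.finditer(html):
        src = CID_RE.search(m.group(1))
        if src:  # hidden = both height and width are 0, as in the worm mail
            found.append((src.group(1).strip("<>"), len(ZERO_RE.findall(m.group(1))) >= 2))
    return found

def scan_message(raw):
    # Resolve each cid: iframe to the MIME part it names and report what it is.
    msg = message_from_string(raw, policy=policy.default)
    by_cid = {p["Content-ID"].strip("<> "): p for p in msg.walk() if p["Content-ID"]}
    findings = []
    for p in (q for q in msg.walk() if q.get_content_type() == "text/html"):
        for cid, hidden in find_cid_iframes(p.get_content()):
            t = by_cid.get(cid)  # None if the referenced part is missing
            data = (t.get_payload(decode=True) or b"") if t else b""
            name = (t.get_filename() or "") if t else ""
            is_exe = name.lower().endswith(".exe") or data[:2] == b"MZ"
            findings.append({"cid": cid, "hidden": hidden, "filename": name, "executable": is_exe,
                             "declared_type": t.get_content_type() if t else None,
                             "suspicious": hidden and is_exe})
    return findings
```

The "MZ" check looks at the attachment's real bytes, so a mail that declares the executable as audio/x-wav (the type trick that MS01-020 addresses) is still flagged.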