eml Viruses

9-19-01
Thank you, Microsoft: it is now possible to spread viruses via HTML files. It is simple, really: just use JavaScript to open an .eml file in a new window.

Well, I've just been hit with the W32.NIMDA.A@MM computer worm. No big surprise here. The infection appears to be pretty widespread.

This Symantec press release says that "its kind of bad"; the details are here.

Damage | HTML Code | Registry | MIME Header | References


Damage to My System

riched20.dll should be 422 KB; after infection it was 56 KB. Since this DLL is used by various applications, some parts of the system no longer worked. I used the System File Checker (c:\win98\system\sfc.exe) to repair this problem (i.e., replace the file).

At the time of the infection I was running the Microsoft Personal Web Server (PWS). The following two files were written to directories configured in PWS to contain executable content.

These two identical files are actually email messages which contain the MIME-encoded worm readme.exe. However, because the MIME type is listed as an audio file, Microsoft Exchange will try to play the "sound" file. Of course, Windows will realize that it is actually an exe file and execute it WITHOUT ASKING YOU.

This is the system.ini line which loads the worm.

The MS Word problem was solved by locating and renaming normal.dot. When restarted, MS Word simply created a new one, and only the changes I had made were lost.


HTML Code

The following code is from an infected web page. I won't identify the URL since it is a very respected site that was obviously hacked. Simply visiting the page infected MY machine with the virus. (I added the "xx" to the extension so that my example should be safe.) Notice that the window is opened way off the screen so that the user is kept clueless.

I can't believe that JavaScript can be used to open another application. (On the other hand, VBScript does allow this sort of thing.)

On the plus side, my Symantec virus check software located several infected html files in the Internet Explorer cache. Since all of them were from a single web site, I'm pretty sure that those are the files that infected my system.
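As an added example (my own code, not from the infected page or from any vendor), here is a small scanner for the pattern described above: it looks through an HTML file for window.open() calls whose target has one of the at-risk extensions from the registry section (eml, mht, mhtml, nws) and reports whether the window geometry pushes it off-screen. The sample pages inside it are constructed, not copies of the hacked site, and the 2000-pixel "off-screen" threshold is an assumption of mine.

```python
import re

# Extensions the registry section of this page lists as mapped to
# automatic execution (eml, mht, mhtml, nws).
AT_RISK_EXTS = {"eml", "mht", "mhtml", "nws"}

# Assumption: a window placed more than this many pixels from the origin is
# treated as deliberately off-screen.  The threshold is mine, not the page's.
OFFSCREEN_PX = 2000

# Matches window.open("<url>" [, <name> [, "<features>"]]).  Only the first
# and third arguments are captured; the second (window name) is skipped.
WINDOW_OPEN_RE = re.compile(
    r"""window\.open\s*\(\s*["']([^"']*)["']"""   # URL argument
    r"""(?:\s*,\s*[^,)]*)?"""                      # optional window-name argument
    r"""(?:\s*,\s*["']([^"']*)["'])?""",           # optional features string
    re.IGNORECASE,
)


def _parse_features(features):
    """Turn 'resizable=no,top=6000,left=6000' into a dict of lowercase keys."""
    out = {}
    for item in features.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def _is_offscreen(features):
    """True if top or left places the window beyond OFFSCREEN_PX."""
    for key in ("top", "left"):
        value = features.get(key, "")
        if value.lstrip("-").isdigit() and abs(int(value)) > OFFSCREEN_PX:
            return True
    return False


def scan_html_for_eml_launchers(html):
    """Return one finding per window.open() call whose target has an
    at-risk extension: the URL, the extension and an off-screen flag."""
    findings = []
    for match in WINDOW_OPEN_RE.finditer(html):
        url = match.group(1)
        features = _parse_features(match.group(2) or "")
        # Strip query string and fragment before looking at the extension.
        path = url.split("?", 1)[0].split("#", 1)[0]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in AT_RISK_EXTS:
            findings.append({
                "url": url,
                "extension": ext,
                "offscreen": _is_offscreen(features),
            })
    return findings


# Constructed sample pages, not copies of the infected page the author saw.
SAMPLE_HTML = """<html><body>
<p>Welcome to our site</p>
<script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>
</body></html>"""

CLEAN_HTML = """<html><body>
<script>window.open("help.html", "help", "width=300,height=200")</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        print(name, scan_html_for_eml_launchers(page))
```

Run it over the files in the Internet Explorer cache (or a web server's document root) to get the same kind of list the virus scanner produced, without needing a signature for the worm itself.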


Relevant Registry Entries

This is the real problem: these registry keys allow Windows to execute files without your permission. As you can see, there are four at-risk extensions: eml, mht, mhtml, nws.

Based on experiments, it appears that the real danger is through the mime mapping.


MIME Header

This is the malformed header from the eml file.
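The mismatch described in the Damage section and here (an attachment declared as audio but carrying an exe) is easy to check for mechanically. The following is an added example of my own, not code from the page or from Symantec/McAfee: it parses a .eml file with Python's standard email module and flags any part whose declared Content-Type disagrees with its file name or with the bytes it actually contains (a Windows executable starts with "MZ"). The two messages it builds are constructed samples with hand-made header stubs, not the worm's real file.

```python
import base64
import email
import os
from email import policy

# Executable extensions this page names: exe, plus pif and scr from the
# "Other Extensions" section.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr"}

# Top-level MIME types that should never carry a Windows executable.
PASSIVE_TOP_LEVEL_TYPES = {"audio", "image", "text", "video"}


def _build_message(name, content_type, body_bytes):
    """Assemble a two-part multipart/mixed message as a raw string.
    Constructed for this example; it is not the worm's real file."""
    boundary = "====_SAMPLE_BOUNDARY_===="
    return (
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        'Content-Type: text/html; charset="iso-8859-1"\r\n'
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "<HTML><BODY></BODY></HTML>\r\n"
        f"--{boundary}\r\n"
        f'Content-Type: {content_type}; name="{name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{base64.b64encode(body_bytes).decode()}\r\n"
        f"--{boundary}--\r\n"
    )


# A hand-made PE header stub (MZ magic only), not a working program.
_FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
# A hand-made RIFF/WAVE header stub for the benign comparison.
_FAKE_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt "

# Disguised: declared as a sound file, named .exe, payload starts with MZ.
SAMPLE_EML = _build_message("readme.exe", "audio/x-wav", _FAKE_PE)
# Benign: declared as a sound file, named .wav, payload is RIFF data.
CLEAN_EML = _build_message("note.wav", "audio/x-wav", _FAKE_WAV)


def find_disguised_executables(raw_message):
    """Walk every MIME part and report attachments whose declared
    Content-Type disagrees with their name or their bytes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()       # Content-Disposition or Content-Type name=
        declared = part.get_content_type()   # lowercase "type/subtype"
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower() if filename else ""
        reasons = []
        if ext in EXECUTABLE_EXTS and not declared.startswith("application/"):
            reasons.append(f"executable extension {ext} declared as {declared}")
        if payload[:2] == b"MZ" and declared.split("/", 1)[0] in PASSIVE_TOP_LEVEL_TYPES:
            reasons.append(f"PE (MZ) header inside a {declared} part")
        if reasons:
            findings.append({"filename": filename,
                             "declared_type": declared,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(find_disguised_executables(SAMPLE_EML))   # one finding, two reasons
    print(find_disguised_executables(CLEAN_EML))    # []
```

The point of checking both the name and the magic bytes is that either one alone can be spoofed: a mail client that trusts only the declared type is exactly what this worm relied on.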


Other Extensions

This exploit is not limited to just exe files. It can be used with all the executable file extensions; pif and scr (Screen Saver) are quite common. See McAfee's notes on the W32/Badtrans@MM virus for numerous examples.


Note

I know that Microsoft has gone out of its way to describe these problems without giving specific data. From a general security point of view, I support that approach. However, since I know of companies losing whole days because of these problems, I decided to publish explicit details (as far as I know them). This is no longer a "hide the details" issue; we're now in disaster recovery, and explicit details are necessary to accomplish that.

Most of the details are also given by Symantec.


References


Author: Robert Clemenzi
URL: http://mc-computing.com/Parasites/eml_viruses.html