From: Nexus (nexuspatrol.i-way.co.uk)
Date: Wed Jul 25 2001 - 08:04:43 CDT

    Hi folks,
                Marius was kind enough to send me a copy of the original email,
    including attachments. I've always enjoyed analysing unknown and
    potentially malicious files like this - feel free to pass such things on to
    me. Yes, I did just say that ;-)
    Anyway, in short the email contained an early variant of the Efortune worm
    (W32.Efortune.28672 mm) details of which can be found at
    http://www.symantec.com/avcenter/venc/data/w32.efortune.28672mm.html - to
    precis from the writeup : "The W32.Efortune.28672mm worm is an encrypted
    mass mailer with backdoor capabilities. It uses IRC to spread."
    The other attachment was fortune.zip which contained 2 files, cookie.exe and
    a file_id.diz that describes the file as :

    " FortuneCookie 32 - Version 1.0
                                    * FREEWARE *

    DESCRIPTION:
    ============

            FortuneCookie 32 is a Windows 32 version of the classical
    fortune cookies you can get at some restaurants. It's very simple
    double clicking on the cookie.exe file will bring up a fortune cookie.
            This program is freeware so feel free to send out a word of
    wisdom to your friends!"

    The cookie.exe [13/4/2001 16:15 28672 bytes] is actually another copy of the
    worm.

    Cheers.

    ----- Original Message -----
    From: "Marius Huse Jacobsen" <mahujac2i.net>
    [snip]
    > Exactly how bad is it? The offending line seems to be
    > <iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
    >
    > Html email was a curse to begin with and it hasn't become any better.
    > Can anyone give me that ascii ribbon sig?
    [snip]
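
A defender-side check for the pattern in the quoted line, as an added example that is not part of the original thread: it decodes the quoted-printable HTML part, finds frames whose source is a `cid:` reference, and resolves each one to the MIME part it would load. The class and function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not the original mail): a quoted-printable HTML part whose
# zero-size iframe points, via cid:, at an executable part of the same message.
SAMPLE = '''\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<body><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body>
--b1
Content-Type: application/octet-stream; name="cookie.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

cGxhY2Vob2xkZXI=
--b1--
'''

class CidFrameFinder(HTMLParser):
    """Hypothetical helper: collect (content-id, zero_size) per cid: frame."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag in ("iframe", "frame") and a.get("src", "").lower().startswith("cid:"):
            self.hits.append((a["src"][4:], "0" in (a.get("height"), a.get("width"))))

def find_cid_iframes(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Index every part that carries a Content-ID so a cid: reference can be resolved.
    parts = {str(p["Content-ID"]).strip().strip("<>"): p
             for p in msg.walk() if p["Content-ID"]}
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = CidFrameFinder()
            finder.feed(part.get_content())  # get_content() undoes =3D -> =
            for cid, zero_size in finder.hits:
                target = parts.get(cid)
                findings.append({"cid": cid, "zero_size": zero_size,
                    "filename": target.get_filename() if target else None,
                    "content_type": target.get_content_type() if target else None})
    return findings
```

A finding with `zero_size` set and a non-image `content_type` is the combination worth quarantining at a mail gateway.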