HTML/Filedownload

Alias/es: Exploit-MIME.gen.c [McAfee], Exploit.HTML.FileDownload suspicious [KAV], HTML/Filedownload suspicious
Release Date: Apr 27, 2005
Detection Availability (Active Database / Extended Database)
FortiGate: low / high
FortiClient:
FortiMail: N/A
Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms


Detailed Analysis

This detection covers the "RFC 822 mail text" form of the virus W32/Netsky.P-mm, that is, the worm as it appears inside an email message rather than as a standalone executable. In this form the worm's body is a base64-encoded text attachment. The text itself cannot execute; it only becomes dangerous if an email server, mail client or other email-processing application decodes the attachment region back into its binary form.

The detection also keys on a specific format and structure of the email message: the HTML body contains a zero-size IFrame that references the attachment by its Content-ID, and the attachment is declared with a harmless Content-Type (audio/x-wav) while carrying an executable filename (message.pif). On some unpatched Windows systems this IFrame and WMP exploit construction trick causes the mail client to load, and thereby run, the attachment automatically when the message is merely viewed, as in the following example -

Message has been sent as a binary attachment.

Or you can view the message at:

<a href=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0>
*URL*BLOCKED*</a>
<iframe
src=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0></iframe>

Content-Type: audio/x-wav;
name="message.pif"
Content-Transfer-Encoding: base64
Content-ID:<121401Mfdab4$3f3dL780$75387018@57W81fa70Re>

*ENCODED NETSKY ATTACHMENT*
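The structure above can be checked mechanically. The following Python script is an added example for this entry, not Fortinet's detection logic or any code from the Netsky sample: it parses an RFC 822 message, collects every Content-ID that an <iframe> in an HTML part points at, and flags a referenced part when its filename has an extension Windows executes or when its decoded body begins with the "MZ" executable magic. The two sample messages are constructed here in the layout shown above; the "Netsky-style" payload is a placeholder that only starts with the MZ bytes and is not the worm's body, and the Content-ID and addresses are invented.

```python
import base64
import os
import re
from dataclasses import dataclass
from email import message_from_string, policy

# Extensions Windows runs directly when the "attachment" is opened (assumed list).
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}
# Hidden-iframe reference to an inline MIME part: <iframe ... src=cid:...>
IFRAME_CID = re.compile(r'<iframe[^>]*?\bsrc\s*=\s*["\']?cid:([^\s"\'>]+)', re.IGNORECASE)


@dataclass
class Finding:
    content_id: str
    content_type: str
    filename: str
    executable_name: bool   # filename ends in an extension Windows executes
    decodes_to_pe: bool     # base64 body decodes to bytes starting with the "MZ" magic
    suspicious: bool        # iframe-loaded part that is an executable in disguise


def build_message(content_type, filename, payload, cid="part1@example.invalid"):
    """Assemble a constructed multipart/related mail in the layout described in the entry:
    an HTML part that loads an attachment through a zero-size iframe by Content-ID, and
    an attachment declaring `content_type` while carrying `filename`."""
    body_b64 = base64.b64encode(payload).decode("ascii")
    lines = [
        "From: sender@example.invalid",
        "To: victim@example.invalid",
        "Subject: Delivery failure",
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="part-boundary"',
        "",
        "--part-boundary",
        'Content-Type: text/html; charset="us-ascii"',
        "Content-Transfer-Encoding: 7bit",
        "",
        "Message has been sent as a binary attachment.<br>",
        "Or you can view the message at:<br>",
        f"<a href=cid:{cid} height=0 width=0>*URL*BLOCKED*</a>",
        "<iframe",
        f"src=cid:{cid} height=0 width=0></iframe>",
        "",
        "--part-boundary",
        f"Content-Type: {content_type};",
        f' name="{filename}"',          # folded header line, as in the sample
        "Content-Transfer-Encoding: base64",
        f"Content-ID: <{cid}>",
        "",
        body_b64,
        "--part-boundary--",
    ]
    return "\n".join(lines) + "\n"


def iframe_targets(msg):
    """Collect every Content-ID that an <iframe> in any HTML part points at."""
    cids = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            cids.update(m.group(1).strip("<>") for m in IFRAME_CID.finditer(part.get_content()))
    return cids


def scan_message(raw):
    """Return a Finding for each MIME part that an iframe references by Content-ID."""
    msg = message_from_string(raw, policy=policy.default)
    targets = iframe_targets(msg)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid not in targets:
            continue
        filename = part.get_filename() or ""
        executable_name = os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS
        # Decoding is exactly the step the entry warns about: text becomes binary here.
        decoded = part.get_payload(decode=True) or b""
        decodes_to_pe = decoded[:2] == b"MZ"
        findings.append(Finding(cid, part.get_content_type(), filename,
                                executable_name, decodes_to_pe,
                                executable_name or decodes_to_pe))
    return findings


# Constructed samples: a placeholder beginning with the MZ magic (not the worm) and a benign GIF.
NETSKY_STYLE_MESSAGE = build_message("audio/x-wav", "message.pif", b"MZ\x90\x00" + b"\x00" * 60)
BENIGN_MESSAGE = build_message("image/gif", "logo.gif", b"GIF89a" + b"\x00" * 10)

if __name__ == "__main__":
    for label, raw in (("netsky-style", NETSKY_STYLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        for finding in scan_message(raw):
            print(label, finding)
```

The benign message uses the same iframe-by-Content-ID construction for an inline image, which is legitimate and common, so the iframe alone is not the signal; the verdict comes from the declared type disagreeing with the executable filename and the decoded content. A gateway that never decodes the attachment sees only text, which is the point the entry makes about the "mail text" form.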

See also the description for W32/Netsky.P-mm.

Description Last Updated Date: Aug 19, 2005
Reference: ID - 182422