This application requires Javascript for optimal performance.

HTML/Filedownload - Released Apr 27, 2005 - Last Updated Aug 19, 2005

Alias/es

Exploit-MIME.gen.c [McAfee], Exploit.HTML.FileDownload suspicious [KAV], HTML/Filedownload suspicious

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Detailed Analysis

This detection covers the "RFC 822 mail text" version of the virus W32/Netsky.P-mm. In this form, the virus is in text format - this is only dangerous if the attachment region is reverted to binary form by an email server or email processing application.

The detection also relates to a specific format and structure of the email message - in such detections, the email will have the an IFrame and WMP exploit construction trick that may run the attachment automatically on some unpatched Windows systems, as in the following example -

Message has been sent as a binary attachment.

Or you can view the message at:

<a href=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0>*URL*BLOCKED*</a>
<iframe
src=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0></iframe>

Content-Type: audio/x-wav;
name="message.pif"
Content-Transfer-Encoding: base64
Content-ID:<121401Mfdab4$3f3dL780$75387018@57W81fa70Re>
*ENCODED NETSKY ATTACHMENT*

Description for W32/Netsky.P-mm.

Recommended Action



    FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


Reference: ID - 182422