This application requires Javascript for optimal performance.

HTML/Iframe_CID!exploit - Released Aug 12, 2005 - Last Updated Oct 26, 2005

Alias/es

Email-Worm.Win32.NetSky.q [KAV], HTML/FileDownload.E, HTML/Iframe_CID!exploit, W32.Netsky.P@mm!enc [NAV], W32/Netsky.P!Base64, W32/Netsky.P-mm, W32/Netsky.p.eml!exe [McAfee], WORM_NETSKY.P [Trend]

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Email message is retained or blocked due to detection


    • Detailed Analysis

    This detection covers the "RFC 822 mail text" version of the virus W32/Netsky.P-mm. In this form, the virus is in text format - this is only dangerous if the attachment region is reverted to binary form by an email server or email processing application.

    The detection also relates to a specific format and structure of the email message - in such detections, the email will have the an IFrame and WMP exploit construction trick that may run the attachment automatically on some unpatched Windows systems, as in the following example -

    Message has been sent as a binary attachment.

    Or you can view the message at:

    <a href=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0>    *URL*BLOCKED*</a>
    <iframe
    src=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0></iframe>

    Content-Type: audio/x-wav;
    name="message.pif"
    Content-Transfer-Encoding: base64
    Content-ID:<121401Mfdab4$3f3dL780$75387018@57W81fa70Re>
    *ENCODED NETSKY ATTACHMENT*

    Description for W32/Netsky.P-mm.

    Recommended Action



      FortiGate systems:

    • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


    Reference: ID - 102010