HTML/Iframe_CID!exploit

Alias/es: Email-Worm.Win32.NetSky.q [KAV], HTML/FileDownload.E, HTML/Iframe_CID!exploit, W32.Netsky.P@mm!enc [NAV], W32/Netsky.P!Base64, W32/Netsky.P-mm, W32/Netsky.p.eml!exe [McAfee], WORM_NETSKY.P [Trend]
Release Date: Aug 12, 2005
Detection Availability
                 Active Database    Extended Database
FortiGate        low                high
FortiClient      -                  -
FortiMail        N/A                N/A
Current Antivirus Definition Database Version: 12.339
Description

Visible Symptoms

  • Email message is retained or blocked due to detection


Detailed Analysis

    This detection covers the "RFC 822 mail text" version of the virus W32/Netsky.P-mm. In this form the virus exists only as text; it becomes dangerous only if the attachment region is converted back to binary form by an email server or an email-processing application.

    The detection also keys on a specific format and structure of the email message: the message uses an IFrame and WMP exploit construction, referencing the attachment by its Content-ID (cid:), which may run the attachment automatically on some unpatched Windows systems, as in the following example:

    Message has been sent as a binary attachment.

    Or you can view the message at:

    <a href=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0>
    *URL*BLOCKED*</a>
    <iframe
    src=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0></iframe>

    Content-Type: audio/x-wav;
    name="message.pif"
    Content-Transfer-Encoding: base64
    Content-ID:<121401Mfdab4$3f3dL780$75387018@57W81fa70Re>

    *ENCODED NETSKY ATTACHMENT*
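    A defender-side check for the message structure shown above, added here as an example (it is not Fortinet's detection logic): using Python's standard email module, it collects cid: references made from HTML <iframe>/<a> tags and flags any referenced MIME part whose declared Content-Type is not an application type but whose name carries an executable extension. The sample message, its Content-ID and its base64 body are constructed placeholders.

```python
import email
import re
from email import policy

# Constructed sample (not a real Netsky message) mirroring the structure above:
# a hidden iframe points at a part by Content-ID that is declared as audio/x-wav
# yet named message.pif.
SAMPLE = """\
Subject: test
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<p>Message has been sent as a binary attachment.</p>
<iframe src=cid:PLACEHOLDER-ID@example height=0 width=0></iframe>
--b1
Content-Type: audio/x-wav; name="message.pif"
Content-Transfer-Encoding: base64
Content-ID: <PLACEHOLDER-ID@example>

Tm90IGEgcmVhbCBiaW5hcnkK
--b1--
"""

EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# cid: references made from <iframe src=...> or <a href=...>, quoted or not
CID_REF = re.compile(r'<(?:iframe|a)\b[^>]*?(?:src|href)\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def find_cid_exploit_parts(raw):
    """Return (content_id, filename, content_type) for every MIME part that is
    referenced via cid: from HTML and whose declared type hides an executable name."""
    msg = email.message_from_string(raw, policy=policy.default)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(m.lower() for m in CID_REF.findall(part.get_content()))
    findings = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip("<>").lower()
        if cid not in referenced:
            continue
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ctype = part.get_content_type()
        # a non-application type (here audio/*) wrapping a .pif is the mismatch
        if ext in EXEC_EXTENSIONS and not ctype.startswith("application/"):
            findings.append((cid, name, ctype))
    return findings
```

    A mail gateway would quarantine on any non-empty result; a part that is not referenced from the HTML, or that carries a matching application type, is not flagged.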

    Description for W32/Netsky.P-mm.

    Description Last Updated Date: Oct 26, 2005
    Reference: ID - 102010