anomy-list

Re: Announcing sanitizer.pl revision 1.67

From: 119992@xyz.molar.is
Date: Tue 23 Mar 2004 - 22:20:21 GMT


    Has anyone noticed a strange behavior caused by emails infected with the
    Netsky-P/Q virus?
    My company has gotten a number of emails, with the message:

       If the message will not displayed automatically,
       follow the link to read the delivered message.

    And a link below that, which has text that looks like:

          www.mycompany.com/inbox/username/read.php?sessionid-#####

    But the link is really an href to some "cid: lotsa junk here"

    I was using Anomy 1.66 until this morning, when I upgraded to 1.67, and in
    both cases, these messages had no actual attachments.
    AFAIK, this virus should have a .zip attachment (most of the time), which I
    would (through my configuration), scan, and quarantine (and that would
    print the msg_file_save in the email), but no message is being displayed,
    and no files are getting quarantined, when the email is delivered without
    an attachment.
    I guess that's a good thing, but I'm wondering why this is happening.
    I know that Netsky-P exploits the "Incorrect MIME Header Can Cause IE to
    Execute E-mail Attachment vulnerability" in IE.
    Could that be causing the sanitizer to get confused, and think that the
    attachment is just junk data, which gets lost???

    Thanks,

    -- Robert
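
The pattern described in the message above (link text that reads like a web address while the href is a `cid:` reference, which names a MIME part by its Content-ID) can be checked for mechanically. The following is an added example, not part of the original post and not sanitizer.pl code; the sample message and the names `AnchorCollector` and `find_cid_disguised_links` are constructed for illustration. It also reports whether the referenced part is actually present in the message.

```python
import email
import re
from html.parser import HTMLParser

# Constructed sample (not from the list post): link text looks like a URL, href is cid:.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><a href="cid:part1.example">www.example.invalid/inbox/user/read.php?sessionid-00000</a>
<a href="http://www.example.invalid/help">help page</a></body></html>
--b1--
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)\S+$", re.I)

def find_cid_disguised_links(raw):
    """Return (text, href, part_present) for links shown as a URL but pointing at cid:."""
    parts = list(email.message_from_string(raw).walk())
    cids = {(p.get("Content-ID") or "").strip().strip("<>") for p in parts} - {""}
    findings = []
    for p in parts:
        if p.get_content_type() == "text/html":
            body = p.get_payload(decode=True).decode(p.get_content_charset() or "latin-1", "replace")
            collector = AnchorCollector()
            collector.feed(body)
            for href, text in collector.links:
                if href.lower().startswith("cid:") and LOOKS_LIKE_URL.match(text):
                    findings.append((text, href, href[4:] in cids))
    return findings
```

A finding whose third field is `False` means the `cid:` target is not among the message's MIME parts, i.e. the link points at content that was not delivered with the message.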


