Has anyone noticed a strange behavior caused by emails infected with the
Netsky-P/Q virus?
My company has gotten a number of emails, with the message:
    If the message will not displayed automatically,
    follow the link to read the delivered message.
And a link below that, which has text that looks like:
    www.mycompany.com/inbox/username/read.php?sessionid-#####
But the link is really an href to some "cid: lotsa junk here".
I was using Anomy 1.66 until this morning, when I upgraded to 1.67, and in
both cases, these messages had no actual attachments.
AFAIK, this virus should have a .zip attachment (most of the time), which I
would (through my configuration), scan, and quarantine (and that would
print the msg_file_save in the email), but no message is being displayed,
and no files are getting quarantined, when the email is delivered without
an attachment.
I guess that's a good thing, but I'm wondering why this is happening.
I know that Netsky-P exploits the "Incorrect MIME Header Can Cause IE to
Execute E-mail Attachment vulnerability" in IE.
Could that be causing the sanitizer to get confused, and think that the
attachment is just junk data, which gets lost???
Thanks,
-- Robert
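
A diagnostic for the symptom described in this post, added here as an example and not part of the original message or of Anomy: it lists HTML anchors whose visible text looks like a web address but whose href is a cid: reference, and reports whether a MIME part with that Content-ID is actually present in the message. The sample message, the placeholder Content-ID and the function names are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample modelled on the report above; not a captured message.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<a href="cid:placeholder-content-id">www.mycompany.example/inbox/username/read.php?sessionid-00000</a>
--b1--
"""

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_cid_links(raw):
    """Return one finding per anchor that displays a URL but points at cid:."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Content-IDs actually carried by some part, without the angle brackets.
    present = {p["Content-ID"].strip("<> ") for p in msg.walk() if p["Content-ID"]}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = _Anchors()
        parser.feed(part.get_content())
        for href, text in parser.links:
            if href.lower().startswith("cid:") and re.match(r"(https?://|www\.)", text, re.I):
                cid = href[4:].strip()
                findings.append({"text": text, "cid": cid, "part_present": cid in present})
    return findings
```

A finding with `part_present` set to False means the link refers to a part that is not in the message as received, so there is nothing at that point for a scanner or quarantine rule to act on.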