Re: Announcing revision 1.67

Date: Tue 23 Mar 2004 - 22:20:21 GMT

    Has anyone noticed a strange behavior caused by emails infected with the
    Netsky-P/Q virus?
    My company has gotten a number of emails, with the message:

       If the message will not displayed automatically,
       follow the link to read the delivered message.

    And a link below that, which has text that looks like:

    But the link is really an href to some "cid: lotsa junk here"

    I was using Anomy 1.66 until this morning, when I upgraded to 1.67, and in
    both cases, these messages had no actual attachments.
    AFAIK, this virus should have a .zip attachment (most of the time), which I
    would (through my configuration), scan, and quarantine (and that would
    print the msg_file_save in the email), but no message is being displayed,
    and no files are getting quarantined, when the email is delivered without
    an attachment.
    I guess that's a good thing, but I'm wondering why this is happening.
    I know that Netsky-P exploits the "Incorrect MIME Header Can Cause IE to
    Execute E-mail Attachment vulnerability" in IE.
    Could that be causing the sanitizer to get confused, and think that the
    attachment is just junk data, which gets lost???


    -- Robert
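
Added example, not part of the original post and not Anomy's code: a check for the symptom described above, an HTML link whose target is a `cid:` URI that no MIME part in the delivered message carries. The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import unquote

# Constructed sample: the HTML links to one cid: that has no matching part
# and embeds one image whose Content-ID is present.
SAMPLE = """\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: Delivered message
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="cid:part1.example@example.invalid">read message</a>
<img src="cid:logo@example.invalid">
</body></html>
--b1
Content-Type: image/gif
Content-ID: <logo@example.invalid>

constructed-placeholder-body
--b1--
"""

# href/src attributes whose value is a cid: URI (quoted or unquoted).
CID_REF = re.compile(r'''(?:href|src)\s*=\s*["']?cid:([^"'\s>]+)''', re.I)

def dangling_cid_refs(raw):
    """Return cid: targets referenced from HTML parts with no matching Content-ID part."""
    present, referenced = set(), set()
    for part in message_from_string(raw).walk():
        cid = part.get("Content-ID")
        if cid:
            present.add(cid.strip().strip("<>").lower())
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            try:
                html = body.decode(part.get_content_charset() or "latin-1", "replace")
            except LookupError:  # unknown charset label in the header
                html = body.decode("latin-1")
            referenced.update(unquote(m).lower() for m in CID_REF.findall(html))
    return sorted(referenced - present)

def attachment_names(raw):
    """Filenames declared by any part; empty when nothing was attached."""
    return [p.get_filename() for p in message_from_string(raw).walk() if p.get_filename()]
```

A non-empty result from `dangling_cid_refs` together with an empty `attachment_names` matches what the post reports: a link to content that is not in the message as delivered.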
