
Help and advice on E-mails downloading a virus using a MIME exploit

Old 5th Apr 2004, 13:03
  #1 (permalink)  
Thread Starter
 
Join Date: Jan 2004
Location: 1/2 a mile to the right of 14 top end of Yeadon
Posts: 123
Likes: 0
Received 0 Likes on 0 Posts
Help and advice on E-mails downloading a virus using a MIME exploit

I have always taken this Forum's advice and never opened e-mail attachments without finding out if they were genuine first.
I normally delete to be safe. In the last fortnight I have had 5 Netsky viruses detected by my AVG anti virus system. I never opened any attachments but only highlighted the e-mails to delete them. I could not understand why the minute I highlighted them a virus alert popped up.

I have now found out that the e-mails were using something called a MIME exploit to try and infect my computer. I use Outlook Express and Incredi Mail. Please explain what a MIME exploit is and is there any way to detect this type of e-mail before highlighting it prior to deleting? So you experts out there please help.

ils32
ILS32 is offline  
Old 5th Apr 2004, 13:31
  #2 (permalink)  
 
Join Date: Jan 2004
Location: Bracknell UK
Posts: 357
Likes: 0
Received 0 Likes on 0 Posts
Hi ILS32,

Did it say which variant you picked up? It should tell you it has found Netsky.x where x is a letter. This denotes the particular one you got. There's 16 different variants on the database at the moment, and it will save me a lot of reading..

Cheers

Liam


---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals since 2004.

Last edited by E-Liam; 5th Apr 2004 at 17:50.
E-Liam is offline  
Old 5th Apr 2004, 13:42
  #3 (permalink)  
Thread Starter
 
Join Date: Jan 2004
Location: 1/2 a mile to the right of 14 top end of Yeadon
Posts: 123
Likes: 0
Received 0 Likes on 0 Posts
Sorry E-Liam, I assumed that they would all be similar. The version AVG detected was the Netsky.C and Netsky.D. AVG caught them and put them in its Vault where I deleted it. I just want to be able to stop AVG having to detect them or a new variety which it might miss in the future.

ils32
ILS32 is offline  
Old 5th Apr 2004, 15:14
  #4 (permalink)  
 
Join Date: Dec 1998
Location: .
Posts: 2,997
Likes: 0
Received 0 Likes on 0 Posts
Have you done any file sharing on Kazaa, as it can be passed on through there as well?
spannersatcx is online now  
Old 5th Apr 2004, 15:44
  #5 (permalink)  
Thread Starter
 
Join Date: Jan 2004
Location: 1/2 a mile to the right of 14 top end of Yeadon
Posts: 123
Likes: 0
Received 0 Likes on 0 Posts
Have you done any file sharing on Kazaa,
No spannersatcx, I have never used Kazaa. All I am hoping is to find a way of spotting this type of e-mail which downloads the virus the moment you highlight it to delete it.

ils32
ILS32 is offline  
Old 5th Apr 2004, 17:49
  #6 (permalink)  
 
Join Date: Jan 2004
Location: Bracknell UK
Posts: 357
Likes: 0
Received 0 Likes on 0 Posts
Hi ILS,

I'm back from work, and have had a quick read up. Unlike most e-mail attachments, which are just that, a separate attachment that can't, if containing a virus, be activated until opened, Netsky, along with the now famous My Doom and Dumaru viruses, is actually embedded in the body of the e-mail itself.

When you click the email notification once, or highlight an email for deletion for whatever reason, you will see a copy of the main body, i.e. where you would get the normal text message preview, appear in the lower pane of Outlook. I haven't used Incredimail, but I assume it does something similar. This is all that's needed for the virus to enter your machine. Anything you do with that email must be done by clicking at least once. Once you do that, it's in..

There is a setting in Outlook that stops you from viewing messages in this way, but I can't remember where that is at the moment. I'll try and find out for you.. in the meantime, here are a couple of pages that will give you a clue as to which emails to be wary of..

WORM_NETSKY.C

WORM_NETSKY.D

Cheers

Liam

---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals since 2004.
E-Liam is offline  
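
As an added example (not part of any post in this thread), the sketch below shows one way to flag such messages from their headers alone, without previewing them. It assumes the "MIME exploit" means a part whose declared Content-Type is a media type the preview pane renders automatically while its filename carries an executable extension; the extension list, function name and sample messages are constructed for illustration.

```python
import email
import os
from email import policy

# Extensions Windows will run directly; illustrative, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# Declared major types a preview pane may render or play on its own.
AUTO_RENDERED = {"audio", "video", "image", "text"}

# Constructed sample: a part declared as audio but named like an executable.
SAMPLE_SUSPECT = (
    b"From: sender@example.com\r\n"
    b"Subject: Re: document\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"See the attached file.\r\n"
    b"--b1\r\n"
    b'Content-Type: audio/x-wav; name="document.txt.pif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"cGxhY2Vob2xkZXI=\r\n"  # base64 of the harmless word "placeholder"
    b"--b1--\r\n"
)
# Constructed sample: plain text only, nothing attached.
SAMPLE_BENIGN = (
    b"From: sender@example.com\r\nSubject: hello\r\n"
    b"Content-Type: text/plain\r\n\r\nNo attachments here.\r\n"
)

def suspicious_parts(raw_bytes):
    """Return (filename, declared_type, reason) for each risky MIME part.

    Only headers are inspected; no part is decoded, rendered or executed.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the Content-Type "name" parameter.
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]  # last extension wins
        if ext not in EXECUTABLE_EXTS:
            continue
        if part.get_content_maintype() in AUTO_RENDERED:
            reason = "declared type disagrees with executable extension"
        else:
            reason = "executable attachment"
        findings.append((name, part.get_content_type(), reason))
    return findings
```

Run it over the raw bytes of each message as stored on the server or in the mail spool, before a mail client's preview pane has rendered them.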
Old 5th Apr 2004, 19:04
  #7 (permalink)  
Thread Starter
 
Join Date: Jan 2004
Location: 1/2 a mile to the right of 14 top end of Yeadon
Posts: 123
Likes: 0
Received 0 Likes on 0 Posts
Thanks E-Liam for the explanation.

AVG detected the virus and informed me that it had isolated it and had put it into the vault where I deleted it. Further scans with AVG tell me my computer is clear of the Netsky.C and D.
Is there any benefit in scanning with Housecall?
If I do will AVG + Noadware be affected?
It's just that I am a bit wary of playing about with anything involving the registry which I would have to do if the virus was still on my computer.

ils32

After thought.
If you can't click on it to delete it when you spot it, what do you do? You can't just leave it sitting there. So do you delete and hope your anti virus software detects it when you do?
ILS32 is offline  
Old 6th Apr 2004, 01:37
  #8 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
ILS32,

The advantage of scanning with HouseCall is that it gives you a second opinion. The payload of some viruses is to disable your current antivirus program. (It will look like it is scanning but it is in fact not doing anything.) Since HouseCall is not resident on your computer, it will not fall prey to this type of attack. The second thing is, many people do not update their antivirus program, and by scanning with HouseCall, at least we know the person we are helping has at least one good scan of their system.

Take Care,

Richard

P.S. As long as AVG has the virus quarantined you are safe.
Naples Air Center, Inc. is offline  
Old 6th Apr 2004, 07:08
  #9 (permalink)  
 
Join Date: Jun 2001
Location: HKG
Posts: 1,410
Received 0 Likes on 0 Posts
Does Netsky affect Macs using Outlook Express?
BusyB is offline  
Old 6th Apr 2004, 10:19
  #10 (permalink)  
Thread Starter
 
Join Date: Jan 2004
Location: 1/2 a mile to the right of 14 top end of Yeadon
Posts: 123
Likes: 0
Received 0 Likes on 0 Posts
Thanks again E-Liam and Richard.
Scanned with Housecall and all clear.

ils32
ILS32 is offline  
Old 6th Apr 2004, 13:19
  #11 (permalink)  
 
Join Date: Jan 2004
Location: Bracknell UK
Posts: 357
Likes: 0
Received 0 Likes on 0 Posts
Hi BusyB,
Does Netsky affect Macs using Outlook Express?
Not that I'm aware of..

Hi Ils,

you're welcome.

Cheers

Liam
E-Liam is offline  
Old 6th Apr 2004, 13:25
  #12 (permalink)  
 
Join Date: Jun 2001
Location: HKG
Posts: 1,410
Received 0 Likes on 0 Posts
E-Liam,

Thanks for that as I'm getting a lot of e-mails with a file attached which I have deleted without opening the file. I was concerned however that by OE selecting the title to delete that I might get infected. I'm guessing that the mails are coming from a club mailing list that I'm a member of.
I'm new to Macs so not too sure how secure they are.

Thanks again.
BusyB is offline  
Old 6th Apr 2004, 17:01
  #13 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
ILS32,

Glad to hear your comp is once again pest free!

Take Care,

Richard
Naples Air Center, Inc. is offline  
