Thanks Jim, and all who replied. Updating MS Office w/ latest patches solved the problem. It appears it was the iframe issue you mentioned. Here is the message source for those who asked: ----------------------------------------------------------------- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content="MSHTML 5.00.2920.0" name=GENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=#ffffff><br>Mail Delivery - This mail couldn't be displayed<br><br>------------- failed message -------------<br>?2a$dmd-ekH-U?3C)7>JA!p|jxvM>g;ÃOigLW*8hiE<br>G1!K&o*(yÃKAL #s7sMJwAmS2105NtW3%efpG7?$V)4(vf#><br>jHtC8HWc4VfUgtU2l55aWMD.PJK7.YD8bÃ:)pa cn|$qhz<br>VÃ8sÃZmQV4goigoLHcu$w%1hxo|ACKw0B8&ÃOvÃma,Ã<br>V&;N>1:G<br><br>Me ssage has been sent as a binary attachment.<br> Or you can view the message at:<br><br> <a href=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0>www.targetdomain.com/inmail/webmaster/mread.php?sessionid-20302</a> <iframe src=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0 width=0></iframe> <DIV> </DIV></BODY></HTML> ------------------------------------------------------------------ -----Original Message----- From: James C Slora Jr [mailto:Jim.Slora@phra.com] Sent: Friday, April 02, 2004 2:30 PM To: 'BugtraQ'; bugtraq@securityfocus.com Subject: RE: Netsky.R, auto execute w/ IE6 ? > I have received several emails (W2K, Outlook 2000) > that appear to be Netsky.Q or Netsky.R. When > opened these emails launch the attachment automatically. > Just to be sure, I did a windows update for all the > latest security patches. Even after this, Outlook > still opens the attached file on viewing the email. The MIME vulnerability should not affect you given the configuration you said you have. Netsky-Q also uses an iframe to try to autolaunch, though - that is probably what you are seeing. Your security settings in Outlook are probably not set to protect against iframe launches. Make sure your mail client is running in the Restricted Sites security zone (Tools>Options>Security>Zone Settings), and that the "Launching Programs and Files in an Iframe" right is set to "disabled" within that zone. Netsky.Q uses the following methods to try to execute the hostile attachment: ***** The social engineering setup: <BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br> follow the link to read the delivered message.<br><br> Received message is available at:<br> A clickable link looks like it points at hotjobs but actually points to embedded executable: <a href=3Dcid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re height=3D0 width=3D0>www.hotjobs.com/inbox/serviceupdate/read.php?sessionid-4524</a> **** An I-Frame tries to auto-execute the embedded executable: Prevent this by running the mail client within the Restricted Sites security zone, and by ensuring "Launching Programs and Files in an Iframe" is disabled within that zone. <iframe src=3Dcid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re height=3D0 width=3D0></iframe> <DIV> </DIV></BODY></HTML> **** And finally the MIME type vulnerability tries to auto-execute the embedded executable. This exploit should be stopped by IE 6 or by MS01-020. Your computer probably does not try to execute from this. ------=_NextPart_001_001C_01C0CA80.6B015D10-- ------=_NextPart_000_001B_01C0CA80.6B015D10 Content-Type: audio/x-wav; name="message.scr" Content-Transfer-Encoding: base64 Content-ID:<031401Mfdab4$3f3dL780$73387018@57W81fa70Re>
