RE: [Declude.Virus] Forging candidate - JS/IFrame@exp

[John Tolmachoff \(Lists\)]

Woops, wrong one sort of. This one calls another url within the HTML body.   Yes, it is forging.   John Tolmachoff Engineer/Consultant/Owner eServices For You   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, September 17, 2004 2:33 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Forging candidate - JS/[EMAIL PROTECTED]   I think this is the one where the html body calls an object from a URL which will automatticly download the virus payload.   John Tolmachoff Engineer/Consultant/Owner eServices For You   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Friday, September 17, 2004 2:13 PM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Forging candidate - JS/[EMAIL PROTECTED]   In the last hour we have started to see F-Prot tag something called JS/[EMAIL PROTECTED]  There were 13 of them since 4 p.m. EST and they don't appear at all in yesterday's logs.  This appears to be all spam from forged addresses.  Here are some Mail From addresses according to the Virus log:     [EMAIL PROTECTED]     [EMAIL PROTECTED]     [EMAIL PROTECTED]     [EMAIL PROTECTED]     [EMAIL PROTECTED] And some sample headers retrieved from a failed virus notification (slightly munged by cut and paste). Received: from mx2.mailpure.com [63.170.56.47] by mx1.mailpure.com with ESMTP (SMTPD32-8.05) id AE4C847000A2; Fri, 17 Sep 2004 16:51:24 -0400 Received: from DRAGON-01 ([4.26.147.117]) by mx2.mailpure.com with Microsoft SMTPSVC(5.0.2195.6713); Fri, 17 Sep 2004 16:51:08 -0400 X-Message-Info: 6sXHvz904qYP/ykHtcnKNfQDbcfmM5Kz Received: from chine ([35.244.222.136]) by hqv74-mail.chicano.winsome.compulsion.cable.rogers.com (InterMail vM.5.01.05.12 288-855-644-873-410-51311973) with ESMTP id <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>; Tue, 17 Aug 2004 21:49:50 +0100 Message-ID: <[EMAIL PROTECTED]> Reply-To: "Elba Lackey" <[EMAIL PROTECTED]> From: "Elba Lackey" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Bill Gates didnt get one either Date: Wed, 18 Aug 2004 02:45:50 +0600 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--05066188562662264" Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 17 Sep 2004 20:51:11.0635 (UTC) FILETIME=[10876E30:01C49CF8] I can't find any descriptions for the exploit on the F-Prot site nor on Google.   Thanks, Matt -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================