Assuming the accuracy of everything in M. Thompson's email, an infected email would either have to sit benignly on the client or have to begin the process of delivering its payload. The delivery process would then have to begin with the code's running, either from its own file or from a pre-existing file it has infected or the message envelope. In any of those situations, wouldn't the reconstructed virus still be blocked if (a) there is an AV scanning program at the client side with an appropriate definitions file and (b) the AV program is set to scan on either execution or creation?
-- JN ________________________________________________ Current version is 1.61 | "Using TBUDL" information: http://www.silverstones.com/thebat/TBUDLInfo.html
