RE: Anyone blocking GIF's due to new virus?

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Sep 2004 10:02:06 -0700

> John, which AV software checks to see if the URL leads to a malcious site?

The AV software will not follow the URL, rather the URL in the body, or the
HTML coding calling it, is a part of the virus signature used in the
definition file.

Example, there is the known Object Data Exploit or Vulnerability. This is
easily found by see the HTML coding string starting with < O B J E C T
(spaces added for security) wherebuy it calls and downloads (attempts) what
ever is at that URL. 

I think it was BagleR that first used it, and the way the AV software caught
the message as infected was because the URL string including the object part
was part of the signature of the virus.

John Tolmachoff
eServices For You

Other related posts: