Why is this type of content dangerous?
VBS files contain commands which, when executed, can do anything on the computer. This includes running malicious code such as viruses and worms. VBS, JS, EXE and many other file types that execute code must therefore be treated as dangerous and should not reach desktop computers, where users may be tricked into running the attachment containing an executable file.

Which viruses made use of this method?
LoveLetter or Love Bug, AnnaKournikova, and a good number of other email worms make use of VBS files to spread and create havoc. Similarly many other worms and viruses spread through EXE and variant extensions which similarly allow commands to be executed on the target machine.

Read more about LoveLetter virus: http://www.gfi.com/news/press.asp?release=newvirus&lcode=
And the AnnaKournikova worm: http://www.gfi.com/news/press.asp?release=kournikovavirus&lcode=

How can I protect against this with GFI MailSecurity?
By default, such a rule is automatically created during installation. If you want to add this rule manually, follow this procedure:
In the GFI MailSecurity configuration, click on Attachment Checking on the left pane, right-click and select "New>Attachment Checking Rule". Make sure that you block VBS, EXE, PIF, BAT, etc.

Will a worm making use of this method run automatically?
Attachments are not normally executed automatically. However, many users are very easily fooled into running dangerous VBS files as proven by worms such as LoveLetter.

How does it work exactly?
Once a VBS file is run, it can do virtually anything a program can through the use of ActiveX components.

Why is this type of content dangerous?
Attachments that end with a Class ID (CLSID) file extension do not show the actual file extension saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are actually innocent files, such as JPG or WAV files. This method may also circumvent attachment checking in some email content filtering solutions.

Which viruses made use of this method?
There are no well-known successful worms or viruses that use this method to trick the user into running an email attachment. However, this method is ripe for exploitation and can be used by hackers to inject Trojan horses inside a corporate network or in future viruses.

How can I protect against this in GFI MailSecurity?
Enable the email exploit engine from the GFI MailSecurity configuration. This test is caught as CLS-ID file extension (ID:1).

Will a worm that uses this method run automatically?
Attachments are not normally executed automatically. However many users are very easily fooled into running dangerous files as proven by worms such as LoveLetter. Attachments using a CLSID extension may further entice the user into running them as their real extension is hidden.

How does it work exactly?
The CLSID file in the example is actually an MDB file. MDB (Microsoft Database) will execute code in the same way as EXE and VBS files, and should therefore be treated as dangerous.

Why is this type of content dangerous?
The MIME exploit makes use of a malformed MIME header and an IFrame tag to trick Outlook Express into running the VBS file in this example. The VBS file is automatically executed upon opening the email, thus making this exploit very dangerous when combined with virulent code.

Which viruses made use of this method?
NIMDA used this method, among others, to disseminate very quickly. This method proved a powerful way for this worm to propagate through email. Other worms which make use of this vulnerability are Klez and BadTrans.B

For more information on Nimda check out: http://www.gfi.com/news/press.asp?release=nimdaworm&lcode=en
More info: http://www.gfi.com/news/press.asp?release=mesnimdavirus&lcode=

How can I protect against this in GFI MailSecurity?
The email exploit engine feature in GFI MailSecurity catches this exploit as MIME header vulnerability (ID:5).

Will a worm that uses this method run automatically?
Yes, a worm that uses this vulnerability can execute automatically. Even if the email target is not vulnerable to this particular security issue, the victim will be asked to run or save the file upon receiving it by email.

How does it work exactly?
A description of this exploit by Microsoft can be found at: http://www.microsoft.com/technet/security/bulletin/ms01-020.asp

Why is this type of content dangerous?
ActiveX within HTML content can circumvent security measures in certain circumstances. Vulnerabilities within Internet Explorer and Outlook allow such content to be executed.

Which viruses made use of this method?
Viruses that use this particular vulnerability usually request the user to follow a link.

For more information about VBS.Loading: http://securityresponse.symantec.com/avcenter/venc/data/vbs.loding.a@mm.html

This example does not require the user to follow a link, but rather relies on the IFrame tag to automatically spawn an instance of Internet Explorer internally and access a web page, which in real life situations could be infectious.

How can I protect against this in GFI MailSecurity?
GFI MailSecurity's email exploit engine catches this exploit. Be sure to enable this feature. In the case of the email security test, this exploit is run using an IFrame tag and therefore GFI MailSecurity will detect the IFrame tag instead.

Will a worm making use of this method run automatically?
Yes, a worm that uses this vulnerability can execute automatically.

How does it work exactly?
A description by Microsoft of this exploit: http://support.microsoft.com/support/kb/articles/Q275/6/09.ASP

I get an error when trying out this test. Why is that?
When a computer is not vulnerable to this particular exploit, the test will not run. Instead a JavaScript error message may appear. This usually means that the machine on which you are trying to run the test on does not have this particular security problem.

My anti-virus program tells me I'm infected with a virus. Why?
Anti-virus programs sometimes detect this test as JS.Exception.Exploit, a method used by many crackers to infect computers. This test is harmless and does not actually infect the target host, but rather makes use of the same methods that hackers use. If this GFI email security test creates a file with information about the host PC, this means your PC is not adequately protected and hackers can enter your computer system.

Why is this type of content dangerous?
Attachments that end with a Class ID (CLSID) file extension do not show up the actual extension of the file when saved and viewed with Windows Explorer. This method allows dangerous file types to look as if they are actually innocent JPG or WAV files. This method may also circumvent attachment checking in some email content filtering solutions. In this case, it can also circumvent the security provided by Outlook XP, which makes use of multi-layered security.

Which viruses made use of this method?
There are no well-known successful worms or viruses which make use of this method to trick the user into running an email attachment. However, this method is ripe for exploitation and can be used by hackers to inject Trojan horses inside a corporate network or in future viruses.

How can I protect against this using GFI MailSecurity?
GFI MailSecurity's email exploit engine detects this on 2 counts, by identifying both exploit attempts: CLSID file extension and IFrame tag.

Will a worm making use of this method run automatically?
This test may run automatically on Outlook clients that do not have attachment security enabled. Those Outlook users who have attachment security enabled or Outlook 2002 will be asked whether to run the file or save it. Many users are very easily tricked into running dangerous files as proven by worms such as LoveLetter. Attachments using a CLSID extension may further entice the user into running them as their real extension is hidden.

How does it work exactly?
The example CLSID file is actually an HTA file. HTA (HTML Application) executes code in the same way as EXE and VBS files, and should therefore be treated as dangerous.

Why is this type of content dangerous?
HTA files contain commands which when executed, can do anything on the computer. This includes running malicious code such as viruses and worms. HTA, VBS, EXE and many other file types that execute code must therefore be treated as dangerous and should not reach desktop computers, where users may be tricked into running the attachment containing an executable file. In this case, this test will also circumvent the security provided by Outlook XP, which makes use of multi-layered security.

Which viruses made use of this method?
There are no well-known successful worms or viruses which make use of this method to trick the user into running an email attachment. However, this method is ripe for exploitation and can be used by hackers to inject Trojan horses inside a corporate network or in future viruses.

How can I protect against this with GFI MailSecurity?
GFI MailSecurity's email exploit engine detects this on 2 counts, by identifying both exploit attempts: Malformed file extension and IFrame tag.

Will a worm making use of this method run automatically?
This test may run automatically on Outlook clients that do not have attachment security enabled. Those Outlook users who have attachment security enabled will be asked whether to run the file or save it. Many users are very easily tricked into running dangerous files as proven by worms such as LoveLetter.

How does it work exactly?
The malformed file extension test makes use of a "feature" in Windows machines, where a filename ending with a dot (.) is truncated at the end, so that the dot is deleted. This way, the attachment can circumvent attachment checking in Outlook XP and possibly also in other email security solutions. Once the attachment is run, it can do virtually anything that a program can.

Why is this type of content dangerous?
This particular example allows VBA (Visual Basic for Applications) code to be automatically executed without any warnings, regardless of the security settings on the target machine. It can be very dangerous to open an email that makes use of this particular method since it runs on any computer that has Internet Explorer.

Which viruses made use of this method?
At the time of writing this exploit is new and has not yet been used to distribute malicious code. However, because it is so easy to exploit, this particular example may become popular among hackers and virus-writers.

How can I protect against this with GFI MailSecurity?
This is detected as an IFrame within an HTML email using GFI MailSecurity's email exploit engine.

Will a worm making use of this method run automatically?
Yes, a worm making use of this vulnerability can execute automatically.

How does it work exactly?
A description by GFI Security Labs of this exploit: http://www.gfi.com/news/press.asp?release=exploitaccessadvisory
For info about the patch issued by Microsoft:
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp

Why is this type of content dangerous?
This particular example allows local files to be automatically executed, regardless of the security settings on the target machine. It can be dangerous to open an email that uses this particular method because it runs on any computer that has an unpatched version of Internet Explorer 6.

Which viruses made use of this method?
At the time of writing, this exploit is new and has not yet been used to distribute malicious code. However, a recent email 'joke' used this exploit to log users off as soon as they tried to read their email.

How can I protect against this with GFI MailSecurity?
GFI MailSecurity's email exploit engine detects this an Object Codebase file execution within an HTML email.

Will a worm making use of this method run automatically?
Yes, a worm making use of this vulnerability can execute automatically.

How does it work exactly?
The Codebase usually points to the installation of an ActiveX component. If the Codebase points at an existent file on the hard disk, in some circumstances (such as in this security test), the file will be executed automatically. A patch is available from Microsoft:
http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp

Why is this type of content dangerous?
This particular example allows files to be downloaded to the desktop machine from a remote HTTP site, regardless of the security settings on the target machine. Once downloaded, the files can be executed. This method allows attackers to circumvent attachment checking such as the security settings in Outlook 2002.

Which viruses made use of this method?
At the time of writing, this exploit is new and has not yet been used to distribute malicious code. However, because it is so easy to exploit, this particular example may become popular among hackers and virus-writers.

How can I protect against this using GFI MailSecurity?
GFI MailSecurity's email exploit shield detects this as an IFrame within an HTML email.

Will a worm making use of this method run automatically?
This test may run automatically on Outlook clients that do not have attachment security enabled. Outlook users who have attachment security enabled and Outlook 2002 users will be asked whether to run the file or save it. Many users are very easily tricked into running dangerous files as proven by worms such as LoveLetter.

How does it work exactly?
The IFrame tag points to a remote HTTP site. This means that no attachments need be used in this method - yet it still presents the danger that the user may run an infected file.
IFRAME tags are not allowed in restricted security zone when the following patch is applied:
http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp

Why is this type of content dangerous?
The Eicar test is a standard test for anti-virus software. This is not a real virus but a test virus.

How can I protect against this in using GFI MailSecurity?
In the GFI MailSecurity configuration, ensure that the anti-virus module is configured to scan all incoming and outgoing emails.

How does it work exactly?
Every standard anti-virus engine has a definition for Eicar. The purpose of this test is to make sure that the anti-virus scanner is running.

Why is this type of content dangerous?
A hacker or virus that uses this vulnerability can bypass the majority of content-filtering solutions that claim to protect against viruses. This exploit renders most server-level virus scanning solutions useless against it.

Which viruses made use of this method?
At the time of writing, this exploit is new and has not yet been used to distribute malicious code. However, because it is so easy to exploit, this particular example may become popular among hackers and virus-writers.

How can I protect against this using GFI MailSecurity?
GFI MailSecurity's email exploit shield detects this as a "Fragmented Message".

Will a worm making use of this method run automatically?
A worm that uses of this method will not run automatically. However, it will manage to bypass most types of server-side security measures.

How does it work exactly?
An advisory with details about this particular attack has been issued by BeyondSecurity - http://www.securiteam.com/securitynews/5YP0A0K8CM.html. This works with Outlook Express and other clients that support message fragmentation. Microsoft Outlook does not support this feature.

I received the test as 5 emails with no explanation. What does this mean?
If you receive the test as 5 emails or do not receive the test at all, this means your email client does not support email defragmentation: The fragmented email containing the virus has not been reconstructed at client level, meaning your system is safe from this type of attack.