[Dshield] FW: Email Virus Notification
peter.stendahl-juvonen at welho.com
Mon Apr 26 18:02:58 GMT 2004
list-bounces at lists.dshield.org wrote on Monday, April 26,
2004 7:41 PM (EETDST) UTC+3 on behalf of Joseph Stahley 3rd
| Someone on this list is sending emails with MhtRedir.gen exploit. I do not
| have the senders info due to the fact Cox is stripping this info at their
Joseph et al.
Presumably, the email you refer to merely contains a description of an exploit (NOT an actual
exploit). That description (of an example for an exploit) unluckily triggers virus scanners to
erroneously detect the description, which contains a similar string of characters to an actual
If that is the case, there is nothing to worry about. Would of course be a good idea to report to
virus scanner vendor(s) and help them in improving their S/W by removing positive false
(Pete Cap wrote one of these examples and Laura Vance responded to the post. Would think posts by
both might erroneously trigger virus alerts. Before that, Bjorn Stromberg and I also posted similar
examples of exploits.)
I have reported one positive false detection in NAV2004 ("Bloodhound.Exploit.6"). Symantec has
confirmed the positive false detection. So far (Saturday Apr 24), Symantec have managed to remove
the false detection triggered by a cached web page image. Re-reported to Symantec today that when
Bloodhound heuristics is enabled and set to "Highest level of protection" NAV2004 still erroneously
detects the description of an exploit in a MS Word document. The false positive detection occurs
also _when browsing_ the actual web page (at http://secunia.com/advisories/10523/ ) as well. Will
let you know if/when Symantec Technical Support manages holistically to resolve the problem.
"Each problem that I solved became a rule,
which served afterwards to solve other problems."
R. Descartes (1596-1650); French philosopher, scientist and mathematician.