This new GIF based email attack was spammed extensively over the weekend. While GIF files are safe, the HTML body of these email messages contain a trojan horse that could be launched on systems that are not up to date on Windows security patches (from last year MS03-032 and MS03-040). Suspicious GIF files being mailed? http://isc.sans.org//diary.php?date=2004-08-27
There are an increasing amount of suspicious gif attachments to email reported to us. The filenames 1.gif and 2.gif seem to be popular, but it looks like the exploit isn't in the gifs, but rather in the body of the message that tries to download from a -currently down- website. The reports so far indicate outlook warns about ActiveX permissions, but that might not be the case in all instances. Our best preventive advise would be to disable preview panes in outlook, keep anti-virus software up to date at all times, and perhaps consider to return email to plain text as much as possible both when sending and receiving messages. McAfee releases update for 1.gif trojan http://vil.nai.com/vil/content/v_100715.htm
McAfee releases update for 1.gif trojan, This trojan takes advantage of the exploits covered in Microsoft Security Bulletin MS03-032 or Microsoft Security Bulletin MS03-040. McAfee notes that if these patches are applied, you are immune from this virus. McAfee will still and identify the trojan with the latest updates applied. McAfee information on new 1.gif and 2.gif trojans http://vil.nai.com/vil/content/v_100715.htm
Update - 8/27/2004: A mass-mailing of this exploit occurred today. Messages appear as:
Subject: 1 or 2
Attachment: 1.gif or 2.gif
The attachments are simply 8 byte ascii files containing a number. They are not valid GIF files, nor are they infectious. The message body of such messages is typically blank, but contains HTML exploit code to load a page from a remote site, which is currently inaccessible. The code on the remote site may contain additional malware that could be responsible for the sending of the messages.
This detection covers HTML documents that attempt to exploit the Microsoft Security Bulletin MS03-032 or Microsoft Security Bulletin MS03-040 vulnerability. This severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code, simply by visiting an infectious website. Detections of this exploit do not necessarily mean that any malicious code was executed.
It simply means that an HTML document was found to contain the exploit code. Conversely malicious code may have been run, which could result in any number of modifications to the system. All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur on files attempting to make use of this exploit.