MIME.Suspicious.exe
Analysis
MIME Exploits
There is a flaw in certain versions of Internet Explorer (5.5 and earlier, except for v5.01 with SP2) that would allow an attacker to send a specially crafted "wrapper" email that, when opened, could automatically launch the file attachment. This flaw affects all programs that use the Internet Explorer HTML rendering engine (IE, Outlook, etc.). Several viruses are known to use this exploit, including W32/Klez.H-mm, W32/Frethem.F-mm and W32/Swen.A-mm.
FortiGate systems with FortiOS version 2.36 and 2.50 will detect known variants of this "wrapper" email generically under the name MIME.Exploit.gen. FortiGate systems with FortiOS 2.5x and above will detect this threat type generically under the names MIME.Suspicious.exe or MIME.Exploit.gen.
This flaw, and instructions on how to correct it, are covered in great detail by Microsoft Corporation in Technical Security Bulletin MS01-020: Incorrect MIME Header Can Cause IE to Execute E-mail Attachment.
The following section of this document contains several important excerpts from MS01-020. For the complete bulletin, see the following Microsoft pages:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
http://support.microsoft.com/default.aspx?scid=kb;EN-US;290108
An explanation, to start...
Because HTML e-mails are simply web pages, IE can
render them and open binary attachments in a way that is appropriate
to their MIME types. However, a flaw exists in the type of
processing that is specified for certain unusual MIME types.
If an attacker created an HTML e-mail containing an executable
attachment, then modified the MIME header information to specify
that the attachment was one of the unusual MIME types that
IE handles incorrectly, IE would launch the attachment automatically
when it rendered the e-mail.
An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by the user’s permissions on the system.
This vulnerability can be eliminated either by installing the patch or upgrading to an unaffected version. However, as discussed in the FAQ and in Knowledge Base article Q308411, customers who upgrade to IE 6 on Windows 95, 98, 98SE or ME must select either Typical Install (this is the default) or Full Install in order to eliminate the vulnerability.
Digging deeper: What’s a MIME type?
Let’s start with what MIME is. MIME is an acronym
for Multipurpose Internet Mail Extensions. It’s a widely
used Internet standard for encoding binary files as e-mail
attachments. When an e-mail contains a binary attachment,
it must specify what type of file the attachment is, so the
mail program can interpret it correctly.
In the case of this vulnerability, IE doesn’t correctly handle certain types of fairly unusual MIME types. If an attacker created an e-mail message containing an executable attachment, and specified that it was one of these MIME types, IE would execute the attachment rather than prompting the user.
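The flaw described above and in the opening explanation comes down to a mismatch between what the MIME header declares and what the attachment actually contains: an executable labelled as something else. The following Python script is an added example, not part of this page or of Fortinet's or Microsoft's code; it parses a message with the standard library and flags any part whose decoded payload carries the DOS/PE "MZ" magic while its declared Content-Type is not an executable type. The page does not list the specific MIME types IE mishandled, so the check is deliberately broad, and the sample message, the "audio/x-wav" label and the EXECUTABLE_TYPES set are constructed values.

```python
import email
from email import policy
from email.message import EmailMessage

# Media types under which an executable would normally be declared
# (constructed list). Anything else carrying PE/MZ bytes is a mismatch.
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}

def looks_like_pe(data: bytes) -> bool:
    """DOS/PE executables start with the 'MZ' magic bytes."""
    return data[:2] == b"MZ"

def find_mismatched_executables(raw: bytes) -> list:
    """Parse an RFC 2045 message and return every body part whose decoded
    payload is a PE image but whose declared Content-Type is not an
    executable type. Each finding records the part index, the declared
    type and the filename so a gateway could quarantine the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if looks_like_pe(payload) and ctype not in EXECUTABLE_TYPES:
            findings.append({"part": idx, "declared_type": ctype,
                             "filename": part.get_filename()})
    return findings

def build_sample(declared_maintype: str, declared_subtype: str) -> bytes:
    """Constructed sample message: a fake 64-byte 'executable' (MZ magic
    plus zero padding, not a real program) attached under the given type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text.")
    fake_exe = b"MZ" + b"\x00" * 62
    msg.add_attachment(fake_exe, maintype=declared_maintype,
                       subtype=declared_subtype, filename="setup.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    # Declared as audio (constructed value) but carrying an MZ payload: flagged.
    print(find_mismatched_executables(build_sample("audio", "x-wav")))
    # Declared honestly as octet-stream: nothing reported.
    print(find_mismatched_executables(build_sample("application", "octet-stream")))
```

A real gateway would check more than the first two bytes (PE header offset, signatures), but the header/content comparison is the core of what a generic "suspicious exe" detection looks for.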
For those who want to dig deeper still, a longer and more complicated description of MIME can be found in the following RFCs:
Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies, see: http://www.faqs.org/rfcs/rfc2045.html
Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types, see: http://www.faqs.org/rfcs/rfc2046.html
MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text, see: http://www.faqs.org/rfcs/rfc2047.html
Multipurpose Internet Mail Extensions (MIME) Part Four: Registration Procedures, see: http://www.faqs.org/rfcs/rfc2048.html
Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance Criteria and Examples, see: http://www.faqs.org/rfcs/rfc2049.html
The MIME Multipart/Related Content-type, see: http://www.faqs.org/rfcs/rfc2387.html
Would IE always execute the attachment?
IE will only execute the attachment if File Downloads were enabled in the Security Zone that the e-mail was opened in. However, File Downloads are enabled in all zones by default.
For more information on how the Security Zone in Internet Explorer works, see: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q174360
What would this vulnerability enable an attacker to do?
If an attacker created an e-mail that exploits this
vulnerability, she could use it in an attempt to run the executable
attachment on another user’s computer. She could try
to do this through either of two scenarios. First, she could
host the HTML mail on her web site, and try to persuade the
user to visit it. Second, she could send the email directly
to the user.
What kind of actions could the attachment take if it ran?
The attachment would be able to take any action that
the user himself could take on his system. If he were an unprivileged
user, it might be able to do very little. However, if the
user were an administrator on his system, the attachment would
be able to do virtually anything, including reformatting the
hard drive.
Could an e-mail accidentally be created that would exploit this vulnerability?
No. To create such an e-mail, an attacker would need
to create an e-mail containing an executable attachment, then
deliberately edit the MIME headers in the mail to be one of
the affected types.
Does this vulnerability affect IE 6?
No. You can eliminate the vulnerability by upgrading to IE
6. However, if you are running Windows 95, 98, 98SE or ME,
you should be aware that you will need to install IE 6 in
a certain way. Specifically, you will need to choose either
the Full Install or Typical Install option. (The default installation
type is Typical Install). If you choose Minimal Install or
Custom Install, the files containing the vulnerability might
not be upgraded, and your system could remain vulnerable.
Customers running Windows NT 4.0, Windows 2000, or Windows XP do not need to concern themselves with this contingency, as IE 6 does not provide either a Minimal or Custom Install option when installing on these systems. Any upgrade to IE 6 on one of these systems would fully eliminate the vulnerability. More information on this is available in Knowledge Base article Q308411.
Recommended Action
If you are using Internet Explorer 6 or above, you are probably safe against this threat; however, you will want to review the installation caveats described above.