A vulnerability in the Microsoft browser Internet Explorer, which lies in an error in the handling of MIME commands in e-mail messages, is one of the flaws most widely used by virus writers to spread their creations as rapidly as possible. Klez.I is a clear example of the danger of this vulnerability, as this malicious code has been causing damage to users’ computers for the last twelve months.
MIME (Multipurpose Internet Mail Extensions) is a system that allows images, programs or any other type of file that is not plain text to be included in e-mail messages. When this happens, the MIME specification generates lines in the message header that specify the file type, its size, the different parts, etc.
This vulnerability lies in the fact that many e-mail clients do not correctly process certain MIME formats. As a result, if the e-mail message header is modified so that its fields contain special characters, it can cause an attachment to run automatically, without the user being able to prevent it. An example of this is the file carrying Klez.I, which passes itself off as a sound file. By doing this, it tricks the browser into believing that the file that it is going to run is ‘healthy’, whereas it actually runs a file containing the worm.
Panda Software antivirus solutions can detect if the e-mail message header has been modified to exploit this MIME vulnerability. Thanks to this feature, even if the e-mail client is affected by this problem, the attached file will not be run.
These solutions are capable of detecting not only this vulnerability, but also many other flaws that future viruses could exploit in order to spread. For example, files that are not written in plain text could be sent as plain text if encoded using the BASE64 or UUEncode (Unix to Unix Encode) systems. If the characters 00h were inserted at the beginning of a BASE64 encoded file, an antivirus may not scan the file, as it could consider it corrupt, whereas the mail reader might be able to ‘fix’ this error and display the file or even run it. The same problem arises with some mail readers if certain MIME fields contain more than 4,101 characters.
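The three anomalies described above can be checked on the raw message before any mail client touches it. The following is an added example, not Panda Software's code: it flags a declared media type that disagrees with the attachment's file name, 00h bytes in front of a BASE64 body, and header fields longer than 4,101 characters. Assumptions: the function name, the extension and media-type lists, and reading "passes itself off as a sound file" as an audio type declared on an executable file name; the sample message is constructed and carries a harmless payload.

```python
import email
from email import policy

MAX_FIELD_LEN = 4101  # length limit the article cites for MIME fields
# Assumption: extensions treated as executable (list is not from the article).
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
DATA_TYPES = ("audio", "image", "video", "text")  # assumed non-executable types

def audit_message(raw: bytes) -> list[str]:
    """Return findings for the header and encoding anomalies described above."""
    findings = []
    # compat32 keeps headers and bodies as sent, without repairing them.
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    for part in msg.walk():
        # 1. Any header field longer than the cited limit.
        for name, value in part.items():
            if len(str(value)) > MAX_FIELD_LEN:
                findings.append(f"overlong-field:{name}")
        if part.is_multipart():
            continue
        # 2. Declared media type disagrees with the attachment's file name.
        fname = (part.get_filename() or "").lower()
        if part.get_content_maintype() in DATA_TYPES and fname.endswith(EXEC_EXT):
            findings.append(f"type-mismatch:{part.get_content_type()}:{fname}")
        # 3. NUL (00h) bytes in front of a BASE64 body: inspect the raw,
        #    undecoded payload, because a lenient decoder would skip them.
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        body = part.get_payload()
        if cte == "base64" and isinstance(body, str) \
                and body.lstrip("\r\n").startswith("\x00"):
            findings.append("nul-before-base64")
    return findings

# Constructed sample: benign payload ("hello") with a declared audio type,
# an .exe file name and two NUL bytes before the BASE64 text.
SAMPLE = (
    b"From: sender@example.test\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: audio/x-wav\r\n"
    b'Content-Disposition: attachment; filename="song.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"\x00\x00aGVsbG8=\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for finding in audit_message(SAMPLE):
        print(finding)
```

A gateway would quarantine or strip any part that produces a finding rather than trust the receiving client to handle it safely.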