"LISTSERV site administrators' forum" <[log in to unmask]>
wrote on 05/12/2004 05:54:20 AM:

> after having tested F-SECURE's AV-checking i'm still not really
> satisfied with the results. for example :
>
> if i'm scanning old listserv-archives it gives the following report :
>
>    '....\listname.logyymm Infection: Exploit.IFrame.FileDownload'
>
> in principle this would be enough information, however this isn't
> reliable. i've scanned and read the file manually and i can't find any
> virus in it (only some quoted/printable text).
>
> does anyone have any ideas how i can make the fsecure-report more
> reliable ??

From the top of my head, I think IFrame vulnerabilities go out to the net
to download the actual infected file without user intervention other than
simply opening the message.

Look for the text string "iframe" in the archive file and look for any
suspicious URLs following it.
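
The search suggested above, as an added example that is not part of the original thread: the archive is quoted-printable decoded first, because in that encoding a tag can be split by a soft line break and `=` appears as `=3D`, so a plain text search or a manual read can miss it. The sample archive, the function name and the `downloads.example` URL are constructed for illustration, and decoding the whole file as quoted-printable is an assumption made for scanning purposes.

```python
import quopri
import re

# Constructed sample: one archived message whose HTML body is quoted-printable
# encoded. The tag is split by a soft line break ("=" at end of line) and "="
# is written as "=3D", so a plain text search for "<iframe" finds nothing.
SAMPLE_ARCHIVE = (
    b"Subject: hello\n"
    b"Content-Type: text/html\n"
    b"Content-Transfer-Encoding: quoted-printable\n"
    b"\n"
    b"<html><body>Hi<ifr=\n"
    b'ame src=3D"http://downloads.example/a.eml" height=3D0 width=3D0></ifr=\n'
    b"ame></body></html>\n"
)

IFRAME_TAG = re.compile(rb"<\s*iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(rb"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_iframe_urls(raw: bytes):
    """Return [(url, tag_visible_in_raw_text)] for every <iframe> with a src."""
    decoded = quopri.decodestring(raw)  # undoes =XX escapes and soft line breaks
    hits = []
    for tag in IFRAME_TAG.finditer(decoded):
        src = SRC_ATTR.search(tag.group(0))
        if src:
            url = src.group(1).decode("latin-1")
            # False means the tag only appears once the encoding is undone.
            hits.append((url, tag.group(0) in raw))
    return hits


if __name__ == "__main__":
    for url, visible in find_iframe_urls(SAMPLE_ARCHIVE):
        note = "" if visible else " (only visible after quoted-printable decoding)"
        print(f"iframe src: {url}{note}")
```

To check a real archive, pass the file's bytes (opened in binary mode) to `find_iframe_urls` and review each reported URL by hand.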