excellent ! thanks
-ulrich-


>>From the top of my head, I think IFrame wulernabilities go out to the net
> to download the actual infected file without user intervention other than
> simply opening the message.
>
> Look for the text string "iframe" in the archive file and look for any
> suspicious URLs following it.
>