excellent ! thanks -ulrich- >>From the top of my head, I think IFrame wulernabilities go out to the net > to download the actual infected file without user intervention other than > simply opening the message. > > Look for the text string "iframe" in the archive file and look for any > suspicious URLs following it. >