Nimda is a worm that uses multiple methods to automatically infect other computers. It can replicate through email using an exploit that was made public months before Nimda hit, the MIME Header exploit. BadTrans.B is a mass-mailing worm that distributes itself using the MIME Header exploit. BadTrans.B first appeared after the Nimda outbreak.
With their highly rapid infection rate, both Nimda and BadTrans.B took antivirus vendors by surprise. Though the vendors tried to issue definition file updates as soon as they learned about each virus, the virus had already succeeded in infecting a large number of PCs by the time the antivirus updates were released.
Though both viruses used the same exploit, antivirus vendors had to issue a separate definition file update for each. In contrast, an email exploit detection engine would have recognized the exploit used and identified the attempt to automatically launch an executable file using the MIME header exploit. As a result, it would have blocked both worms automatically, preventing infection.
Other examples of exploits
Double extension vulnerability Viruses: Klez, Netsky and Lovegate.
What it does: Malicious files are given a double extension such as filename.txt.exe to trick the user into running the executable.
URL spoofing exploit
Viruses: No virus/worm has been found to be using this method. However it has been used to inject backdoors on Windows computers.
What it does: Allows spammers and phishers (scammers, or people trying to defraud computer users) to fool users to visit a malicious website instead of a legitimate one.
Object data file execution Viruses: Bagle.Q.
What it does: Allows attackers to automatically infect unpatched versions of Internet Explorer/Outlook (Express) by downloading and executing code from an HTTP site.
The GFI MailSecurity exploit engine
The exploit engine configuration in GFI MailSecurity
Why you need an email exploit detection engine