base64 encoding/klez?

Michael Chaney mdchaney at MICHAELCHANEY.COM
Tue Jun 11 02:45:11 IST 2002

On Mon, Jun 10, 2002 at 05:45:59PM -0500, ISP List wrote:
> When a customer receives a message that had the Klez virus that I am
> assuming was base64 encoded, the user gets the usual "virus found" message
> and the attached virusfound.txt file, that says:
>     /17HXoY-000AMo-00/bgcolor.pif        Found the W32/Klez.h at MM virus
>     Shortcuts to MS-Dos programs are very dangerous in email in bgcolor.pif
> However, in the *body* of the email, this appears:
> Content-Type: application/octet-stream;
>         name=PerformFlightSearch[1].htm
> Content-Transfer-Encoding: base64
> Content-ID: <IxxUSj6h5x1FNh71xh5>
> bmFsLy9FTiI+CjxodG1sPgo8aGVhZD4KPHRpdGxlPk9yYml0ejogRmxpZ2h0IFNlYXJjaCBS
> ZXN1bHRzLSBEb21lc3RpYzwvdGl0bGU+CjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0
> IiBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgc3JjPSIvaW5jbHVkZS9icm93c2VyX2RldGVjdC5q

If you'll check it you'll find that it isn't infected.  Klez seems to
attach a couple of files, and (at least with F-Prot) the infected one is
cleaned and sent on.

Michael Darrin Chaney
mdchaney at
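
One way to do the check suggested in the reply, as an added example that is not part of the original thread: parse the quoted MIME part with Python's standard `email` module, undo the base64 transfer encoding, and look at what the bytes actually are. The names `QUOTED_PART`, `classify` and `inspect_part` are this example's own, and the blank line separating headers from body is restored by assumption because the quote dropped it.

```python
from email import message_from_string

# The MIME part exactly as quoted above, plus the header/body blank line that
# MIME requires. The quote starts partway into the attachment, so the decoded
# text also starts mid-file.
QUOTED_PART = (
    "Content-Type: application/octet-stream;\n"
    "        name=PerformFlightSearch[1].htm\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-ID: <IxxUSj6h5x1FNh71xh5>\n"
    "\n"
    "bmFsLy9FTiI+CjxodG1sPgo8aGVhZD4KPHRpdGxlPk9yYml0ejogRmxpZ2h0IFNlYXJjaCBS\n"
    "ZXN1bHRzLSBEb21lc3RpYzwvdGl0bGU+CjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0\n"
    "IiBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgc3JjPSIvaW5jbHVkZS9icm93c2VyX2RldGVjdC5q\n"
)


def classify(data: bytes) -> str:
    """Coarse content check; a triage aid, not a replacement for a scanner."""
    if data[:2] == b"MZ":  # DOS/PE executable header
        return "executable"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    printable = all(c.isprintable() or c in "\r\n\t" for c in text)
    return "text" if printable else "binary"


def inspect_part(raw: str) -> dict:
    """Parse one MIME part, undo its transfer encoding, and summarise it."""
    part = message_from_string(raw)
    data = part.get_payload(decode=True)  # honours Content-Transfer-Encoding
    return {
        "name": part.get_param("name"),
        "declared_type": part.get_content_type(),
        "kind": classify(data),
        "preview": data[:60].decode("ascii", errors="replace"),
    }


if __name__ == "__main__":
    for key, value in inspect_part(QUOTED_PART).items():
        print(f"{key}: {value!r}")
```

The decoded bytes are the head of an HTML page, labelled `application/octet-stream` but containing no executable header, which is why the scanner had nothing to flag in this part.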

