base64 encoding/klez?
Michael Chaney
mdchaney at MICHAELCHANEY.COM
Tue Jun 11 02:45:11 IST 2002
On Mon, Jun 10, 2002 at 05:45:59PM -0500, ISP List wrote:
> When a customer receives a message that had the Klez virus that I am
> assuming was base64 encoded, the user gets the usual "virus found" message
> and the attached virusfound.txt file, that says:
>
> /17HXoY-000AMo-00/bgcolor.pif Found the W32/Klez.h at MM virus
> Shortcuts to MS-Dos programs are very dangerous in email in bgcolor.pif
>
> However, in the *body* of the email, this appears:
>
> Content-Type: application/octet-stream;
> name=PerformFlightSearch[1].htm
> Content-Transfer-Encoding: base64
> Content-ID: <IxxUSj6h5x1FNh71xh5>
>
> CjwhZG9jdHlwZSBodG1sIHB1YmxpYyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlv
> bmFsLy9FTiI+CjxodG1sPgo8aGVhZD4KPHRpdGxlPk9yYml0ejogRmxpZ2h0IFNlYXJjaCBS
> ZXN1bHRzLSBEb21lc3RpYzwvdGl0bGU+CjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0
> IiBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgc3JjPSIvaW5jbHVkZS9icm93c2VyX2RldGVjdC5q
If you'll check it you'll find that it isn't infected. Klez seems to
attach a couple of files, and (at least with F-Prot) the infected one is
cleaned and sent on.
Michael
--
Michael Darrin Chaney
mdchaney at michaelchaney.com
http://www.michaelchaney.com/
More information about the MailScanner
mailing list