base64 encoding/klez?

Randy Fishel randyf at SIBERNET.COM
Tue Jun 11 05:15:21 IST 2002


  Klez mostly works by making the mailer decode an HTML document, and
hence automatically executing the attached virus.  No need to click on the
attachment as Outlook (at least an unpatched one) will choose to decode
the file and run any programs associated with it.  So most Outlook users
won't even know they have already infected themselves.

  If you decoded the attachment, you should see how this works (another
fine reason to NOT use HTML encoding in e-mail).


On Tue, 11 Jun 2002, Nick Phillips wrote:

> On Mon, Jun 10, 2002 at 09:58:48PM -0500, ISP List wrote:
>
> > I don't doubt that it has been cleaned, but the odd thing is that it
> > appears in the *body* of the message and is not an attachment at all.  It
> > only happens with Klez it seems.  I don't understand why it isn't being
> > treated like any other attachment.
>
> Klez does weird things and, it seems, often doesn't do MIME properly.
>
> It could be that Klez has randomly inserted the file into the body rather
> than as an attachment, and then been cleaned from wherever it was, leaving
> just its debris.
>
>
> Cheers,
>
>
> Nick
> --
> Nick Phillips -- nwp at lemon-computing.com
> Tomorrow, you can be anywhere.
>
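
The symptom discussed in this thread, encoded data showing up in the readable body because the sender's MIME structure is broken, can be checked for mechanically. The Python sketch below is an added example, not part of the original posts or of MailScanner; the function names, the run-length threshold and the sample message are constructed for illustration.

```python
import base64
import email
import re
from email import policy

# One full-width line of base64 text as MIME encoders emit it (60-76 chars).
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{60,76}={0,2}$")

def base64_runs(text, min_lines=4):
    """Return the length of each run of >= min_lines consecutive base64-looking lines."""
    runs, count = [], 0
    for line in text.splitlines() + [""]:      # sentinel flushes a trailing run
        if B64_LINE.match(line.strip()):
            count += 1
            continue
        if count >= min_lines:
            runs.append(count)
        count = 0
    return runs

def inspect_message(raw):
    """Report MIME parser defects and encoded blobs sitting in readable body text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        findings += [("mime-defect", type(d).__name__) for d in part.defects]
        if part.is_multipart():
            continue
        # Scan text parts, plus "multipart" parts the parser could not split.
        if part.get_content_maintype() in ("text", "multipart"):
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            for n in base64_runs(body):
                findings.append(("base64-in-body", part.get_content_type(), n))
    return findings

def constructed_sample():
    """Constructed message: declares multipart but gives no boundary; blob in body."""
    blob = base64.encodebytes(b"constructed sample payload, not malware " * 12)
    return (b"From: a@example.com\nTo: b@example.com\nSubject: test\n"
            b"MIME-Version: 1.0\nContent-Type: multipart/mixed\n\n"
            b"Some readable text.\n" + blob)

if __name__ == "__main__":
    for finding in inspect_message(constructed_sample()):
        print(finding)
```

A message that triggers both finding types matches what Nick describes: the encoded file was never wrapped as a proper attachment part, so a scanner that only looks at attachments has nothing to treat as one.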


