Virus Klez.H and McAfee

Julian Field jkf at
Thu May 9 10:18:31 IST 2002

At 13:51 08/05/2002, you wrote:
>Freerk Kalsbeek wrote:
> > I've seen a similar problem here.
> > Klez is also detected in my setup with Sophos. I receive an HTML formatted
> > email indicating that I can read details in the attachment virusalert.txt,
> > but the attachment is not there.
>I had one this morning which was disinfected but all I see (in Netscape
>Messenger) is a base64 encoded attachment. My guess is that the original
>message uses slightly iffy MIME tags and Julian's insertion of the warning
>doesn't quite work. I've still got what was left if anyone who understands
>MIME or MailScanner better than I wants to look at it?

The Klez worm creates a "multipart/alternative" email message, which is a
right royal pain. I insert all the relevant bits into the email message.
But the email client program (Outlook in this case) doesn't know which of
the alternatives to display and so just displays the last one, which isn't
the VirusWarning.txt (because the VirusWarning.txt is the replacement for
the actual virus code, and so it has to be inserted there).

So with this worm, depending on the email client, you might see some base64
encoded text (harmless), or a virus warning.

Unfortunately I'm not prepared to get into the mire of writing code to
handle one virus differently from all the others, as that is just
unreliable and impossible to maintain.
