File attachment: OF THIS.exe
The file attached to this email was removed because it was infected with the W32.Klez.H@mm virus.

Those of you running Windoze without virus scanning should take note... that mail was infected with W32.Klez.H@mm. Nasty little critter.

More info here: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

Dylan

On Wed, Apr 02, 2003 at 08:00:22PM -0800, Dylan Reinhardt wrote:
> Those of you running Windoze without virus scanning should take note... that mail was infected with W32.Klez.H@mm. Nasty little critter.
>
> More info here: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

Actually, it isn't; the zope.org simple scanner that Greg Ward built keeps Klez out, but this one isn't caught by it. It's an IFrame exploit virus as well, though (like Klez).

I am working on getting a decent filter; anyone have a compressed sample for me?

--
Martijn Pieters
| Software Engineer mailto:mj@zope.com
| Zope Corporation http://www.zope.com/
| Creators of Zope http://www.zope.org/
---------------------------------------------

On Thu, Apr 03, 2003 at 09:46:43AM -0500, Martijn Pieters wrote:
> On Wed, Apr 02, 2003 at 08:00:22PM -0800, Dylan Reinhardt wrote:
>> Those of you running Windoze without virus scanning should take note... that mail was infected with W32.Klez.H@mm. Nasty little critter.
>>
>> More info here: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
>
> Actually, it isn't; the zope.org simple scanner that Greg Ward built keeps Klez out, but this one isn't caught by it. It's an IFrame exploit virus as well, though (like Klez).

Okay, I take that back; it *was* a klez.h, but an upstream virus cleaner already tried to defang it, did this in a very ineffective way *and then sent it on its way anyway*.

There is an inserted 'virus removed' text in there, with the filename partially overwritten (the last 'e"' of the "whatever.exe" filename is still there), and then the *next* attachment contains a non-executable copy of the virus file. As it wasn't executable, our virus filter let it through. Many other virus filters of list subscribers did pick up on the last attachment and bombarded me with quarantine and mail bounce messages.. *sigh*.

So, to summarize, I *think* this one is defanged and harmless, but I am taking actions against such emails anyway.

--
Martijn Pieters
| Software Engineer mailto:mj@zope.com
| Zope Corporation http://www.zope.com/
| Creators of Zope http://www.zope.org/
---------------------------------------------

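An added example, not part of the thread and not the zope.org scanner: a sketch of a list-side check for the failure mode described above, where a filter that only looks at attachment names passes a message that an upstream cleaner has already rewritten. Assumptions: the notice phrase is the one quoted at the top of this thread, the extension list is illustrative, "non-executable copy" is read as executable content under a non-executable name, and the sample message (including the name "OF THIS.dat") is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import os.path

# Phrase copied from the removal notice quoted at the top of this thread.
NOTICE_MARKER = "was removed because it was infected"
# Assumed block list for a name-based filter (not zope.org's actual list).
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}

def inspect_message(raw: bytes) -> set[str]:
    """Return the reasons a message should be held for review."""
    findings = set()
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if part.get_content_maintype() == "text":
            if NOTICE_MARKER in payload.decode("utf-8", "replace").lower():
                findings.add("upstream-scanner-notice")
        if ext in EXEC_EXTS:
            findings.add("executable-name")
        # Content check: DOS/PE executables start with the bytes "MZ",
        # whatever the attachment is called.
        if payload[:2] == b"MZ" and ext not in EXEC_EXTS:
            findings.add("executable-content-under-other-name")
    return findings

def build_sample() -> bytes:
    """Constructed message shaped like the one described in the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "list@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content(
        "File attachment: OF THIS.exe\n"
        "The file attached to this email was removed because it was "
        "infected with the W32.Klez.H@mm virus.\n")
    # Harmless stand-in: only the two magic bytes plus padding.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="OF THIS.dat")
    return msg.as_bytes()

if __name__ == "__main__":
    print(sorted(inspect_message(build_sample())))
```

A name-only filter reports nothing for this sample; holding any message with a non-empty result covers both the leftover notice and the renamed payload.
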
participants (3)
- Dylan Reinhardt
- dywang
- Martijn Pieters