[Zope] Agreement and PSF - **virus**

Martijn Pieters mj@zope.com
Thu, 3 Apr 2003 10:19:37 -0500


On Thu, Apr 03, 2003 at 09:46:43AM -0500, Martijn Pieters wrote:
> On Wed, Apr 02, 2003 at 08:00:22PM -0800, Dylan Reinhardt wrote:
> > Those of you running Windoze without virus scanning should take note...
> > that mail was infected with W32.Klez.H@mm.  Nasty little critter.
> > 
> > More info here:
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
> 
> Actually, it isn't; the zope.org simple scanner that Greg Ward built keeps
> Klez out, but this one isn't caught by it. It's an IFrame exploit virus as
> well, though (like Klez).

Okay, I take that back; it *was* a klez.h, but an upstream virus cleaner
already tried to defang it, did this in a very ineffective way *and then
sent it on its way anyway*.

There is an inserted 'virus removed' text in there, with the filename
partially overwritten (the last 'e"' of the "whatever.exe" filename is still
there), and then the *next* attachment contains a non-executable copy of
the virus file.

As it wasn't executable, our virus filter let it through. Many other virus
filters of list subscribers did pick up on the last attachment and
bombarded me with quarantine and mail bounce messages.. *sigh*.

So, to summarize, I *think* this one is defanged and harmless, but I am
taking actions against such emails anyway.

-- 
Martijn Pieters
| Software Engineer  mailto:mj@zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------