On Fri, Oct 11, 2002 at 01:44:45PM -0700, David Fetrow wrote:
> > Just for the record: My copy of F-Prot ID's it as W32/CIH.1049, not Klez
>
> A Chernobyl Variant. Chernobyl's have been known to attempt
> a flash BIOS overwrite and a garbage overwrite to the hard drive;
> usually on some specific date after being pretty quiescent until
> then.

Klez.H has been known to carry W95.CIH.1049. See:

http://news.com.com/2100-1001-900050.html

My own ID was based on more crude means. The header had pretty standard Klez fingerprints:

Received: from unknown (HELO Cznlsidrv)

bogus HELO hostname of random letters, first letter capitalized.

The body had

Content-Type: application/octet-stream

with a "name" parameter indicating a .jpg file, while my MUA indicated the payload contained a file called "width.exe".

"Eager to see you" subject is a familiar Klez subject line.

> If that's what it is and there is even a slight chance you were
> infected, now would be a good time to run a virus scan.

No kidding!

It might also be a good time for the lprng list to consider filtering out and sidelining any post with

Content-Type: multipart/alternative

in the headers, and

Content-Type: application/octet-stream

in the body. Or doing something more sophisticated.

--
-----------------------------------------------------------------
Dan Wilder <[EMAIL PROTECTED]> Technical Manager
SSC, Inc. P.O. Box 55549 Phone: 206-782-8808
Seattle, WA 98155-0549 URL http://www.linuxjournal.com/
-----------------------------------------------------------------
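The filtering idea suggested in the message above, sketched as an added example that is not part of the original post or of any list software. The function name `sideline_reasons`, the executable-extension list, the assumption that the real file name is carried in Content-Disposition, and the sample message are all constructed for illustration.

```python
import email
import os
import re
from email.utils import collapse_rfc2231_value

# Assumption: which extensions count as executable; this list is not from the post.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}
# Dot-less HELO name made only of letters, first letter capitalized.
HELO_RE = re.compile(r"\(HELO ([A-Z][a-z]+)\)")

def _ext(value):
    """Lower-cased extension of a MIME parameter value, '' if absent."""
    return os.path.splitext(collapse_rfc2231_value(value))[1].lower() if value else ""

def sideline_reasons(raw):
    """Return the reasons a raw message (bytes) should be held for review."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if any(HELO_RE.search(str(h)) for h in msg.get_all("Received", [])):
        reasons.append("dot-less capitalized HELO name")
    for part in msg.walk():
        if part.get_content_type() != "application/octet-stream":
            continue
        if msg.get_content_type() == "multipart/alternative":
            reasons.append("octet-stream part in multipart/alternative")
        # Assumption: the MUA took the real name from Content-Disposition.
        declared = _ext(part.get_param("name"))
        actual = _ext(part.get_param("filename", header="content-disposition"))
        if declared and actual and declared != actual:
            reasons.append(f"name says {declared}, filename says {actual}")
        if EXECUTABLE_EXTS & {declared, actual}:
            reasons.append("executable attachment")
    return reasons

# Constructed sample shaped like the message described in the post.
SAMPLE = b"""Received: from unknown (HELO Cznlsidrv) by mx.example.org
Subject: Eager to see you
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html

<html><body></body></html>
--b1
Content-Type: application/octet-stream; name="width.jpg"
Content-Disposition: attachment; filename="width.exe"

(payload omitted)
--b1--
"""
```

A non-empty return value means the post would be sidelined for a moderator rather than delivered to the list.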
