Klez sneaks by POP3 Scanner

Discussion in 'NOD32 version 1 Forum' started by harrier47, Jan 19, 2003.

Thread Status:
Not open for further replies.
  1. harrier47

    harrier47 Registered Member

    Joined:
    Jan 19, 2003
    Posts:
    2
    Location:
    Pacific Northwest USA
    So, I get this "Undeliverable Mail" from "Postmaster at AOL."

    No alarms go off, but it has two harmless attachments, and a third, a small file named "PAS" no extension. I save it to disk, check with NOD32, to find it ID'd as Win32/JKlez.

    Now, I assume it got by the POP3 scanner since it had no extension. Is it launchable without an extension? (I didn't try it, it's gone now.)

    J Smith
     
  2. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Klez usually travels as a self-executing script in the body of an email. It sounds like your attachment was the Klez script in non-executable form. NOD32 would ignore it unless you scanned for files without extensions, as it was harmless in that state.
     
  3. harrier47

    harrier47 Registered Member

    Joined:
    Jan 19, 2003
    Posts:
    2
    Location:
    Pacific Northwest USA
    Thankee, sir. I suspected as much, but hadn't encountered this particular wrinkle to the pesky Klez.

    J Smith
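
The thread turns on a scanner choosing what to inspect by file extension. The following is an added example, not part of the thread and not NOD32's code: a mail triage routine that also selects attachments by content, so an extensionless file such as "PAS" is still picked up. The extension list, the PE-header check as the content test, and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension list for an extension-driven scanner (not NOD32's real list).
SCANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[offset:offset + 4] == b"PE\0\0"

def triage(raw: bytes):
    """Return (filename, selected_by_extension, selected_by_content) per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        results.append((name, ext in SCANNED_EXTENSIONS, looks_like_pe(data)))
    return results

def build_sample() -> bytes:
    """Constructed message: two inert attachments plus an extensionless header stub."""
    # Header bytes only, built for this example; not a runnable program.
    stub = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
    msg = EmailMessage()
    msg["Subject"] = "Undeliverable Mail"
    msg.set_content("Constructed sample body.")
    for name, data in (("note.txt", b"plain text"),
                       ("log.htm", b"<html></html>"),
                       ("PAS", stub)):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, by_ext, by_content in triage(build_sample()):
        print(f"{name:10} extension-selected={by_ext} content-selected={by_content}")
```

In the constructed sample, the extension filter selects none of the three attachments, while the content check selects only "PAS".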
     