[Mimedefang] New MIME tricks from Klez?

Nels Lindquist nlindq at maei.ca
Tue Aug 6 12:56:01 EDT 2002


I came in this morning after the long weekend to find that MIMEDefang 
had been *extremely* busy.  Lots and lots of Klez being quarantined.

My mimedefang-filter is set up to scan the entire message for viruses 
in filter_begin(), and then scan each attachment in filter(), 
quarantining any parts which contain viruses.

In the majority of altered messages in my inbox, the original Klez-
generated mail has two attachments, one of which is detected and 
quarantined.  The other remains, although my Windoze mail client 
doesn't see it.  I'm not using a MS client, however, and I'm a bit 
worried that some of my users who *are* might be affected.

Is this something new from Klez, or is this simply part of the MIME-
encoding problems which can't be overcome with MIME-tools, etc.?

Near as I can tell, the messages are multipart, with a text/html part 
containing both a copy of the virus and an <iframe> reference to an 
inline attachment with *another* copy of the virus.  The virus within 
the first part is detected and stripped, but the Content-Disposition: 
inline part is not.

Any ideas?

I can forward some examples to interested parties, but unfortunately 
they've already been munged by MIMEDefang, so I don't know exactly 
what the originals looked like.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
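An added example (not part of the original post or of MIMEDefang itself) that walks a message of the shape described above and shows why a filter must treat every leaf part as a candidate for scanning, not only those flagged Content-Disposition: attachment. The message bytes, the Content-ID and the file name are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
# Constructed sample shaped like the post's description: an HTML part whose <iframe> points (via cid:) at a second, inline part.
SAMPLE = b"""From: sender@example.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>hi<iframe src="cid:part2@example.test"></iframe></body></html>
--B1
Content-Type: application/octet-stream; name="sample.bin"
Content-ID: <part2@example.test>
Content-Disposition: inline; filename="sample.bin"
Content-Transfer-Encoding: base64

QUJDRA==
--B1--
"""

IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)

def inventory(raw: bytes) -> list:
    """Every leaf part, its disposition, and whether an HTML <iframe> references it by cid."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(IFRAME_CID.findall(part.get_content()))
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        parts.append({
            "content_type": part.get_content_type(),
            "disposition": part.get_content_disposition(),  # 'inline', 'attachment' or None
            "filename": part.get_filename(),
            "content_id": cid or None,
            "referenced_by_iframe": bool(cid) and cid in referenced,
        })
    return parts

def missed_by_attachment_only_scan(parts: list) -> list:
    """Non-text leaf parts a filter skips if it only inspects Content-Disposition: attachment."""
    return [p for p in parts if p["disposition"] != "attachment"
            and not p["content_type"].startswith("text/")]
```

Running `inventory(SAMPLE)` lists both leaf parts; the second is inline, referenced by the iframe, and is exactly what `missed_by_attachment_only_scan` reports as unscanned.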
