[XviD-devel] Someone has a virus

Christoph Lampert chl at math.uni-bonn.de
Tue Feb 11 14:55:36 CET 2003


Hi,

Somebody connected to XVID seems to have a W32/Klez.h virus;
maybe he recognizes himself from this description. My first
assumption is:
T-Online user, IP on Tuesday, 11th, 14:50 is 217.81.4.170,
maybe some connection to maxhost.de?

Must have the XVID file changelog.txt on his disk (22591 bytes).

I just got an e-mail from him with header: 

Received: from [62.67.195.155] (helo=max1.maxhost.de)
        by mx09.web.de with esmtp (WEB.DE(Exim) 4.95 #31)
        id 18iaYY-0005Vc-00
        for gruel at web.de; Tue, 11 Feb 2003 14:34:38 +0100
Received: from Zplzbkib (pD95104AA.dip.t-dialin.net [217.81.4.170])
        by max1.maxhost.de (Postfix) with SMTP id 69C2F443063
        for <gruel at web.de>; Tue, 11 Feb 2003 14:32:16 +0100 (CET)

Information on Klez.h (in German) is available at
http://www.tu-berlin.de/www/software/virus/aktuell.shtml
(see "April 2002") 

You can detect it from the existence of the files

Wqk.exe and Wink????.exe in   \Windows\System[32]\

Antivirus e.g. at
http://www.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

Hope that stops it.

gruel 
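
Added example, not part of the original message: a Python sketch that reads the two Received headers quoted above oldest-first, separates the name the sending client announced from the peer IP the receiving server logged, and checks that the relay names line up between hops. The function names parse_hops and chain_consistent are hypothetical.

```python
import re
from email import message_from_string

# Received headers copied from the message above; the list archive has
# rewritten "@" as " at ", which does not affect the fields parsed here.
RAW_HEADERS = """\
Received: from [62.67.195.155] (helo=max1.maxhost.de)
        by mx09.web.de with esmtp (WEB.DE(Exim) 4.95 #31)
        id 18iaYY-0005Vc-00
        for gruel at web.de; Tue, 11 Feb 2003 14:34:38 +0100
Received: from Zplzbkib (pD95104AA.dip.t-dialin.net [217.81.4.170])
        by max1.maxhost.de (Postfix) with SMTP id 69C2F443063
        for <gruel at web.de>; Tue, 11 Feb 2003 14:32:16 +0100 (CET)

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return the Received hops oldest-first (each relay prepends its header)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())              # unfold continuation lines
        info, sep, stamp = text.rpartition(";")
        if not sep:                                 # header without a timestamp
            info, stamp = text, ""
        sender, _, receiver = info.partition(" by ")
        words, ip = sender.split(), IP_RE.search(sender)
        hops.append({
            "claimed": words[1] if len(words) > 1 else None,  # token after "from"
            "peer_ip": ip.group(1) if ip else None,  # address the receiving MTA logged
            "sender_text": sender,
            "by": receiver.split()[0] if receiver else None,
            "stamp": stamp.strip(),
        })
    return hops[::-1]

def chain_consistent(hops):
    """True if every relay that wrote a header is named as the sender one hop later."""
    return all(older["by"] and older["by"] in newer["sender_text"]
               for older, newer in zip(hops, hops[1:]))

if __name__ == "__main__":
    hops = parse_hops(RAW_HEADERS)
    for h in hops:
        print(h["stamp"], "|", h["claimed"], h["peer_ip"], "->", h["by"])
    print("chain consistent:", chain_consistent(hops))
```

Only the topmost header was written by the recipient's own mail server; the older one is reported by the upstream relay and is taken on trust.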



