In my last POP3 download, I received two apparently Klez-bearing messages totaling 289 KB; both had a Return-Path ending in .il, just like the one you (Sam Heywood) received.
I notice something special in the pattern of these messages, a line <iframe src=cid:... in the HTML part and a matching Content-ID in the attachment subheaders, such as is used to show where to place a graphic image in a document. Maybe this method is used to direct a susceptible email client to execute the attachment regardless of its name in the attachment subheaders? In the example you gave:

--S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:H937A1aH013z438O height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>
--S2u3V1Y75pRw4I6W11S19YX45174rQC36Qy
Content-Type: audio/x-midi;
name=photochildsmiling[1]~exe
Content-Transfer-Encoding: base64
Content-ID: <H937A1aH013z438O>

[DELETED KLEZ.H VIRUS]
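A mail filter can check for the pattern described in the post above: an HTML part whose iframe points at a cid: that matches the Content-ID of a non-image or executable-named part. The following is an added example, not part of the original post; the sample message, its boundary, Content-ID and filename are constructed placeholders, and the extension list is a hypothetical, non-exhaustive choice.

```python
import re
from email import message_from_string, policy

# Constructed sample with the structure quoted in the post. Boundary, Content-ID,
# filename and payload are placeholders; the payload decodes to "PLACEHOLDER".
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:CID0001 height=3D0 width=3D0></iframe></BODY></HTML>
--BOUNDARY
Content-Type: audio/x-midi; name="sample.exe"
Content-Transfer-Encoding: base64
Content-ID: <CID0001>

UExBQ0VIT0xERVI=
--BOUNDARY--
"""

# cid: targets of <iframe> elements (an inline picture would use <img> instead)
IFRAME_CID = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?cid:([^\s"\'>]+)', re.I)
# Assumption: a short, non-exhaustive list of extensions Windows runs as programs
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com")

def find_iframe_cid_attachments(raw):
    """Return (cid, declared_type, filename) for parts an HTML iframe points at
    via cid: whose name looks executable or whose type is not image/*."""
    msg = message_from_string(raw, policy=policy.default)
    refs, parts = set(), {}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes quoted-printable, so "=3D" becomes "="
            refs.update(IFRAME_CID.findall(part.get_content()))
        cid = part.get("Content-ID")
        if cid:
            parts[str(cid).strip().strip("<>")] = part
    hits = []
    for cid in sorted(refs & parts.keys()):
        part = parts[cid]
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT) or part.get_content_maintype() != "image":
            hits.append((cid, part.get_content_type(), name))
    return hits

if __name__ == "__main__":
    print(find_iframe_cid_attachments(SAMPLE))
```

The check reads the filename from either Content-Disposition or the name parameter of Content-Type, so a declared type such as audio/x-midi paired with an executable name is reported together in one tuple.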
