  1. #1
    2 Star Lounger

    Klez virus attachment (2002 SP-1)

    I have received a dozen emails during the last 2 days with the attachment infected with a Klez virus.
    My Norton AV program detects them.
    The sender field is different for every email but makes no sense anyways.
    Is there any way that I can begin to determine where these emails are coming from and thereby stop them?
    Thanks
    Norman

  2. #2
    Super Moderator

    Re: Klez virus attachment (2002 SP-1)

    At Norton's I found the following at http://www.symantec.com/avcenter/venc/data....klez.h@mm.html

    This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.

    Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment

    +++++++++++++++++++++++++++++++++++++++++++
    With the above information, it could be coming from any one or several people that have your address.

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  3. #3
    2 Star Lounger

    Re: Klez virus attachment (2002 SP-1)

    Hello Dave: I know about that Norton address. Woody provided it in his Office Watch update 7.16.
    I ran the removal tool after the first indication of an incoming virus and I have scanned my PC completely twice since. I wanted to feel sure that I was not the culprit in some way.
    I understand that they could be coming from a variety of sources.
    Since the From field contains no recognizable address to me, can the header information be decoded to give any indication as to where the messages originated? If so, where can I find an explanation of the header protocol?
    Also, I was wondering, if I do attempt to contact the unknown addresses, could I be opening my email address and/or PC up to other unknown intrusions?
    Thanks
    Norman

  4. #4
    Super Moderator

    Re: Klez virus attachment (2002 SP-1)

    I would NEVER attempt to contact an UNKNOWN address. If the sender is known then, YES, contact them and let them know that you have received a virus from them.

    In Outlook, if you right-click the message and select "Properties" you will be able to see the path that the message was sent in. I think it is the same in OE.

    Thanks,
    David C Abernathy
    Windows XP associate eXPert
    DaveA@SchmeckAbernathy.com

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  5. #5
    3 Star Lounger

    Re: Klez virus attachment (2002 SP-1)

    Since just previewing the message will infect the system, it is not a good idea even just to "look" at any suspicious mail. It is strongly suggested to move all the mails to a webmail server. Check all the mails there first before downloading them onto the local machine.

  6. #6
    Super Moderator

    Re: Klez virus attachment (2002 SP-1)

    Norton 2002 checks all incoming and one can set it to check outgoing email. If one is using an anti-virus, it had better be checking all incoming mail including attachments or you better get a different one.

    I have been hit many times and Nortons was there and nailed every one of those suckers. These have all been attachments. I also have ALL extensions shown so I can see what is attached. These files were ALL from people that I know and are all running one of those free AV programs that one does not need to do anything to be kept up to date, B[censored]T, time to get a real anti virus program or quit sending email.

    Now you have heard my 2 cents.

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  7. #7
    Super Moderator jscher2000

    Re: Klez virus attachment (2002 SP-1)

    I have seen a number of these, and I believe that the virus does not swap out the Reply-to address. If you right-click the message in the Inbox, choose Options, and scan the Internet headers for a Return-Path or Reply-to field, you might be able to determine the source, or should I say, unfortunate victim. The same person might have sent you several copies. This is a nasty one.

    (As long as we're doing product plugs, I like Trend Micro's OfficeScan, which is the original centrally managed antivirus for the corporate desktop. Trend's home product is called PC-Cillin and now includes a personal firewall. I haven't tried that one.)

  8. #8
    Star Lounger

    Re: Klez virus attachment (2002 SP-1)

    Thanks re options, etc - I've been going nuts trying to work out how to read msg headers in Outlook as opposed to OE.

  9. #9
    Plutonium Lounger Leif

    Re: Klez virus attachment (2002 SP-1)

    'Options' is hardly the most obvious title, is it?
    With a message open, right-click on the toolbar, customise, and add the 'Options' button to your toolbar. Every message you open thereafter will divulge its secrets with but a single click.

  10. #10
    Star Lounger

    Re: Klez virus attachment (2002 SP-1)

    better&better - thanks Leif.

  11. #11
    2 Star Lounger

    Re: Klez virus attachment (2002 SP-1)

    This morning there were no Klez infections detected!
    I do have Norton configured to check incoming and outgoing mail.
    After looking at the header of all the emails, I noticed that the Return-Path: is different from the From: value normally seen on an email. On valid emails these values are the same.
    Finally I have noticed a pattern: every Return-Path: has the same email address, so my problem was probably originating from there.
    Conclusion, if I want to be real sure of where a message is coming from, I should check the Return-Path value in the header.
    After searching my Outlook contacts, I found one email previously sent to the common Return-Path address. The sender mystery appears to be solved at the same time as they stopped sending the messages.
    Thanks for listening and offering suggestions.

  12. #12
    Star Lounger

    Re: Klez virus attachment (2002 SP-1)

    RETURN PATHS

    Usually the same - but not necessarily - if a user has a domain registered which his ISP will not support, a little ingenuity is required, unless the hoster supports SMTP as well as POP3 - which the cheaper ones seem not to.

    Thanks for the thread BTW - very educational
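
The header check described in posts #11 and #12, as an added example that is not part of the original thread: it compares Return-Path with From across a batch of saved messages and reports the envelope address that keeps recurring. The sample headers, the example.* addresses and the function names are constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages: three worm-style mails with random From values
# but one recurring Return-Path, one ordinary mail, and one legitimate mail
# whose Return-Path differs because the sender relays through an ISP (post #12).
SAMPLES = [
    'Return-Path: <victim@example.net>\nFrom: "zq" <alpha@example.org>\nSubject: hi\n\n.',
    "Return-Path: <victim@example.net>\nFrom: bravo@example.com\nSubject: hi\n\n.",
    "Return-Path: <Victim@Example.net>\nFrom: charlie@example.org\nSubject: hi\n\n.",
    "Return-Path: <friend@example.com>\nFrom: Friend <friend@example.com>\nSubject: lunch\n\n.",
    "Return-Path: <user@isp.example>\nFrom: user@owndomain.example\nSubject: invoice\n\n.",
]

def envelope_and_from(raw):
    """Return (Return-Path address, From address), lower-cased, '' if absent."""
    msg = message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1].lower()
    frm = parseaddr(msg.get("From", ""))[1].lower()
    return env, frm

def triage(raw_messages):
    """List messages whose Return-Path differs from From, and count them
    per Return-Path address."""
    mismatched = []
    by_envelope = Counter()
    for index, raw in enumerate(raw_messages):
        env, frm = envelope_and_from(raw)
        if env and env != frm:
            mismatched.append((index, env, frm))
            by_envelope[env] += 1
    return mismatched, by_envelope

def likely_source(raw_messages, min_hits=2):
    """A single mismatch proves nothing (post #12), so only report an
    address that recurs across at least min_hits mismatched messages."""
    _, by_envelope = triage(raw_messages)
    if not by_envelope:
        return None
    address, hits = by_envelope.most_common(1)[0]
    return address if hits >= min_hits else None

if __name__ == "__main__":
    for index, env, frm in triage(SAMPLES)[0]:
        print(f"message {index}: Return-Path {env} != From {frm}")
    print("recurring Return-Path:", likely_source(SAMPLES))
```

The address it reports is most likely the infected machine's owner rather than a deliberate sender, as post #7 points out.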
