Klez Virus

ArkansasElkHunter

Well-known member
Joined
Jan 19, 2002
Messages
1,748
Reaction score
0
I know this is off the subject but you guys are the only ones I mess with so I thought I should post it here.


I got a message last night from Talltimes_jay or something like that and my machine warned me about it but I opened it anyway and sure enough it was the Klez virus.  This is an email virus that sends messages from your machine without your knowledge.  You can look at your connection data for bytes sent and received.  If you haven't uploaded anything and there is a lot of data going out when you first dial up, then you may be infected.  My Norton would not clean it but I did a search and there are a couple of good free downloads and one of them wiped it out.  This is the second time I got it in a month or so, so it has to be someone here on the forum, you guys are the only ones I email.  The first time I had no indication, but this time my machine gave me that "may contain a virus, open it anyway" message.  The address looked legit so I risked it.  It's not spread in legitimate messages but the virus picks random email addresses from your machine along with some it gathers up as it goes and creates random messages and attachments and uses other addresses from your machine as the sender address.  If your machine seems to be slower than normal on first starting up, check to see the data it's sending.

Like I said, I'm clean now and it's not carried by legitimate messages, but someone out there who has my email address has it.  I'm sure it is one of you guys, because you are the only ones I email with this address at home.

Anyway, just check it out.  If someone has more info you may want to add to this.
 



Dbworld

Well-known member
Joined
Dec 5, 2001
Messages
415
Reaction score
0
I get that stupid virus all the time...at least once a day.  95% from names I don't recognize.  My antivirus takes care of it before it really gets anywhere.
 

coyotebandit

Well-known member
Joined
Jan 23, 2002
Messages
1,892
Reaction score
0
I got a couple of those messages also, luckily I have a hotmail account, so no damage done. They were both from members, or former members of this forum. Please scan your email clients for viruses to keep this from spreading.
 

Tinhorn

Well-known member
Joined
Mar 13, 2001
Messages
3,516
Reaction score
0
Although this category belongs over in "Computers" I think more users will see it here.  Might move it in a few days, also might include it in the Campfire Forum:

I got 13 "Return to Sender" emails this week alone, only the sender was not me, we've been gone since last Thursday but the send dates were all the week we were out of town!    I found this on the internet at Norton's Site:

Tinhorn


W32/Klez.h@MM
I-Worm.Klez.h


Email spoofing
This worm often uses a technique known as "spoofing." When it performs its email routine, it can use a randomly chosen address that it finds on an infected computer as the "From:" address. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.H@mm. Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.H@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

If you are using a current version of Norton AntiVirus and have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.
The message may be disguised as an immunity tool. One version of this false message is as follows:

Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at
<http://www.microsoft.com/technet/security/bulletin/MS01-020.asp>
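
Added example, not part of the original thread or of Norton's article: a mail-triage check for the fake "postmaster bounce" described above, treating the "From:" header as an unverified claim and flagging a bounce from the recipient's own domain that carries an executable attachment. The extension list, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed list of directly executable Windows attachment types (not from the page).
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
BOUNCE_LOCALPARTS = ("postmaster", "mailer-daemon")


def triage(raw, my_address):
    """Return reasons to quarantine a message; an empty list means none found."""
    msg = message_from_bytes(raw, policy=policy.default)
    my_domain = my_address.rsplit("@", 1)[-1].lower()
    # From: is written by whoever composed the message, so it is only a claim
    # and never proof of which machine actually sent the mail.
    claimed = parseaddr(str(msg.get("From", "")))[1].lower()
    local, _, domain = claimed.partition("@")
    names = (part.get_filename() for part in msg.walk())
    risky = [n for n in names if n and n.lower().endswith(RISKY_EXT)]
    reasons = []
    if risky:
        reasons.append("executable attachment: " + ", ".join(risky))
    # The disguise described above: a "bounce" from your own domain that
    # arrives with a program attached.
    if risky and local in BOUNCE_LOCALPARTS and domain == my_domain:
        reasons.append("bounce from own domain carrying an executable")
    return reasons


def sample(sender, subject, attachment=None):
    """Build a constructed test message (not a captured one)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "jsmith@anyplace.com", subject
    m.set_content("constructed body")
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


FAKE_BOUNCE = sample("postmaster@anyplace.com", "Undeliverable mail", "tool.exe")
PLAIN_BOUNCE = sample("postmaster@anyplace.com", "Undeliverable mail")
FRIEND_MAIL = sample("Harold Logan <harold@example.org>", "photos", "deer.jpg")

if __name__ == "__main__":
    for label, raw in (("fake bounce", FAKE_BOUNCE), ("plain bounce", PLAIN_BOUNCE),
                       ("friend", FRIEND_MAIL)):
        print(label, "->", triage(raw, "jsmith@anyplace.com") or "no flags")
```

A clean result here only means these two checks did not fire; it does not replace a scan with current virus definitions.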
 

mkacala697

Well-known member
Joined
Aug 21, 2001
Messages
110
Reaction score
0
Just got one, I think it was from archilous's computer?

Said his name? Maybe, but oh well, I caught the attachment and deleted the email.
 

Tinhorn

Ark Elk Hunter started a post over in Motion Camera's about the spread of this Virus.  I've also been plagued by returned emails that my PC supposedly sent containing the virus but it's not from my machine.  (See the Article about "Spoofing" I posted in AEH's thread)

Although this category belongs over in "Computers" I thought we'd leave it in the Motion Cam Forum, for a while at least, since I don't think the Computer Forum has as much activity as some others.

Are you guys having the same trouble with this Virus?  Should we post something in several of the more active Forums, like the Campfire?  I agree with AEH that a few on this site have the Virus and it's spreading based on our addy's being in those people's address books.

Norton has a short program on their site that will check the computer for this virus that I think is free (but I'm not sure, since I'm a registered user, it may let me download it for free).  If it is free to anybody, maybe we should point this program out to the guys and try to get them to run it.....

Tinhorn
 

Tinhorn

Referring to that Long Article I pasted above:

Just because it has Arche's email addy (or anybody else's) it don't mean it came from them, that's what Spoofing means, the Virus "Forged" somebody's email address on the email as the sender!

Tinhorn
 

Thonzberry

Well-known member
Joined
Oct 18, 2001
Messages
1,856
Reaction score
0
I got an email from my buddy with the virus attached and he never sent it to me, he was on vacation when I got it. So like Tinhorn said it might not come from the person who says it's from. Make sure you have your anti virus updated.
 

Hill Hopper

Banned
Joined
Mar 10, 2002
Messages
1,570
Reaction score
0
My ISP has pretty good virus blocking, and has intercepted about 5 this week with the e-mail address tmcmkarren@earthlink .net. I tried to e-mail to this address to alert the user, but get it back as undeliverable. May be a spoofing. My Norton shows me as clean.
 

ArkansasElkHunter

You can tell if you have it by watching your bytes sent on your connection info.  If it starts gettin above 100k when you connect without your sending anything, then you may have it.
 

Dbworld

I got one yesterday from pgumbyxxx where xxx are numbers I don't remember.  That looks familiar too.
 

jayber

Well-known member
Joined
Aug 20, 2002
Messages
2,010
Reaction score
0
AEH,

Was the message from Tinehunter_jay?  That is my new e-mail, but I have no knowledge of this Klez virus thinggy.  I just got a new laptop so I would think that it has the latest anti-virus software, but I.S. has let me down before!  My dial-up hasn't been acting right from the get-go.......now you have me worried.  And sorry if it was from me (without knowledge).

(Edited by jayber at 2:57 pm on Aug. 23, 2002)
 

mkacala697

I assumed it wasn't from arch, just noting that's the email it says, so if you get anything from him you aren't expecting you can watch out.

Sorry if I sounded incriminating.
 

ArkansasElkHunter

jaber that was it.  The question is did you email me yesterday.  If you did then you might be the critter.  If not it could have come from someone we both know.  Like Miked said.  My new Norton said I was clean but the one I downloaded caught it.  Can't recall what it was.
 

jayber

I don't think I e-mailed you yesterday, but my memory fails me sometimes.  When was it that you sent me the MS20 pics 'cause I responded to that one I think.  I know I Messenger'd you in here several times yesterday.
 

spectr17

Administrator
Admin
Joined
Mar 11, 2001
Messages
69,574
Reaction score
444
Gizz and me were discussing this a couple weeks ago and trying to figure it out. Tinhorn's post nails it down.

I ran my system virus scan with my Norton AV and then ran Norton's Klez removal tool and no virus was found.

The virus Tinhorn's post talks about is spoofing other people's email address. I figured this since some of the emails supposedly sent from my puter were at times when I was disconnected from the phone line.
 

