Are you the Klez monster?

Thread: Are you the Klez monster?

  1. #1
    System_Overload (Guest)

    Are you the Klez monster?

    It may only be a matter of time before you're accused of spreading the Klez virus.
    A month after it started spreading, the Klez.h worm isn't slowing down, said antivirus experts on Friday. Moreover, the worm's technique of forging the address of the sender on each infected e-mail message is creating a flood of warnings from gateway antivirus software informing the wrong people that they are infected.

    "A lot of traffic is being multiplied by the response mechanisms and refusal mechanisms," said Fred Cohen, security practitioner in residence at the University of New Haven.

    In many cases, antivirus software protecting a company's e-mail gateways is sending out a response to each infected e-mail inadvertently sent out by a victim--but that warning is going to the wrong person. "So, in effect, you're getting twice the fun you would normally get," Cohen said.

    Apart from magnifying the amount of spam produced by the virus, the incorrect identification of those who are infected is also responsible for hindering efforts to fight the spread of the worm, said Cohen.

    Faked addresses
    The Klez.h variant, which appeared in mid-April, infects PCs whose users open the attachment to an infected e-mail. Confusing matters, the e-mail will have a random "from" address, selected from various sources on the original victim's hard drive. And it pairs this bogus sender's address with one of more than 120 different subject lines.

    When a user opens the attachment, the virus starts up its own e-mail engine and mass mails itself to e-mail addresses found in various files on the PC, using a source address culled from those addresses. Klez.h can also send out a random file from the PC as an attachment, along with the e-mail that carries the worm, potentially passing confidential information.

    In some instances, the worm also drops one of several other viruses, including the destructive CIH, and tries to remove any active antivirus software from the system.

    Overall, the Klez.h variant has been extremely successful.

    "The spread has been really steady," said John Harrington, director of U.S. marketing for e-mail service provider MessageLabs. "We've seen 20,000 again today (Friday), and there's no indication that this is dying down."

    While the worm has not spread as quickly as, say, the LoveLetter virus--of which MessageLabs received one copy for every 23 legitimate e-mails during the virus' peak in May 2000--it does make up one out of nearly every 170 e-mails, Harrington said.

    In fact, the steady spread--rather than a firestorm of e-mails--may actually be part of the reason for the worm's success, said Harrington. The Klez.h variant did manage to top the charts of computer viruses in April.

    "It kind of cruises below the radar screen," Harrington said. "Everyone had heard of LoveLetter. But if you go into a computer shop and ask people if they've heard of Klez, they'll shake their heads."

    Hard to track
    The Klez variant's ability to spoof the source of infected e-mail makes it nearly impossible to track down the infected users who sent the virus.

    "The whole spoofing thing adds a dimension to it that is a little different," said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team. "It's definitely possible that the false addresses are slowing response."

    Network Associates still receives more than 50 reports a day of the worm from customers, and some corporate clients are seeing more than 20,000 messages carrying the virus at their e-mail gateways.

    The response to Klez--that uninfected users are being told they sent a virus--shows the holes in the system, added Gullotto.

    In addition, some out-of-the-office auto-reply mechanisms may be going haywire as a result of an infected user sending an e-mail with a random source and receiver who are both away.

    "I am sure there are some auto-reply wars that have been going on," Gullotto said. "There has been a lot of mail that is going around that is caused by this."

    Until system administrators disable antivirus notification on the e-mail gateway servers, the confusion will only continue.


    System_0verload

  2. #2
    Banned (Join Date: Aug 2001, Location: Yes, Posts: 4,424)
    Quoting a source is always a nice thing to do

  3. #3
    System_Overload (Guest)

    Source was an email from a buddy...
    I get web news in my emails...


    System_0verload

  4. #4
    Senior Member (Join Date: Apr 2002, Posts: 324)
    I have been bombarded by the Klez.h variant of W32.Klez.gen@mm over the last week. Obviously I didn't open the emails 'cos they just look like a virus, but it was still a concern. So yesterday I did a bit of playing and found that the mail-from address in these mails was in this format:

    sales-owner@domain sends to sales@domain
    sysadmin-owner@domain sends to sysadmin@domain
    support-owner@domain sends to support@domain
    So I re-configured my mail server to automatically drop any email containing the string "-owner" before the @ sign. Guess what... no more Klez mails.

    If you don't own your own mail server you could do something similar using junk mail filtering or mail processing rules (depends on your OS and mail client - RTFM).

    The latest virus definitions for Norton's AVTK will catch variants of the W32.Klez.gen@mm virus, so also be advised to update your virus definitions file.

    If you believe you have been infected you can download the Symantec Klez removal tool from my ftp server at:
    ftp://195.8.181.206/antivirus/FixKlez.com
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  5. #5
    Senior Member (Join Date: Feb 2002, Posts: 253)
    I have received several emails with Klez.H. While the Sender portion of the emails is spoofed, the Reply-To portion of each header gives the email address of the Klez-infected computer.

    Here is a link to a discussion on that subject:

    Klez Talk



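    The two observations above (post #4's "-owner" sender pattern and post #5's Reply-To header) combine into a small gateway-side triage filter. This is an added example, not code from the thread or from any product named in it; the sample messages and addresses are constructed, and the filter warns the Reply-To address rather than the forged From address, for the reason the article in post #1 gives.

```python
"""Added example, not code from the thread or from any product named in it:
a gateway-side triage filter applying the heuristics from posts #1, #4 and #5
to raw messages. All sample messages below are constructed for this example."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from typing import Optional

OWNER_SUFFIX = "-owner"

def _addr(msg, header: str) -> str:
    """Bare, lower-cased address from a header, or '' when it is absent."""
    return parseaddr(str(msg.get(header, "")))[1].lower()

def owner_list_pattern(sender: str, recipient: str) -> bool:
    """Post #4's pattern: '<name>-owner@dom' sent to '<name>@dom'. It also
    matches legitimate list-owner traffic, so treat it as a heuristic."""
    if "@" not in sender or "@" not in recipient:
        return False
    s_local, s_dom = sender.rsplit("@", 1)
    r_local, r_dom = recipient.rsplit("@", 1)
    return s_dom == r_dom and s_local == r_local + OWNER_SUFFIX

def triage(raw: str) -> dict:
    """Return {'drop': bool, 'notify': Optional[str]} for one raw message.
    drop:   post #4's rule matched.
    notify: post #5 says Reply-To names the infected PC, so warn that address,
            never the forged From (post #1: warning From only feeds the flood
            of misdirected gateway notices). None when Reply-To is missing or
            equals From, in which case nobody is warned."""
    msg = Parser(policy=policy.default).parsestr(raw)
    frm, to, reply_to = (_addr(msg, h) for h in ("From", "To", "Reply-To"))
    drop = owner_list_pattern(frm, to)
    notify: Optional[str] = reply_to if (drop and reply_to and reply_to != frm) else None
    return {"drop": drop, "notify": notify}

# Constructed samples: one Klez-style message and one ordinary message.
KLEZ_LIKE = (
    "From: sales-owner@example.com\r\nTo: sales@example.com\r\n"
    "Reply-To: victim-pc@home.example.net\r\nSubject: constructed sample\r\n"
    "\r\n(body omitted)\r\n"
)
ORDINARY = (
    "From: alice@example.com\r\nTo: bob@example.org\r\n"
    "Reply-To: alice@example.com\r\nSubject: lunch\r\n\r\nnoon?\r\n"
)

if __name__ == "__main__":
    print(triage(KLEZ_LIKE))  # {'drop': True, 'notify': 'victim-pc@home.example.net'}
    print(triage(ORDINARY))   # {'drop': False, 'notify': None}
```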
  6. #6
    Senior Member (Join Date: Apr 2002, Posts: 324)
    There are a number of variants of the W32.Klez.gen@mm virus - I have only tried my drop "-owner" mail theory on the one I was getting, and it solved it. I was not suggesting this as an alternative to keeping your virus definitions up to date, however.

    Also, the Klez removal tool I included a link to should handle all known variants.

    Quote: "My wife is home from the hospital"
    Good news! Nothing too serious, I hope!

  7. #7
    Senior Member (Join Date: Feb 2002, Posts: 253)
    HeyNtsa:

    Thanks for the message about my wife & the hospital. She was admitted to the same hospital in 10/01; 1/02;2/02;3/02;4/02 & 5/02.
    The underlying cause of all the admissions is the same.

  8. #8
    Senior Member (Join Date: Apr 2002, Posts: 324)
    Ouch! Sorry. Wish her well...

    Nice comments about the Reply-To field, btw - I can now send people links to the Klez removal tool! Thanks for that. Have some greenies!

  9. #9
    Senior Member (Join Date: Apr 2002, Posts: 324)
    I wrote this because of the multinational origins of the senders of the Klez virus. If you use it, don't forget my greenies!

    >>English version.

    You seem to have sent me the Klez.h virus. The Klez virus is an email-based mass-mailer worm that searches your hard drive for email addresses, to which it then forwards itself. You can find more information on the Klez.h worm on the Symantec website (who produce Norton's AVTK) at:
    http://securityresponse.symantec.com...klez.h@mm.html

    You can download the Klez removal tool from the click and build ftp server at:
    ftp://195.8.181.206/antivirus/FixKlez.com

    Save the file to your desktop and then double click it.

    If you have any questions or queries related to this matter please do not hesitate to email me and I will get back to you as soon as possible.

    >>In French.

    You seem to have sent me the Klez.h virus. The Klez virus is an email-based mass-mailer worm that searches your hard drive for email addresses, to which it then forwards itself. You can find more information on the Klez.h worm on the Symantec website (who produce Norton's AVTK) at: http://securityresponse.symantec.com...klez.h@mm.html

    You can download the Klez removal tool from the click and build ftp server at: ftp://195.8.181.206/antivirus/FixKlez.com

    Save the file to your desktop and then double click it. If you have any questions or queries related to this matter, please do not hesitate to email me and I will get back to you as soon as possible.

    >>In Spanish.

    You seem to have sent me the Klez.h virus. The Klez virus is an email-based mass-mailer worm that searches your hard drive for email addresses, to which it then forwards itself. You can find more information on the Klez.h worm on the Symantec website (who produce Norton's AVTK) at: http://securityresponse.symantec.com...klez.h@mm.html

    You can download the Klez removal tool from the click and build ftp server at: ftp://195.8.181.206/antivirus/FixKlez.com

    Save the file to your desktop and then double click it. If you have any questions or queries related to this matter, please do not hesitate to email me and I will get back to you as soon as possible.

    >>In Italian.

    You seem to have sent me the Klez.h virus. The Klez virus is an email-based mass-mailer worm that searches your hard drive for email addresses, to which it then forwards itself. You can find more information on the Klez.h worm on the Symantec website (who produce Norton's AVTK) at: http://securityresponse.symantec.com...klez.h@mm.html

    You can download the Klez removal tool from the click and build ftp server at: ftp://195.8.181.206/antivirus/FixKlez.com

    Save the file to your desktop and then double click it. If you have any questions or queries related to this matter, please do not hesitate to email me and I will get back to you as soon as possible.

    >>In German.

    You seem to have sent me the Klez.h virus. The Klez virus is an email-based mass-mailer worm that searches your hard drive for email addresses, to which it then forwards itself. You can find more information on the Klez.h worm on the Symantec website (who produce Norton's AVTK) at: http://securityresponse.symantec.com...klez.h@mm.html

    You can download the Klez removal tool from the click and build ftp server at: ftp://195.8.181.206/antivirus/FixKlez.com

    Save the file to your desktop and then double click it. If you have any questions or queries related to this matter, please do not hesitate to email me and I will get back to you as soon as possible.

    >>In Japanese.

    Hello... You seem to have sent me the Klez.h virus. The Klez virus is an email-based mass-mailer worm that searches your hard drive for email addresses, to which it then forwards itself. You can find more information on the Klez.h worm on the Symantec website (who produce Norton's AVTK) at: http://securityresponse.symantec.com...klez.h@mm.html

    You can download the Klez removal tool from the click and build ftp server at: ftp://195.8.181.206/antivirus/FixKlez.com

    Save the file to your desktop and then double click it. If you have any questions or queries related to this matter, please do not hesitate to email me and I will get back to you as soon as possible.

    >>In Chinese.

    Hey -- you seem to have sent me the Klez.h virus. The Klez virus is an email-based mass-mailer worm that searches your hard drive for email addresses, to which it then forwards itself. You can find more information on the Klez.h worm on the Symantec website (who produce Norton's AVTK) at: http://securityresponse.symantec.com...klez.h@mm.html

    You can download the Klez removal tool from the click and build ftp server at: ftp://195.8.181.206/antivirus/FixKlez.com

    Save the file to your desktop and then double click it. If you have any questions or queries related to this matter, please do not hesitate to email me and I will get back to you as soon as possible.

  10. #10
    Senior Member (Join Date: Oct 2001, Posts: 255)
    I got Klez with CIH, and I had to format the drive and reinstall WinMe, and used a proggie to clean my inbox, in case it was in there.
    And I run the FixKlez every day or so.
    http://www.attrition.org/gallery/computing/forum/tn/youarenot.gif.html
