
Thread: Klez.E Anti-Virus-Virus

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    831

    Klez.E Anti-Virus-Virus

    Ohhh, lucky me.. someone thinks I'm special enough to share this free tool with... don't I feel special.... now, if only I knew who you were, I might have paused 2 seconds before deleting it....

    Received: from hoorn.tcc.to (mail.kalinet.to [207.124.73.129]) by <removed> with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id LXF26PJK; Thu, 6 Jun 2002 05:56:20 +1000
    Received: from Bzxvfrpjj (dialup30 [209.58.72.161])
    by hoorn.tcc.to (8.11.6/8.11.6) with SMTP id g55JjBH31775
    for <removed>; Thu, 6 Jun 2002 08:45:11 +1300
    Date: Thu, 6 Jun 2002 08:45:11 +1300
    Message-Id: <200206051945.g55JjBH31775@hoorn.tcc.to>
    From: tafolo <tafolo@kalianet.to>
    To: <removed>
    Subject: Worm Klez.E immunity
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=Zi50fb3wZ99ox7qy5by

    --Zi50fb3wZ99ox7qy5by
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    --Zi50fb3wZ99ox7qy5by
    Content-Type: application/octet-stream;
    name=AND.scr
    Content-Transfer-Encoding: base64
    Content-ID: <U38tyoHT03>

    --Zi50fb3wZ99ox7qy5by

    --Zi50fb3wZ99ox7qy5by
    Content-Type: application/octet-stream;
    name=button-arrow-back[1].jpg
    Content-Transfer-Encoding: base64
    Content-ID: <U38tyoHT03>

    --Zi50fb3wZ99ox7qy5by--



    Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
    Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious virus.
    You only need to run this tool once,and then Klez will never come into your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question,please mail to me.

    Tricky, eh?
    All these little tricks the kiddies have.... you're constantly under attack... with nerf guns, but still it's an attack....

    You might want to warn your users, or block this email, using the header information I provided (I'm pretty sure there's enough there to do it)...

    If the person had been a little more careful (with their wording), and faked the sender address, this could fool quite a lot of people... yes, stupid people are people too..
    -Matty_Cross
    "Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you're good and crazy, hehe, the sky's the limit!!"

  2. #2
    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question,please mail to me.


    LOL....


    On a side note, what the hell does sOnIc have against beer!? Is there nothing sacred anymore?

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    here.. let a little social engineering help make the medicine go down.. hehe

  4. #4
    Member
    Join Date
    May 2002
    Posts
    31
    Hey, I've been receiving that email for about a month now...been deleting it every time...it didn't work when I tried to block the address :/


    By the way, what did you do to get so much info on that email...would be useful if I knew how to do that...
    The Reflection Of A Pool Does Not Reveal Its Depth -Anonymous

  5. #5
    Senior Member
    Join Date
    Aug 2001
    Posts
    262
    If you want to see addresses, just change your settings for email; they are in the options. Good post Matty, nice to see you're still on the ball and not under the table.
    No good deed goes unpunished.

  6. #6
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    MC> There is a version just like this that comes from one of the users in the sender's address book. The reason you didn't know the sender is that the address was faked out of the sender's Outlook address book.

    i.e. if I sent you the message, it might come from Errata, because her email is in my address book. If you didn't know her, that's one thing, but if you do, you may be more likely to open it...trust me, some idiot on my network opened it (ok, 2 idiots did).

    Code:
    Received: from hoorn.tcc.to (mail.kalinet.to [207.124.73.129]) by <removed> with SMTP
    Come on, put the removed part back. Please?????? Especially with the Microsoft Exchange Server :P

    Oh well, guess not
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  7. #7
    Member
    Join Date
    May 2002
    Posts
    31
    I got this msg in my email today...I'm starting to get PO:

    W32.Klez.E is a special dangerous virus that spread through email.
    Kaspersky give you the special W32.Klez.E removal tools

    For more information,please visit http://www.Kaspersky.com (also an attachment)

    Here's a bit more info on this msg, if anyone can do something about whoever this is plz tell me....
    Return-Path: <jpciccone@monad.net> (I think this is faked)
    Received: from thresher.prexar.com ([192.168.121.25]) by mta1.prexar.com
    (InterMail vK.4.03.05.03 201-232-132-103 license 825bd1c9497ec8feaf544f28fddada32)
    with ESMTP id <20020606034624.VFNQ7348.mta1@thresher.prexar.com>
    for <removed>; Wed, 5 Jun 2002 23:46:24 -0400
    Received: from thresher (localhost [127.0.0.1])
    by thresher.prexar.com (Switch-2.2.2/Switch-2.2.0) with ESMTP id g563e1618649
    for <removed>; Wed, 5 Jun 2002 23:40:01 -0400 (EDT)
    Received: from Fqprbnt (arc3-55.keene.monad.net [206.231.110.55])
    by smtp.mcttelecom.com (8.10.0/Nope) with SMTP id g563ZKP25078
    for <removed>; Wed, 5 Jun 2002 23:35:21 -0400 (EDT)
    Date: Wed, 5 Jun 2002 23:35:21 -0400 (EDT)
    Message-Id: <200206060335.g563ZKP25078@smtp.mcttelecom.com>
    From: MSMalnati <MSMalnati@yahoo.com>
    To: removed
    Subject: W32.Klez.E removal tools
    MIME-Version: 1.0
    X-BLTSYMAVREINSERT: vZHD2WT+ozwS3YuAbBvDgv9XwWQA
    Content-Type: multipart/alternative;
    boundary=VS046Wh82vl9I724n77892m
    The Reflection Of A Pool Does Not Reveal Its Depth -Anonymous
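
Added example, not part of any post in this thread: a Python filter that keys on the executable attachment name and the originating Received hop instead of the From address, which post #6 notes is lifted from the infected machine's address book. The sample message is rebuilt from the headers in post #1 with placeholder bodies; the extension list and function names are assumptions.

```python
import email
import re

# Constructed sample: headers copied from post #1, part bodies are placeholders.
RAW = """\
Received: from hoorn.tcc.to (mail.kalinet.to [207.124.73.129]) by <removed> with SMTP
\tid LXF26PJK; Thu, 6 Jun 2002 05:56:20 +1000
Received: from Bzxvfrpjj (dialup30 [209.58.72.161])
\tby hoorn.tcc.to (8.11.6/8.11.6) with SMTP id g55JjBH31775
From: tafolo <tafolo@kalianet.to>
Content-Type: multipart/alternative; boundary=Zi50fb3wZ99ox7qy5by

--Zi50fb3wZ99ox7qy5by
Content-Type: text/html;

placeholder body
--Zi50fb3wZ99ox7qy5by
Content-Type: application/octet-stream; name=AND.scr
Content-Transfer-Encoding: base64

AAAA
--Zi50fb3wZ99ox7qy5by--
"""

RISKY_EXT = (".scr", ".pif", ".exe", ".bat", ".com")  # assumed blocklist
HOP = re.compile(r"from\s+(\S+)\s+\((\S*)\s*\[([\d.]+)\]\)")

def received_hops(msg):
    """(HELO name, reverse-DNS name, IP) per Received header, newest first."""
    found = (HOP.search(" ".join(h.split())) for h in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def risky_attachments(msg):
    """Attachment names that end in an executable extension."""
    names = [part.get_filename() or "" for part in msg.walk()]
    return [n for n in names if n.lower().endswith(RISKY_EXT)]

def verdict(raw):
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    origin = hops[-1] if hops else None  # oldest hop; only as reliable as the relay that wrote it
    return {
        "origin_ip": origin[2] if origin else None,
        "helo_not_fqdn": bool(origin) and "." not in origin[0],
        "risky": risky_attachments(msg),
    }

if __name__ == "__main__":
    print(verdict(RAW))
```
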
