
Thread: Virus that uses random subject:?

  1. #11
    Here is what I found:

    Mail Subject



    Variants .A, .C, and .D compose the email subject line from a list in the worm's body. This list is the same for each of these three variants.

    Variants .E and .F compose the email subject line from a list in the worm's body. This list is the same for variants .E and .F.

    For variants .G, .H, and .I, the subject of the email is composed in a complex manner, but also taken from a list in the worm's body.

    ccKid

  2. #12
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Try Hybris also.. I think variant F..

    I am curious as to the source of your information.. Just haven't read that.. yet..

    every Klez email I have seen has different subjects, clients have reported that the returned infected mails have subjects from their email history..

    Get ur client to Check for a running prog on their machine.. hit the CTL-ALT-DEL keys and see if Wink(and 3 random letters, total name length 7 letters).. this would indicate Klez..

    Check out these sites.. for more info

    http://securityresponse.symantec.com/
    http://www.pandasoftware.com
    http://hoaxinfo.com/
    http://www.commandcom.com/virus/index.cfm
    http://www.f-prot.com/f-prot/virusinfo/
    http://vil.mcafee.com/default.asp?


    I'm sure others will have their favourites ...

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #13
    Senior Member
    Join Date
    Apr 2002
    Posts
    380
    http://www.europe.f-secure.com/v-descs/klez.shtml

    I didn't see what you are referring to in that page but are you certain your client wasn't wrong and said they used the email from his address book instead of the subject of the old email? I would double check on that especially if the customer isn't much computer literate...
    [shadow]Scorp666, the Infamous Orgasmatron[/shadow]

  4. #14
    Senior Member
    Join Date
    Apr 2002
    Posts
    380

    I think I found it!

    Look at the following :

    -- Update 3/4/2002 --
    Due to a slow, but steady, increase in prevalence over the past few weeks, AVERT has raised the risk assessment of this threat to MEDIUM.
    This W32/Klez variant has the ability to spoof the email FROM: field. The sender's address used by the virus, may be one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual sender's address.

    This worm makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2)

    This worm arrives in an Email message with a subject and body randomly composed from a rather long pool of strings that the virus carries inside itself

    *****(the virus can also add other strings)*****

    It can add other strings! So it can grab strings from emails and use them as the new subject...
    [shadow]Scorp666, the Infamous Orgasmatron[/shadow]
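The header check mentioned in the quoted advisory above ("Viewing the entire email header will display the actual sender's address"), as an added example that is not part of the original thread. The message, addresses and the `triage` helper are constructed for illustration, and the attachment check assumes the incorrect MIME header shows up as a non-application media type on a file with an executable name.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from a real infection): the From: line names
# one person while the envelope sender recorded in Return-Path is another.
SAMPLE = """\
Return-Path: <infected.user@example.net>
Received: from pc42.example.net (pc42.example.net [192.0.2.42])
\tby mx.example.org with SMTP; Mon, 4 Mar 2002 10:15:00 +0000
From: "Alice" <alice@example.com>
To: bob@example.org
Subject: some random words
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: audio/x-wav; name="notes.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")

def triage(raw):
    """Pull the fields a responder compares when the From: line may be spoofed."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    received = msg.get_all("Received", [])
    # Each relay prepends its Received line, so the last one is the oldest hop.
    first_hop = " ".join(str(received[-1]).split()) if received else ""
    # Executable file names declared under a non-application media type.
    odd = [p.get_filename() for p in msg.walk()
           if p.get_filename() and p.get_filename().lower().endswith(EXEC_EXT)
           and p.get_content_maintype() != "application"]
    return {"from": from_addr, "envelope_sender": envelope,
            "from_mismatch": bool(envelope) and from_addr != envelope,
            "first_hop": first_hop, "odd_attachments": odd}
```

A mismatch alone is not proof of infection, since mailing lists and forwarders also rewrite the envelope sender; the oldest Received hop is what points at the machine to check.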

  5. #15
    Und3rTak3r - I found the info from TrendMicro's website, I ran a search on google. I will check out the specs on Hybris.

    Scorp - The client is extremely deficient when it comes to using computers, lol, and I went into solving the problem knowing that. Where did you find the source of your info, I would like to find posted info that I can send the client to clarify what virus has infected her system.

    ccKid

  7. #17
    Senior Member
    Join Date
    May 2002
    Posts
    236
    I have been getting every single e-mail virus there is for the past week, 3/4 a day.
    Thing is I run Linux, some ppl at work have Norton and it blocks all viruses right away.

  8. #18
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    How is it going ccKid.. you making progress with your client?

    Scorp thanks for the extra links..


    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #19
    Nothing yet, Und3erTak3r, the client can't get online now to update her AV software. Of course she didn't do what I had previously told her to do..........Update the AV dat files !!! Now she's in a pickle, LOL. I'll keep you updated and thanks everyone for all info and guidance.

    ccKid
