Re: "Undelivered Mail..." - Klez virus

by "Angel One" <angelone(at)angelonearth.net>

 Date:  Sat, 8 Jun 2002 20:55:51 -0400
 To:  "HWG list" <hwg-techniques(at)hwg.org>
 References:  o4u7d1
    Hi All,
    I had it! Don't ask me how, as I turned off the preview in Outlook
Express *months* ago for that reason. I don't open attachments, even from
known sources, without scanning them first (& haven't opened *any* exe's).
    I first tried to wipe, then delete the two files (found in the
C:/_RESTORE folder) after InoculateIt found them, with no *apparent* luck.
After downloading the Klez fix, checking & running it, I got "Neither
W32/Klez.gen@mm nor W32.ElKern.gen were found on your computer".  I
re-checked with InoculateIt & it's gone now.
    I do have two questions: Can I now turn system restore back on?  Is
there a quick way to send an e-mail to everyone in my Outlook Express
address book?
    Thanks,
    ~ Paul


----- Original Message -----
From: "Mike" <ironmike(at)inav.net>
To: <hwg-techniques(at)hwg.org>
Sent: Friday, June 07, 2002 8:26 PM
Subject: "Undelivered Mail..."


> That's KLEZ!!
>
> Klez is always an email attachment. When opened the worm does its dirty
> little thing and replicates itself randomly throughout your system, changes
> its name and tries to send out new replicants to everyone on your email
> list every time your email system loads. It isn't particularly dangerous,
> but is HORRIBLY inconvenient. It even spoofs those "undeliverable...."
> email notices.
>
> It may start Windows services and emulate active Windows processes. All
> these must be killed to rid your computer of the infection. Klez-infected
> files must be deleted or disinfected, or the worm just keeps on
> replicating!
>
> Older ver. (5.0?) may launch the worm when the email is opened -- even if
> the attachment is not opened. To prevent this either upgrade to newer,
> more secure browsers or install the latest service packs for your browser.
>
> Read this April article from Wired News to find out more about Klez:
>
> http://www.wired.com/news/technology/0,1282,52055,00.html
>
> To get rid of the pest from your computer, visit:
>
> **** http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html ****
>
> (That is one line with no breaks) Follow the instructions EXACTLY and you
> can disinfect your system. (especially note that the klez-killer must be
> run from the desktop.) Then you can notify **everyone** on your mailing
> lists of the possibility that they have the virus and let them know how to
> disinfect their systems. Then they need to let everyone on their mailing
> lists....ad nauseam.
>
> There are other anti-klez sites but I like Symantec the best because of
> its detailed instructions.
>
> I receive emails with this pest about half a dozen times a week, all
> because my daughter and her husband joined a joke-of-the-day chain letter
> system that is now infected.
>
> What we need is a national "Knock out Klez" day where all computer users
> in this country spend some time disinfecting their computers. Then
> everything will be hunky-dory until the first overseas email the next day.
> Oh, well....
>
> EVERYONE READING THIS MESSAGE SHOULD CHECK FOR KLEZ TODAY -- RIGHT NOW !!!
>
>
> ----- Original Message -----
> From: "Bob Unger" <rbu(at)cirex.net>
> To: <hwg-techniques(at)hwg.org>
> Sent: Friday, June 07, 2002 4:10 PM
> Subject: "Undelivered Mail..." has me pulling my hair out!
>
>
> > For the last few weeks I have been bombarded by "Undelivered Mail
> > Returned to Sender" messages.  I get around 20 to 30 a day saying it's
> > returned to me because it's infected with Klez - or the recipient doesn't
> > accept attachments, etc.... all kinds of reasons.  But most of the
> > "undelivered" addresses are not in my address book (I use Eudora) and all
> > the messages have my address in the "from" field.
> >
> > I've scanned my disk with Norton and it comes up clean - yet I am
> > getting all these "returned mails" with my address on it.
> >
> > How does Klez work?  Is Klez grabbing my address from other people's
> > address books that are infected with the virus - and then I get the
> > returned mail?  Is there ANYTHING I can do to stop getting all these
> > "returned" messages???????
> >
> > The kicker to all this is, is that it's using my brand new email address
> > that I've had for just about a month now.  It's driving me insane!
> >
> > Bob Unger
> > rbu(at)cirex.net
>
>

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA