Re: "Undelivered Mail..."

by "Jeniffer C. Johnson" <lead(at)offlead.com>

 Date:  Sun, 09 Jun 2002 22:35:27 -0500
 To:  <hwg-techniques(at)hwg.org>
 References:  o4u7d1
At 08:40 PM 6/9/2002, Mike wrote:
>I'd like to make one thing clear: Klez does not always go about with the
>".exe" extension. I currently have a sample from that same son-in-law with
>".pif" and ".bat" and ".txt" extensions on the attachments. The first two
>were a dead giveaway that something was wrong because he doesn't have enough
>computer savvy to use these DOS extensions.
I'm getting on average about 50 mails a day these days infected with Klez. 
I'm seeing a lot of them with .html extensions as well. Poor Norton is 
awfully overworked recently! I've taken to not opening any attachments at 
all that appear to be from the lists unless they are very clear (seems like 
the dog lists...especially the yahoo groups lists...are pretty heavily 
infected). Many list members have taken to putting things like "virus 
scanned incoming and outgoing" in the subject line, as well as specifying 
in the body of the email what the attachment is: "this is a picture of a 
Golden cross from such and such shelter". They make sure that the name of 
the attachment matches the description given...something easy to 
decipher..."goldenx.jpg".  As mentioned, the msgs in the body of emails 
with Klez tend to be pretty generic.

Of course, since Klez replicates subject lines of emails already in the 
infected person's box, eventually we'll see infected mail with subject 
lines saying they've been scanned. Thus, make sure the attachment matches 
the description, as well as being something you are expecting to receive.

Jeniffer
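The triage rules the thread converges on can be written down as a small filter: executable-style extensions are quarantined outright, a "virus scanned" claim in the Subject is ignored because a worm copies subjects from the mailbox it infects, and any other attachment is accepted only when its filename is actually described in the body. This is an added example, not code from Jeniffer, Mike or the HWG archive; the messages it builds are constructed samples, and the extension lists are an assumption based on the extensions named in the thread (.exe, .pif, .bat, .txt, .html) plus a few other common executable types.

```python
"""Attachment triage heuristic for list mail (added example, not from the
original post). Encodes the thread's advice: quarantine executable-style
attachments, never trust a "scanned" claim in the Subject line, and only
accept an attachment whose filename is mentioned in the message body.
"""
import os
from email.message import EmailMessage

# Extensions treated as executable content; quarantined regardless of body text.
# Assumed list: .exe/.pif/.bat come from the thread, the rest are common equivalents.
SUSPICIOUS_EXTENSIONS = {".exe", ".pif", ".bat", ".com", ".scr", ".vbs"}


def build_message(subject, body, attachment_name=None, payload=b"sample-bytes"):
    """Construct a sample message (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "member@example.invalid"
    msg["To"] = "doglist@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


def triage(msg):
    """Return (verdict, reason) for one message.

    verdict is 'quarantine' (executable-style attachment), 'review'
    (attachment not described in the body) or 'accept'. The Subject header
    is deliberately never consulted: a worm that harvests subjects from an
    infected mailbox can reproduce any "virus scanned" marker verbatim.
    """
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        ext = os.path.splitext(name.lower())[1]
        if ext in SUSPICIOUS_EXTENSIONS:
            return ("quarantine", f"executable-style attachment {name!r}")
        if not name or name.lower() not in body:
            # .txt / .html / .jpg are fine only when the sender says what they are.
            return ("review", f"attachment {name!r} is not described in the body")
    return ("accept", "no attachment, or every attachment is described in the body")


def sample_messages():
    """Four constructed messages covering the cases discussed in the thread."""
    return {
        # "Scanned" marker in the Subject, but a .pif attachment: the marker is ignored.
        "pif_with_scanned_subject": build_message(
            "virus scanned incoming and outgoing", "A very funny game", "game.pif"),
        # Attachment name matches the description in the body.
        "described_jpg": build_message(
            "Golden cross needs a home",
            "This is a picture of a Golden cross from such and such shelter, "
            "attached as goldenx.jpg.", "goldenx.jpg"),
        # Generic body, attachment never mentioned: held for review.
        "undescribed_html": build_message(
            "Re: Undelivered Mail", "Hi, see attached.", "readme.html"),
        # Plain discussion mail, no attachment at all.
        "no_attachment": build_message("Re: training tips", "Try a longer lead."),
    }


def triage_all():
    """Map each sample name to its verdict."""
    return {name: triage(msg)[0] for name, msg in sample_messages().items()}


if __name__ == "__main__":
    for name, (verdict, reason) in ((n, triage(m)) for n, m in sample_messages().items()):
        print(f"{name:28s} {verdict:10s} {reason}")
```

The check is intentionally crude: it only confirms that the sender's own words name the file, which is exactly the list members' convention. A worm that also writes the filename into a generic body would still pass the `review` gate, so this is a triage aid for a human reader rather than a substitute for the scanner the post mentions.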

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA