RE: "Undelivered Mail..." - Klez virus

by Kid Stevens <Kidstevens(at)comcast.net>

 Date:  Sat, 08 Jun 2002 22:10:45 -0600
 To:  HWG list <hwg-techniques(at)hwg.org>
 References:  mindspring
That is why when I am on a Windows machine I still use Eudora for mail.
Scripts that send bad news your way don't execute.

At 11:13 PM -0400 6/8/02, Ginger Kaderabek wrote:
>Some people seem to not quite grasp the Klez worm's mechanism, which is a
>particularly annoying mechanism because it leads to a lot of erroneous
>finger-pointing.  As I understand it, in an infected computer, the worm
>randomly chooses e-mail addresses for BOTH "From" and "To" from the Address
>Book, then randomly chooses a subject line from an existing e-mail.
>Therefore, a person may get an infected e-mail that appears to be from you.
>It's not. It's from someone who has both that person's e-mail address and
>your address in his Address Book.
>
>I too have gotten quite a few "undelivered mail" e-mails, which I presume
>happens when the worm program picks an outdated e-mail address to put in the
>"To" line and my e-mail address to put in the "From" line.
>
>Anyone have any suggestions about what we should do to the person who
>developed this one, if he's ever found?  Drawing and quartering?  Tarring
>and feathering?  Boiling oil?  Painful dental work? An 8088 processor?
>
>Ginger
>
>
>-----Original Message-----
>From: owner-hwg-techniques(at)hwg.org
>[mailto:owner-hwg-techniques(at)hwg.org]On Behalf Of Angel One
>Sent: Saturday, June 08, 2002 8:56 PM
>To: HWG list
>Subject: Re: "Undelivered Mail..." - Klez virus
>
>
>    Hi All,
>    I had it! Don't ask me how, as I turned off the preview in outlook
>express *months* ago for that reason. I don't open attachments, even from
>known sources, without scanning them first (& haven't opened *any* exe's).
>    I first tried to wipe, then delete the two files (found in the
>C:/_RESTORE folder) after InoculateIt found them, with no *apparent* luck.
>After downloading the Klez fix, checking & running it, I got "Neither
>W32/Klez.gen@mm nor W32.ElKern.gen were found on your computer".  I
>re-checked with InoculateIt & it's gone now.
>    I do have two questions: Can I now turn system restore back on?  Is
>there a quick way to send an e-mail to everyone in my outlook express
>address book?
>    Thanks,
>    ~ Paul
>
>
>----- Original Message -----
>From: "Mike" <ironmike(at)inav.net>
>To: <hwg-techniques(at)hwg.org>
>Sent: Friday, June 07, 2002 8:26 PM
>Subject: "Undelivered Mail..."
>
>
>> That's KLEZ!!
>>
>> Klez is always an email attachment. When opened the worm does its dirty
>> little thing and replicates itself randomly throughout your system, changes
>> its name and tries to send out new replicants to everyone on your email list
>> every time your email system loads. It isn't particularly dangerous, but is
>> HORRIBLY inconvenient. It even spoofs those "undeliverable...." email notices.
>>
>> It may start Windows services and emulate active Windows processes. All
>> these must be killed to rid your computer of the infection. Klez-infected
>> files must be deleted or disinfected, or the worm just keeps on replicating!
>>
>> Older ver. (5.0?) may launch the worm when the email is opened -- even if
>> the attachment is not opened. To prevent this either upgrade to newer, more
>> secure browsers or install the latest service packs for your browser.
>>
>> Read this April article from Wired News to find out more about Klez:
>>
>> http://www.wired.com/news/technology/0,1282,52055,00.html
>>
>> To get rid of the pest from your computer, visit:
>>
>> ****
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
>> ****
>>
>> (That is one line with no breaks) Follow the instructions EXACTLY and you
>> can disinfect your system. (Especially note that the klez-killer must be run
>> from the desktop.) Then you can notify **everyone** on your mailing lists of
>> the possibility that they have the virus and let them know how to disinfect
>> their systems. Then they need to let everyone on their mailing lists... ad
>> nauseam.
>>
>> There are other anti-klez sites but I like Symantec the best because of its
>> detailed instructions.
>>
>> I receive emails with this pest about half a dozen times a week, all because
>> my daughter and her husband joined a joke-of-the-day chain letter system
>> that is now infected.
>>
>> What we need is a national "Knock out Klez" day where all computer users in
>> this country spend some time disinfecting their computers. Then everything
>> will be hunky-dory until the first overseas email the next day. Oh,
>> well....
>>
>> EVERYONE READING THIS MESSAGE SHOULD CHECK FOR KLEZ TODAY -- RIGHT NOW !!!
>>
>>
>> ----- Original Message -----
>> From: "Bob Unger" <rbu(at)cirex.net>
>> To: <hwg-techniques(at)hwg.org>
>> Sent: Friday, June 07, 2002 4:10 PM
>> Subject: "Undelivered Mail..." has me pulling my hair out!
>>
>>
>> > For the last few weeks I have been bombarded by "Undelivered Mail Returned
>> > to Sender" messages.  I get around 20 to 30 a day saying it's returned to
>> > me because it's infected with Klez - or the recipient doesn't accept
>> > attachments, etc.... all kinds of reasons.  But most of the "undelivered"
>> > addresses are not in my address book (I use Eudora) and all the messages
>> > have my address in the "from" field.
>> >
>> > I've scanned my disk with Norton and it comes up clean - yet I am getting
>> > all these "returned mails" with my address on it.
>> >
>> > How does Klez work?  Is Klez grabbing my address from other people's address
>> > books that are infected with the virus - and then I get the returned
>> > mail?  Is there ANYTHING I can do to stop getting all these "returned"
>> > messages???????
>> >
>> > The kicker to all this is, is that it's using my brand new email address
>> > that I've had for just about a month now.  It's driving me insane!
>> >
>> > Bob Unger
>> > rbu(at)cirex.net
>>
>>

-- 
Sincerely,
Kid Stevens


Somehow There Must Be A Way, Let's Find It.
"Steve Stevens"

Only those who risk going too far, can possibly find out how far they can go.
"T. Ellis"
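As an added illustration that is not part of the thread above: the point Ginger makes, that the "From" line on a Klez message says nothing about who really sent it, also means the "From" line on the resulting bounce says nothing about whether the bounce is yours. The Python script below sorts incoming bounces by comparing the Message-ID of the returned original against a log of what your own mail server actually sent, and never looks at From: at all. The outbound log (`SENT_MESSAGE_IDS`), the addresses, and the three sample bounces are all constructed for this example; the assumption is that your mail server logs the Message-ID of every message it accepts for delivery.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Iterable, Optional

# Assumption: the site logs the Message-ID of every message its own mail server
# accepts for delivery.  This constructed set stands in for that log.
SENT_MESSAGE_IDS = {"<20020607161000.1234@example.net>"}


def extract_original(bounce: EmailMessage) -> Optional[EmailMessage]:
    """Return the returned original (or its headers) carried inside a bounce.

    RFC 3464 bounces are multipart/report; the original travels in a
    message/rfc822 part or, trimmed to headers, in a text/rfc822-headers part.
    Returns None when the bounce carries neither.
    """
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)          # the embedded message object
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify_bounce(raw: bytes) -> str:
    """Classify one bounce as 'genuine', 'backscatter' or 'unknown'.

    The From: header of the returned original is deliberately never consulted:
    it is exactly the field the worm forges.  Only the Message-ID, checked
    against our own outbound log, says whether we really sent the message.
    """
    bounce = email.message_from_bytes(raw, policy=policy.default)
    original = extract_original(bounce)
    if original is None:
        return "unknown"
    message_id = (original.get("Message-ID") or "").strip()
    return "genuine" if message_id in SENT_MESSAGE_IDS else "backscatter"


def summarize(bounces: Iterable[bytes]) -> dict:
    """Count bounces per class: the figure that tells you how much is noise."""
    counts = {"genuine": 0, "backscatter": 0, "unknown": 0}
    for raw in bounces:
        counts[classify_bounce(raw)] += 1
    return counts


# Constructed bounce for a message we really sent (its Message-ID is in our log).
GENUINE_BOUNCE = b"""\
From: MAILER-DAEMON@mx.example.com
To: bob@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The recipient mailbox does not exist.
--B1
Content-Type: message/rfc822

From: bob@example.net
To: nobody@example.com
Subject: hello
Message-ID: <20020607161000.1234@example.net>

A message we really did send.
--B1--
"""

# Constructed backscatter: an infected third party put our address in From:, so
# the bounce lands on us, but the Message-ID was minted on that other machine.
BACKSCATTER_BOUNCE = b"""\
From: MAILER-DAEMON@mx.example.org
To: bob@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

This message was rejected: worm attachment found.
--B2
Content-Type: text/rfc822-headers

From: bob@example.net
To: stale-address@example.org
Subject: Re: a subject lifted from someone else's mail
Message-ID: <k2x9q7@infected-pc.example.org>
--B2--
"""

# Constructed bounce that quotes nothing we can check.
BARE_BOUNCE = b"""\
From: MAILER-DAEMON@mx.example.com
To: bob@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

Your message could not be delivered.
"""

if __name__ == "__main__":
    print(summarize([GENUINE_BOUNCE, BACKSCATTER_BOUNCE, BARE_BOUNCE]))
```

Run as is, the script reports one genuine bounce, one backscatter bounce and one it cannot judge. Bounces that carry no copy of the original are the weak spot: the only honest answer for those is "unknown", which is why the counter keeps that class separate rather than folding it into either side.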

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA