[Dshield] Question about Klez

Bob Savage bsavage at rnr-inc.com
Thu Jul 11 19:52:05 GMT 2002

Yep, we've had several very similar to that.  Opened in Outlook, no
attachment, no message.  Looks legitimate in some cases because they
often seem to come from someone known to the user.  However the subject
line is typical Klez; the Exchange email file is big enough to contain
several attachments; opened in Wordpad you can see the attachments; the
attachments' names are typical Klez; and the actual source in the header
is not what's shown in the "from" line.  We use InoculateIT from
Computer Associates and keep it up-to-date religiously.  Despite CA
claims that it will find Klez, InoculateIT didn't catch these.  Several
other Klez "cures" from big-name companies didn't find any evidence of
Klez on our systems.  I know about these emails only because I have good
users who bring me anything that looks strange.
I'm impressed that Norton caught it for you.  I read in PC Mag that Klez
is so tough that the anti-virus companies have thrown up their hands
over it, and in some cases have labelled it "benign" only because it
doesn't seem to destroy files.
I think we avoided infection partly because of good users, and partly
because we've got Windows, Exchange, and Outlook screwed down so tight
that our systems are not allowing any executable contained in an email
to run or even be seen.  Maybe you were saved the same way.
Bob Savage
-----Original Message-----
From: Mercy [mailto:Mercymail at mindspring.com]
Sent: Thursday, July 11, 2002 1:17 PM
To: DS mailing list
Subject: [Dshield] Question about Klez

I received an email today which did not contain an attachment.  My mail
program opens up the mail on the bottom of the list first, and when it
did that, my Norton popped up saying that the email contained a file
named unknown093e.data, and that it was Klez.
I just did a full system scan last night on my computer.  Nothing was
How could I have gotten Klez from her without an attachment?  

Also, it was a legitimate email, not one that would have been
automatically sent by the virus. 
Please educate me.  

Thank you.
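Bob's checks above (the true source in the header not matching the "from" line, and attachment names visible in the raw message even though the client shows none) can be automated for triage. The following is an added example, not code from the thread; the raw message is constructed to mirror what the posters describe, and the hostnames and addresses in it are made up.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the thread: the From line names a known
# contact, the envelope sender and first Received hop point elsewhere, and a
# MIME part carries a file name although the mail client shows "no attachment".
RAW_MESSAGE = """Return-Path: <relay-user@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.com with SMTP; Thu, 11 Jul 2002 12:03:11 -0500
From: "Known Contact" <friend@example.com>
To: user@example.com
Subject: a special new website
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body></body></html>
--b1
Content-Type: application/octet-stream; name="unknown093e.data"
Content-Disposition: attachment; filename="unknown093e.data"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def attachment_names(msg):
    # Walk every MIME part; anything with a file name is an attachment,
    # whether or not the client chose to display it.
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = parse(raw)
    first_hop = re.search(r"from\s+(\S+)", msg.get("Received", "") or "")
    result = {
        "from": parseaddr(msg.get("From", ""))[1],
        "envelope_from": parseaddr(msg.get("Return-Path", ""))[1],
        "first_hop": first_hop.group(1) if first_hop else None,
        "attachments": attachment_names(msg),
    }
    # Flag when the visible sender domain disagrees with the envelope sender
    # domain and the message still carries a file: the pattern Bob describes.
    result["suspicious"] = (domain(msg.get("From")) != domain(msg.get("Return-Path"))
                            and bool(result["attachments"]))
    return result
```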