[Dshield] Question about Klez

Mercy Mercymail at mindspring.com
Fri Jul 12 06:08:25 GMT 2002


I believe it was someone on one of my email lists that is contaminated.  The From line was not her name, but the email it came from was her.  I tried to notify her, and I hope she can get it cleaned up.

I did run the "FixKlez" tool that symantec has on their web site, and I am clean.

I am thankful that NAV caught it.

Mercy
  ----- Original Message ----- 
  From: Bob Savage 
  To: list at dshield.org 
  Sent: Thursday, July 11, 2002 3:52 PM
  Subject: RE: [Dshield] Question about Klez


  Yep, we've had several very similar to that.  Opened in Outlook, no attachment, no message.  Looks legitimate in some cases because they often seem to come from someone known to the user.  However the subject line is typical Klez; the Exchange email file is big enough to contain several attachments; opened in Wordpad you can see the attachments; the attachments' names are typical Klez; and the actual source in the header is not what's shown in the "from" line.  We use InoculateIT from Computer Associates and keep it up-to-date religiously.  Despite CA claims that it will find Klez, InoculateIT didn't catch these.  Several other Klez "cures" from big-name companies didn't find any evidence of Klez on our systems.  I know about these emails only because I have good users who bring me anything that looks strange.

  I'm impressed that Norton caught it for you.  I read in PC Mag that Klez is so tough that the anti-virus companies have thrown up their hands over it, and in some cases have labelled it "benign" only because it doesn't seem to destroy files.

  I think we avoided infection partly because of good users, and partly because we've got Windows, Exchange, and Outlook screwed down so tight that our systems are not allowing any executable contained in an email to run or even be seen.  Maybe you were saved the same way.

  Bob Savage


   -----Original Message-----
  From: Mercy [mailto:Mercymail at mindspring.com]
  Sent: Thursday, July 11, 2002 1:17 PM
  To: DS mailing list
  Subject: [Dshield] Question about Klez


    I received an email today wich did not contain an attachment.  My mail program opens up the mail on the bottom of the list first, and when it did that, my norton poped up saying that the email contained a file named unknown093e.data, and that it was Klez.

    I just did a full system scan last night on my computer.  Nothing was found.

    How could I have gotten Klez from her without an attachment?  

    Also, it was a legitimate email, not one that would have been automatically sent by the virus. 

    Please educate me.  

    Thank you.

    Mercy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/list/attachments/20020712/e485f645/attachment.htm


More information about the list mailing list