[Dshield] Question about Klez

Will Boege will_boege at i-tech.com
Fri Jul 12 15:59:16 GMT 2002


> I'm impressed that Norton caught it for you.
> I read in PC Mag that Klez is so tough that the anti-virus companies 
> have thrown up their hands over it, and in some cases have 
> labelled it "benign" only because it doesn't seem to destroy files.

Hmm.. I have had no problem whatsoever detecting Klez.  I use Sophos
SWEEP on the mail-server side and Trend Officescan on the desktops.  You
might want to verify that you have the proper defs. installed.  You also
might want to make sure that the InoculateIT on-access scanner is
checking an accurate list of extensions.

If you are blocking executables as you say, how did the Klez get through
your mail server?  Make sure you block not just .exe's but .pif, .scr,
.vbs, .vbe, .wsh, .com, .bat, .shb, .reg, .lnk

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Of Bob Savage
Sent: Thursday, July 11, 2002 2:52 PM
To: list at dshield.org
Subject: RE: [Dshield] Question about Klez


Yep, we've had several very similar to that.  Opened in Outlook, no
attachment, no message.  Looks legitimate in some cases because they
often seem to come from someone known to the user.  However, the subject
line is typical Klez; the Exchange email file is big enough to contain
several attachments; opened in Wordpad you can see the attachments; the
attachments' names are typical Klez; and the actual source in the header
is not what's shown in the "from" line.  We use InoculateIT from
Computer Associates and keep it up-to-date religiously.  Despite CA's
claims that it will find Klez, InoculateIT didn't catch these.  Several
other Klez "cures" from big-name companies didn't find any evidence of
Klez on our systems.  I know about these emails only because I have good
users who bring me anything that looks strange.

I'm impressed that Norton caught it for you.  I read in PC Mag that Klez
is so tough that the anti-virus companies have thrown up their hands
over it, and in some cases have labelled it "benign" only because it
doesn't seem to destroy files.

I think we avoided infection partly because of good users, and partly
because we've got Windows, Exchange, and Outlook screwed down so tight
that our systems are not allowing any executable contained in an email
to run or even be seen.  Maybe you were saved the same way.

Bob Savage


-----Original Message-----
From: Mercy [mailto:Mercymail at mindspring.com]
Sent: Thursday, July 11, 2002 1:17 PM
To: DS mailing list
Subject: [Dshield] Question about Klez


I received an email today which did not contain an attachment.  My mail
program opens up the mail on the bottom of the list first, and when it
did that, my Norton popped up saying that the email contained a file
named unknown093e.data, and that it was Klez.

I just did a full system scan last night on my computer.  Nothing was
found.

How could I have gotten Klez from her without an attachment?

Also, it was a legitimate email, not one that would have been
automatically sent by the virus.

Please educate me.

Thank you.

Mercy
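The two checks the thread describes, Will Boege's extension block list and Bob Savage's observation that the real sender in the headers differs from the "from" line, as an added example written for this page (not code from any list member): it scans one raw message, flags attachments by extension, compares the visible From: with the envelope sender, and also sniffs for executable content, since a file named unknown093e.data passes an extension filter. The sample message is constructed; the addresses and the MZ-prefixed payload are placeholders.

```python
import email
import email.utils
from email import policy

# The attachment extensions Will Boege's reply says to block (from the thread).
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".vbs", ".vbe", ".wsh",
                      ".com", ".bat", ".shb", ".reg", ".lnk"}

def has_blocked_extension(filename: str) -> bool:
    """True if any dotted suffix is blocked, so 'notes.txt.pif' is caught too."""
    suffixes = {"." + s for s in filename.lower().split(".")[1:]}
    return bool(suffixes & BLOCKED_EXTENSIONS)

def scan_message(raw: bytes) -> list:
    """Return (reason, detail) findings for one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Klez forges the visible From: line; compare it with the envelope sender.
    visible = email.utils.parseaddr(str(msg.get("From", "")))[1]
    envelope = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    if envelope and visible != envelope:
        findings.append(("from-mismatch", f"{visible} != {envelope}"))
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if has_blocked_extension(name):
            findings.append(("blocked-extension", name))
        # A Windows executable starts with "MZ" whatever its name or declared
        # type, which catches what an extension filter alone lets through.
        body = part.get_payload(decode=True) or b""
        if body[:2] == b"MZ":
            findings.append(("executable-content", name or part.get_content_type()))
    return findings

# Constructed sample: forged From: line and the oddly named file from Mercy's
# report carrying executable bytes (base64 of "MZ\x90\x00"); no visible body.
SAMPLE = b"""Return-Path: <real.sender@example.net>
From: "A Friend" <friend@example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="unknown093e.data"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="unknown093e.data"

TVqQAA==
--b1--
"""
```

Run `scan_message(SAMPLE)`: the extension check stays silent because `.data` is not on the list, while the From: mismatch and the MZ content are both reported.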
