[Dshield] RE:Question about Klez
bsavage at rnr-inc.com
Mon Jul 15 13:21:42 GMT 2002
Thanks, James. This is one of the more informative and helpful posts
I've seen on this board.
From: James C. Slora, Jr. [mailto:Jim.Slora at phra.com]
Sent: Friday, July 12, 2002 5:52 PM
To: list at dshield.org
Cc: Mercymail at mindspring.com
Subject: [Dshield] RE:Question about Klez
"Mercy" wrote on Thu, 11 Jul 2002 14:16:53 -0400:
>I received an email today wich did not contain an attachment. My mail
>program opens up the mail on the bottom of the list first, and when it
>did that, my norton poped up saying that the email contained a file
>named unknown093e.data, and that it was Klez.
Your system probably needs to have MS02-027 applied. Outlook or Outlook
Express should have stopped execution of Klez before Norton had a chance to
scan it when you looked at the message. In my experience you should get at
least two prompts before Norton gets to detect the virus.
>I just did a full system scan last night on my computer. Nothing was
Norton AntiVirus will find most (but not all) variations of Klez as they
arrive in your email if you are using Outlook. If you use Outlook
Norton does not scan for viruses until you open the message and save the
infected attachment or open it. Klez sometimes uses a trick called an
"iframe exploit" to cause the attachment to open itself without your
intervention as soon as you preview the message. In this case, Norton will
not catch the virus until it attempts to perform certain tasks such as
a file on your computer - thus sometimes Norton will alert you to two
infected files when only one arrived in your message.
Infected messages sitting in your Inbox will not generally be detected by
anti-virus programs. They generally either catch the infections during
delivery or when you open the message. Some variants of Klez easily
the scanning that occurs during delivery, because they are not really
>How could I have gotten Klez from her without an attachment?
Klez and some other worms can sometimes arrive as embedded content that is
not technically an attachment. They use tricks in the way that they are
stored inside the mail message to avoid detection by anti-virus and mail
Embedded content is really a superset of all attachments and inline
It can be regular MIME or UUencoded content. Embedded just means that
content is actually transmitted with the original message. Attachments and
inline attachments are varieties of embedded content.
Some examples of embedded content:
Attachment - message listing shows an attachment and message preview
Inline Attachment - message listing shows an attachment, but message
shows none because the content is displayed within the HTML of the mail
Embedded content (generic), as used by Klez - Outlook will show no
indication of the existence of the content, but Outlook Express will show an
attachment icon for it:
"Content-ID: <(a unique alphanumeric identifier)>"
Example of One Type of Klez Message - Embedded Content (Not Attachment)
;;; The beginning of the message, just after the mail headers
;;; The text portion of the worm's message (blank in this case)
;;; Then an IFRAME to help the worm bypass auto-execute prevention in
;;; moderately patched Outlook, Outlook Express, and Eudora.
<iframe src=3Dcid:L3dzGTvPf47B9zv height=3D0 width=3D0>
;;; This next part identifies the content that will be placed in the
;;; It is this content declaration that makes the worm generic "embedded
;;; content" instead of an attachment.
name=Nl.scr ;;;(This is where your "unknown093e.data" might be
;;; then the worm begins, MIMEbase64-encoded)
Example of a Hybris-Infected Message - Standard Attachment:
Compare against Hybris, which uses a plain vanilla attachment to infect
From: Hahaha <hahaha at sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
;;; Declaration that there is mixed content, including inline or regular
Content-Type: multipart/mixed; boundary="--VE56NG9E3CL2R"
Content-Type: text/plain; charset="us-ascii"
;;; The text portion of the worm's message (omitted here)
;;; Then the attachment declaration
Content-Type: application/octet-stream; name="midgets.scr"
Content-Disposition: attachment; filename="midgets.scr"
;;; then the worm begins, MIMEbase64-encoded)
>Also, it was a legitimate email, not one that would have been
>automatically sent by the virus.
Klez uses random content for its message, and can attach non-viral files
from the sender's system in addition to the virus.
Klez can send some very legitimate-looking email messages on its own.
copies of Klez that were infected with other viruses have arrived on my
network. When one virus infects another, some strange things can happen.
There are a lot of other possibilities - definitely get your contact to
check their PC out thoroughly.
Remember that Klez often fakes the sender's address. The "Return-to"
in the message header often indicates the true source.
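The distinction James draws above (a plain attachment with a Content-Disposition header versus Klez-style content that is declared only by a Content-Type name= parameter plus a Content-ID, and then pulled in by an HTML <iframe src=cid:...>) can be checked mechanically. The script below is an added example, not part of James's post or of any product mentioned in it: it walks every MIME part of a message with Python's standard email package, records how each part is declared, and lists executable parts that an iframe in the HTML body would load on preview. The two sample messages are constructed here in the shape of the Klez and Hybris examples quoted in the post; the base64 payloads are placeholders, not program data.

```python
"""Inventory the parts of a MIME message and tell regular attachments apart
from embedded content (Content-ID part, no Content-Disposition) that an
HTML <iframe src=cid:...> references. Added example; samples are constructed."""
import email
import re
from email import policy
from pathlib import PurePosixPath

# File types Windows runs as programs when the part is opened.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs", ".js"}

# Matches <iframe ... src=cid:IDENT ...> with or without quotes around the URL.
IFRAME_CID_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^\s"\'>]+)', re.I)


def classify_parts(raw: bytes) -> list[dict]:
    """One record per leaf MIME part: how it is declared, and whether its
    file name is executable regardless of the Content-Type it claims."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no content of their own
        filename = part.get_filename()  # filename= or, failing that, name=
        disposition = part.get_content_disposition()  # 'attachment', 'inline' or None
        cid = part.get("Content-ID")
        cid = cid.strip("<> ") if cid else None
        if disposition in ("attachment", "inline"):
            kind = disposition
        elif cid or filename:
            kind = "embedded"  # content shipped without an attachment declaration
        else:
            kind = "body"
        ext = PurePosixPath(filename).suffix.lower() if filename else ""
        records.append({
            "content_type": part.get_content_type(),
            "filename": filename,
            "disposition": disposition,
            "content_id": cid,
            "kind": kind,
            "executable": ext in EXECUTABLE_EXTS,
        })
    return records


def iframe_cid_refs(raw: bytes) -> set[str]:
    """Content-IDs that any HTML body part loads through <iframe src=cid:...>."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    refs = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            refs.update(IFRAME_CID_RE.findall(part.get_content()))
    return refs


def auto_open_executables(raw: bytes) -> list[str]:
    """File names of executable parts that an iframe would open on preview."""
    refs = iframe_cid_refs(raw)
    return [r["filename"] for r in classify_parts(raw)
            if r["executable"] and r["content_id"] in refs]


# Constructed sample in the shape of the Klez message quoted in the post: an HTML
# body with a zero-size iframe pointing at a Content-ID part that is declared
# only by a name= parameter (no Content-Disposition). Payload is a placeholder.
KLEZ_STYLE = b"""From: someone <someone@example.invalid>
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="ZZZ"

--ZZZ
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body><iframe src=3Dcid:L3dzGTvPf47B9zv height=3D0 width=3D0></iframe>=
</body></html>
--ZZZ
Content-Type: audio/x-wav; name=Nl.scr
Content-Transfer-Encoding: base64
Content-ID: <L3dzGTvPf47B9zv>

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--ZZZ--
"""

# Constructed sample in the shape of the Hybris message quoted in the post:
# the executable is a plain attachment with a Content-Disposition header.
HYBRIS_STYLE = b"""From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE56NG9E3CL2R"

----VE56NG9E3CL2R
Content-Type: text/plain; charset="us-ascii"

(text portion omitted)
----VE56NG9E3CL2R
Content-Type: application/octet-stream; name="midgets.scr"
Content-Disposition: attachment; filename="midgets.scr"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
----VE56NG9E3CL2R--
"""

if __name__ == "__main__":
    for label, sample in (("Klez-style", KLEZ_STYLE), ("Hybris-style", HYBRIS_STYLE)):
        print(label)
        for rec in classify_parts(sample):
            print("  ", rec["kind"], rec["content_type"], rec["filename"])
        print("   iframe-loaded executables:", auto_open_executables(sample))
```

Run against the Klez-style sample, the Nl.scr part comes back as kind "embedded" with no disposition, and its Content-ID matches the iframe reference, so it is listed as an executable that would open on preview; the Hybris-style midgets.scr comes back as an ordinary "attachment" that a listing-based scanner would see. A gateway filter that keys only on Content-Disposition: attachment misses the first case, which is why the inventory looks at name= and Content-ID as well.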
Dshield mailing list
Dshield at dshield.org