Viruswarn Forums

Lee Drake (Posts: 238) | 06/24/2002 11:29 AM

This is an update note to give consumers more information about KLEZ. In many ways, KLEZ is a brand new type of virus, in that it combines a lot of different modes to try to get you to open the document to be infected, and it has a variety of new ways to "hide" itself so that it's harder to track down who actually HAS the virus. I'll go over some of these, because we've received a large number of calls and emails from people regarding this virus:
Virus content messages:
- This virus, unlike many past viruses, has MULTIPLE MESSAGE TYPES. The virus attempts to disguise itself as a game, a cure for itself, an update from Microsoft, a "bounce" message from the postmaster, and other more traditional messages. YOU CANNOT RELIABLY identify this virus by its message.
- This virus, unlike many past viruses, has MULTIPLE EXTENSION TYPES. The virus disguises itself as .bat, .exe, .pif or .scr files. As a result YOU CANNOT RELIABLY identify this virus by its extension type (though you should never open an emailed file with any of those extensions).
- This virus, like many past viruses, has MULTIPLE SUBJECT HEADERS. The virus uses different subject headers from a randomized list, so YOU CANNOT RELIABLY identify this virus by its subject header.
- This virus, unlike many other viruses, will AUTO EXECUTE if you haven't applied the proper security patches to Outlook or Outlook Express. Thus you DO NOT HAVE TO OPEN THE ATTACHMENT to get infected if the virus gets through your anti-virus shields, your security level is set to low and you do not have the proper updates. It's essential that you patch your Internet Explorer and OS up to date if using either Outlook or Outlook Express on your box.
- The only way to RELIABLY identify and squash this virus is by having an active antivirus, with up-to-date definitions, that scans all incoming and outgoing mail. That is the ONLY way, and the best way.
Email return-address spoofing:
- This virus contains its own SMTP client. Thus you will NOT see sent mail messages accumulating in your "sent mail" box if you're infected. At best you'll notice things slow down on the internet.
- This virus grabs its email addresses from Outlook's contact list, Outlook Express's Personal Address Book, AOL's address book, and web pages in your web cache (in other words, it scans the pages for mailto tags). So an email address that Klez sends to (or from, see below) doesn't have to be in your address book.
- This virus, using its SMTP client, will spoof the "From" mail address. What this means is that the From address isn't a reliable way of tracking who the email comes from. Klez, on a Klez-infected computer, will search the contact list, PAB and Internet Explorer cache for TWO email addresses: one to send the message TO and one to send the message FROM. Thus, even if you don't HAVE Klez, someone you know may get an email that appears to be FROM you (but really isn't) with the virus attached. This has the net effect of confusing the process of tracking down who has the virus. If you get a message from someone saying "Your computer is infected - it sent me a virus", that may not be the case. If you get a clean scan and you're not observing any problems with your virus update procedure, you are probably the victim of a "From address spoof". You can point the accuser at this web page, which explains what this is in more detail: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html
- You can sometimes track down the actual culprit by looking at the full headers of the original message. AOL, for instance, puts in an x-apparently-from: header that indicates the actual email address of the sender. Other SMTP servers may or may not provide such information. If you're getting a lot of KLEZ you might want to try to track down which of your friends has it and notify them. The headers are visible from the View/Options menu item in Outlook. Usually the first SMTP server indicated is the one the virus originated from. Look carefully at the information on the sender there.
Faking administrative messages:
- Another way this virus spreads is by pretending to be a bounce message. Normally, if you send out an email to someone and their server is down, you'll get a message saying that the message bounced. The actual message you sent is attached to the bounce message as an attachment, and the natural tendency is to open it to see what it was you can't remember sending. Unfortunately, what's attached to these fake "bounce" messages is the virus, and when you open it you get infected.
- Spurious bounce messages don't mean you have the virus (someone else is sending them to you).
- Spurious bounce messages don't mean your machine is sending out the virus (the bounce is sent to you from an infected machine; it's not an ACTUAL bounce).
- Be careful when looking at a bounce message, particularly if you don't remember sending the message. Double-check the file extension.
Faking a "cure":
- This message sends itself out, with a very official-looking body, to tell you that it thinks your machine is infected, and here's a program to clean it. Unfortunately, the program to "clean it" is the virus itself, and you're probably NOT already infected.
- Only run cure or virus-cleaning programs that you've downloaded directly from Symantec, McAfee, Trend Micro or some other reliable source. Don't ever run ANY program that someone just sends you in email.
Pretending to be a "game":
- This virus also pretends to be a game that another person is sending you. A game is an executable. Executables carry bad things. Don't open them.

All in all, this virus has become quite pervasive because it uses a variety of methods to try to infect your machine (what the virus pundits call a "blended threat"). The VERY BEST thing you can do to protect yourself is to have adequate virus scanning and adequate email virus protection on EVERY SINGLE MACHINE that you use. The next thing you can do is to EDUCATE YOURSELF. If you're a system admin, or even a single user, look at the list above and learn to recognize the pattern when the virus comes in; don't just jump to the conclusion that the person in the From address sent it, nor that you're infected when you're not. The final thing you can do is to spend a little time at the Windows Update site and be SURE your system is up to date and patched up.
This concludes this viruswarning notice.
Lee Drake, Moderator |
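The notice above makes three points a mail administrator can check mechanically: attachments with the .bat/.exe/.pif/.scr extensions the virus uses, the originating SMTP hop in the Received: chain, and whether the From: address is consistent with that hop or with an x-apparently-from: header. The script below, added here as an illustration and not part of the original post, triages a constructed sample message on those three points using only Python's standard library. The sample message, host names and addresses are constructed for the example; the only thing to know about real headers is that each relay prepends its Received: line, so the earliest hop (the one the notice calls the first SMTP server) is the last Received: header in the list.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Extensions the notice says Klez uses for its payload; flag any of them.
RISKY_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}

# Matches the host named after "from" at the start of a Received: header.
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

# Constructed sample (not a real capture): a Klez-style fake "bounce" with a
# spoofed From: line and an executable attachment. Hosts use reserved
# example/test names and documentation IP ranges.
SAMPLE_RAW = """\
Received: from mx.example-receiver.test (mx.example-receiver.test [192.0.2.10])
    by mail.example-receiver.test with ESMTP id ABC123; Mon, 24 Jun 2002 11:00:00 -0400
Received: from pc-infected.example-sender.test (pc-infected.example-sender.test [198.51.100.7])
    by mx.example-receiver.test with SMTP id XYZ789; Mon, 24 Jun 2002 10:59:58 -0400
X-Apparently-From: real.sender@example-sender.test
From: postmaster@example-victim.test
To: you@example-receiver.test
Subject: Returned mail - "Undeliverable"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Your message could not be delivered. See attachment.
--BOUND
Content-Type: application/octet-stream; name="undeliverable.pif"
Content-Disposition: attachment; filename="undeliverable.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""


def risky_attachments(msg):
    """Return attachment filenames whose extension is one the notice warns about."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            found.append(name)
    return found


def originating_host(msg):
    """Host named in the earliest Received: header (the last one in header order).

    Relays prepend Received: lines, so the bottom-most one is the first hop and
    the best available hint about which machine actually sent the message.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_FROM.match(str(received[-1]))
    return match.group(1) if match else None


def spoof_indicators(msg):
    """List reasons the From: address looks spoofed, as the notice describes.

    Two checks: the From: domain does not match the originating host, and an
    x-apparently-from: header (where the relay adds one) names a different mailbox.
    """
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    origin = (originating_host(msg) or "").lower()
    reasons = []
    if from_domain and origin and not origin.endswith(from_domain):
        reasons.append(f"From domain {from_domain!r} does not match originating host {origin!r}")
    apparent = msg.get("X-Apparently-From")
    if apparent:
        _, apparent_addr = parseaddr(str(apparent))
        if apparent_addr and apparent_addr.lower() != from_addr.lower():
            reasons.append(f"X-Apparently-From {apparent_addr!r} differs from From {from_addr!r}")
    return reasons


def triage(raw):
    """Parse a raw RFC 822 message and return the three checks as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "risky_attachments": risky_attachments(msg),
        "originating_host": originating_host(msg),
        "spoof_indicators": spoof_indicators(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

On the sample, the attachment check flags undeliverable.pif, the first hop resolves to pc-infected.example-sender.test, and both spoof checks fire, which is exactly the situation the notice describes: the person named in From: is not the one whose machine sent the mail. The checks are hints, not proof; a Received: line can itself be forged by the sending host, so only the lines added by relays you trust should be read as reliable.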