  Off topic but important. KLEZ is loose.

JBCornwell posted 01-05-2003 09:15 PM ET (US)
I have gotten about 100 Emails in the past week that:

1. Have an unfamiliar boating or fishing related return address (some using screen names of members here, but not their correct Email addresses).

2. Contain no text. Only a ZIP file.

3. The Zip file contains a version of KLEZ virus.

Please delete without opening.

Red sky at night. . .
JB

triblet posted 01-05-2003 09:25 PM ET (US)
Klez has a life of its own. It's like the
Energizer Bunny -- it keeps going and going
and going and ... One would think that a
virus which is several months old, and for
which the fix was available from MS BEFORE
the virus appeared in the wild, would die out
quickly. Klez hasn't.

One other attribute of Klez: the e-mail files
are between 110K and 150K.

Rule one of safe netting still applies: NEVER
EVER open an e-mail attachment unless you
know what it is, who sent it, and, most
importantly, WHY they sent it. Just because
something APPEARS to come from your best
friend doesn't mean it really did. When in
doubt, don't open it until you ask them about
it.

Note: the party who APPEARS to have sent the
Klez rarely if ever IS the one who sent it.
The real sender can be tracked down by IP
address in the headers.


Chuck

waterguy posted 01-05-2003 10:41 PM ET (US)
Maybe an argument for the people that do not want to post their e-mail address...
triblet posted 01-05-2003 11:31 PM ET (US)
Klez finds e-mail addresses by searching the
Windows (Outlook) address book. The fact that
an e-mail address appears here makes it no more
susceptible to RECEIVING Klez UNLESS someone
uses that address to add it to their address
book, and then infected. Then you get sent
a copy of Klez. With reasonable safe
internetting, even then you won't get
infected. I've received about 540 copies of Klez.
Haven't gotten infected yet.


The best way to prevent getting Klez is to
use the Windows Update icon, and keep
downloading and installing critical fixes
until there aren't any more. With the fixes
installed you won't get Klez unless you
deliberately open the attachment.

Chuck

whalersman posted 01-05-2003 11:39 PM ET (US)
You can also buy a Macintosh...

I open up the Klez Virus whenever I can and it has never affected my Macintosh.

I love Macs as you can see from my Profile....

Dr T posted 01-05-2003 11:55 PM ET (US)
JB,

I sent you a real Email to the address I've used in the past that touches obliquely on this topic. There should be no attachment.

tds

philmoses posted 01-06-2003 08:09 PM ET (US)
In response to triblet.... HUH??

I'm sorry to inform you but you could not be more WRONG in the following statement...

<begin statement>
Klez finds e-mail addresses by searching the
Windows (Outlook) address book. The fact that
an e-mail address appears here makes it no more
susceptible to RECEIVING Klez UNLESS someone
uses that address to add it to their address
book, and then infected.
<End statement>

One of the very interesting things about KLEZ was that it had/has the ability to retrieve email addresses from a machine's web cache, meaning you need not have any addresses in your Windows address book. If you visited a page, there was an email address on the page and it's stored in your cache, well then you can receive KLEZ.
Yes, anyone with a profile here, with an email on the profile, which is stored in someone's cache (the someone of course being an infected Windows machine) is a candidate to be a recipient of a KLEZ email.

Bottom line is you need not be in anyone's address book to receive KLEZ; all you need is your email address somewhere on the web and that page stored in an infected machine's web cache.

I hate to sound harsh on you for this one, but misinformation is one of the reasons why viruses spread like they do. If I was misinforming the general public in the same manner, I would expect to be corrected.

Not to make matters worse but...... forging/spoofing IP addresses is also a relatively easy task, making email *close* to not being trackable.

No hard feelings, I'm just a stickler about viruses and security.

Feel free to correct me when I am wrong.

Phil

kgregg posted 01-06-2003 09:29 PM ET (US)
Phil-

I had not heard that about the Klez virus so I won't debate you on it.

However, Outlook and Outlook Express users are HUGE targets for the people that write viruses (maybe not the Klez virus though) because of the non-existent security in these two programs. The Outlook address book is effectively wide open to anyone wanting to write a virus. The virus most often sends itself to email addresses in an Outlook address book. Please keep your anti-virus software up to date and consider using an email application other than Outlook. (I use Eudora) My $0.02, Kevin

jimh posted 01-06-2003 09:30 PM ET (US)
There is a new PC virus every day.

No classic Boston Whaler has ever been harmed by them.

philmoses posted 01-06-2003 10:04 PM ET (US)
Kgregg,
I agree with you completely about the address book in Windows. I just wanted to make sure it is known that the address book is not the only spreading point, that an email address here can make you more susceptible than if you're in someone's Windows Address book.

Anyway, happy boating.

Phil

Tom W Clark posted 01-06-2003 10:06 PM ET (US)
KLEZ? Virus? What are those?
triblet posted 01-06-2003 11:56 PM ET (US)
Phil, from the Symantec (i.e., Norton
Anti-Virus) Virus Encyclopedia:

"the worm searches the Windows address book,
which is used by Microsoft Outlook, for email
addresses. The worm sends an email message to
these addresses with itself as an attachment."

See http://www.symantec.com/avcenter/vinfodb.html
and do a search on Klez.

It gets 24 hits, mostly on variants of Klez.
Not one contains the word "cache". So I
think you are wrong about Klez using the
web cache. Care to post a URL to a reputable
anti virus company that says it does?

Further, even if it does, our email
addresses aren't on the webpages. There's
a link to a page that has the e-mail
address. So unless the infected party has
recently used that link to send you an
e-mail, a cache-searching virus wouldn't
find you.

Finally, the way Klez uses the address book
is part of the reason it's had such a long
life. Let's say Bob gets infected, and
has Carol, Ted, and Alice in his address
book. Klez will randomly select one of
those three (C, T, and A) and use that to
send itself to the others. Let's assume Klez
picks Ted. Carol and Alice will get e-mails
that appear to come from Ted. Since there's
a reasonable chance Carol and Alice know Ted,
the mail seems legit. Further, there's
little trace that Bob is infected so it's
hard to ring Bob up and tell him he's
got a sick computer. (In fact,
the infected machine's IP address is in the
last Received: header, but you gotta be a
geek or nerd to be able to use that).


Chuck

jimh posted 01-07-2003 12:55 AM ET (US)
I try to avoid having any direct "mailto:" links to users just to keep the viral spread to a minimum.
Taylor posted 01-07-2003 06:40 PM ET (US)
Klez is back? Did it ever really go away?

I wonder if GPS/FF combo units are susceptible. Can viruses be downloaded from GPS satellites? Perhaps the fish can figure out how to send a pattern that locks the fishfinder. Is there a piscine electronic warfare department? Are Mercury motors more likely to be infected by viruses than Johnson's? What happens to a Brunswick six-axis milling machine if it is attacked by a virus? And what is the result!?

I think these and other related topics need to be explored much more fully.

philmoses posted 01-07-2003 08:35 PM ET (US)
Triblet,

You want a URL, you get a URL...
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

MOST importantly read the following...
<snip>
This worm searches the Windows address book, the ICQ database, and local files for email addresses.
<end snip>

THEN IT SPECIFIES THE FILES (the "local" files mentioned on the webpage)...
The worm will search files that have the following extensions for email addresses:
mp8
.exe
.scr
.pif
.bat
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf


It's as plain as day in black and white there (google for KLEZ and webcache, you'll find a lot of additional references.)

As far as the infected machine being the last IP address, that's a joke. As I said, spoofing an IP address and forging an email to seem as though it came from the last IP in a header is a relatively easy task.

Your email address is on a webpage here on continuouswave, which means it can be in someone's cache...

http://continuouswave.com/cgi-bin/ubbmisc.cgiaction=getbio&UserName=triblet


There is plenty of free reading pertaining to these and many other security topics at the SANS reading room (rr.sans.org); also CMU's CERT has a ton of info.

Usually I keep my mouth shut on issues, but this was another case; hopefully I did not offend anyone.

Anyway, I've gone beyond my time for *free advice*; further information on this topic needs to be charged for.

Phil

triblet posted 01-08-2003 10:11 AM ET (US)
OK, it does search the cache. It's far more
likely to find stuff in the address book,
esp. when some people run with an option that
puts From: of every e-mail they receive in
their address book.

In the case of Klez, the infected machine IS
the one in the last Received: header. Yes,
they could spoof these up, but they don't.
I've successfully tracked down a couple of
Klez infected machines this way.

The web page you listed 404s, but my email
address is on:

http://continuouswave.com/cgi-bin/Ultimate.cgi?action=email&ToWhom=triblet

which I knew. As I pointed out earlier, the
only reason that page would
appear in someone's cache is if they had used
it to send me an e-mail, which is unlikely.
It would not appear in the cache of someone
who was just browsing around. And JimH could
eliminate even that small chance by marking
the pages with e-mail addresses as "do not
cache".

My advice remains free. It's probably
worth exactly what you pay for it. ;-)


Chuck

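The disagreement above between triblet (the infected machine's IP is in the last Received: header) and philmoses (headers can be forged) can be checked in code. This is an added example, not something posted in the thread: it parses a constructed Klez-style message, reports the bottom Received: hop the way triblet reads it, and also reports the more defensible value, the connecting IP recorded by the last relay you actually control (the `trusted_relays` set and all hostnames and IPs are made up for the example).

```python
import email
import re
from email import policy

# Constructed sample (not a real capture): a Klez-style mail whose From: is a
# harvested address. Each relay prepends its own Received: line, so the top
# line is the newest hop and the bottom line is the one the sending PC injected.
SAMPLE_MAIL = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id ABC123; Sun, 5 Jan 2003 21:10:02 -0500
Received: from smtp.example.net ([203.0.113.20])
\tby mx2.example.net with ESMTP; Sun, 5 Jan 2003 21:09:58 -0500
Received: from Tedspc ([192.0.2.45])
\tby smtp.example.net with SMTP; Sun, 5 Jan 2003 21:09:55 -0500
From: ted@example.com
To: carol@example.org
Subject: a funny game
Content-Type: text/plain

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")


def received_headers(raw):
    """Received: lines, newest first, as a mail client would list them."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(h) for h in msg.get_all("Received", [])]


def bottom_hop_ip(raw):
    """IP in the oldest Received: line (the "last header" in the thread).
    Right for an unmodified Klez sender, but that line was written by whoever
    injected the mail, so on its own it proves nothing."""
    hops = received_headers(raw)
    m = IP_RE.search(hops[-1]) if hops else None
    return m.group(1) if m else None


def last_trusted_hop_ip(raw, trusted_relays):
    """Walk newest-first while the 'by' host is one of our own relays and keep
    the connecting IP that relay recorded. Everything below the first foreign
    relay was written by machines we do not control and may be forged."""
    ip = None
    for hdr in received_headers(raw):
        by = BY_RE.search(hdr)
        if not by or by.group(1) not in trusted_relays:
            break
        m = IP_RE.search(hdr)
        ip = m.group(1) if m else ip
    return ip
```

With only mail.example.org trusted, the defensible answer is 198.51.100.7 (the relay that handed the mail to us), not the 192.0.2.45 that the bottom line claims.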