Klez HELP ! (don't open if in any format) was Re: HEADERS?

From: Lawrence Walker <lgwalker_at_mts.net>
Date: Fri Aug 2 19:52:00 2002

 It seems that I did not escape Klez. I have had a continuous memory drain
since stupidly opening the first msg. in HTML, and the memory resource drain
eventually freezes my computer. I come up clean with both the Symantec and
Kaspersky removal tools, however. One of the spoofed messages with R.E.'s
return path was from Allison, warning about Klez and recommending the
Kaspersky Klez removal tool. I'd never heard about Kaspersky before. Makes
me seriously wonder about these AV companies. Create a problem and then
sell a solution.

 I saved, without opening, one of the msgs. and submitted it to Kaspersky's
on-line identification, and they IDed it as Klez H. Ran their removal tool again,
which won't run from DOS, only from a 98 DOS prompt, and again it came up
clean. I'm wondering now whether it might have removed some essential 98
file. Any ideas on solving this problem?

 A good lesson learned. Henceforth any list messages in non-ASCII format
either get deleted or sent back to sender. No exceptions. If you can't solve
your msg. sending problems because of your system at work or whatever:
 DON'T SEND it!!

Lawrence

> I've just had a flock(5) of them and they all had the same return line as
> yours.
> I use Pegasus which does not automatically open HTML. I stupidly opened
> the first one but checking with both the Symantec and Kaspersky Klez tools
> say I'm clean. They all vary in size but average around 150k. 2 were
> supposedly from list members but the other 3 were unknown to me.
> I guess it is harvesting Richard's mail.
>
> Lawrence
>
> > > At 07:29 PM 7/30/2002 -0700, Fred Cisin (XenoSoft) wrote:
> > > >Can somebody more familiar with such confirm whether that is indeed
> > > >Richard Erlacher's machine that sent the following copy of Klez? (Headers
> > > >only follow)
> >
> > On Tue, 30 Jul 2002, John Foust wrote:
> > > One trick of Klez is that it harvests e-mail addresses
> > > from your mailboxes and uses them to spoof the From: line,
> > > in order to make it seem (on casual inspection) that
> > > person has the virus. They don't. Someone who received
> > > mail from Erlacher (perhaps a list subscriber) has Klez.
> >
> > NO. PLEASE look again. Dick's address is in the RETURN PATH line, NOT
> > the FROM line! It appears that Dick's computer is the one with
> > Klez, and it put a false FROM: of JPLCSCH_at_aol.com
> >
> > MOST varieties of Klez put a bogus FROM:, but leave the
> > Return-Path: intact.
> >
> >
> >
> > Return-Path: <edick_at_idcomm.com>
> > Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
> > by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
> > for <cisin_at_xenosoft.com>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
> > Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
> > by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
> > for <cisin_at_xenosoft.com>; Tue, 30 Jul 2002 20:17:29 -0600
> > Date: Tue, 30 Jul 2002 20:17:29 -0600
> > Message-Id: <200207310217.g6V2HSJ01036_at_mailhost.idcomm.com>
> > From: JPLCSCH <JPLCSCH_at_aol.com>
> > To: cisin_at_xenosoft.com
> > Subject: Dialog under
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative;
> > boundary=Q37LE02W0269aCiF037Kl967jS3g6
> >
> >
>
>
> lgwalker_at_mts.net
> bigwalk_ca_at_yahoo.com


lgwalker_at_mts.net
bigwalk_ca_at_yahoo.com
Received on Fri Aug 02 2002 - 19:52:00 BST
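The header walk Fred does by hand in the quoted reply (compare From: against Return-Path:, then read the bottom-most Received: line for the host that actually handed the message to the first mail server) is written out below as an added example; it is not code from the original thread or from any list member. The sample header block is constructed from the lines quoted above, with the archive's "_at_" obfuscation reversed to "@". The regex only understands the sendmail-style "from HELO (rdns [ip]) by HOST" prefix seen in those lines, and the domain-suffix heuristic and the finding strings are my own assumptions about what counts as a discrepancy.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the header block quoted in the thread, with the archive's
# "_at_" obfuscation reversed to "@" so the address parser can read it.
SAMPLE_HEADERS = """\
Return-Path: <edick@idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
        by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
        for <cisin@xenosoft.com>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
        by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
        for <cisin@xenosoft.com>; Tue, 30 Jul 2002 20:17:29 -0600
Date: Tue, 30 Jul 2002 20:17:29 -0600
Message-Id: <200207310217.g6V2HSJ01036@mailhost.idcomm.com>
From: JPLCSCH <JPLCSCH@aol.com>
To: cisin@xenosoft.com
Subject: Dialog under
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=Q37LE02W0269aCiF037Kl967jS3g6
"""

# Matches the sendmail-style "from HELO (rdns [ip]) by HOST" prefix of a
# Received: line (assumption: other MTA formats need their own pattern).
RECEIVED_RE = re.compile(
    r'from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)'
)


def bare_address(header_value):
    """Strip display name and angle brackets, lower-case the address."""
    return parseaddr(header_value or '')[1].lower()


def domain_of(addr):
    return addr.rsplit('@', 1)[1] if '@' in addr else ''


def in_domain(hostname, dom):
    """True if hostname is dom itself or a subdomain of it."""
    hostname = hostname.lower()
    return bool(dom) and (hostname == dom or hostname.endswith('.' + dom))


def received_hops(msg):
    """Parse each Received: line in header order (outermost, i.e. latest, first)."""
    hops = []
    for raw in msg.get_all('Received', []):
        flat = re.sub(r'\s+', ' ', raw)  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def chain_is_consistent(hops):
    """Each hop's 'from' host should be the 'by' host of the hop below it."""
    for outer, inner in zip(hops, hops[1:]):
        if inner['by'].lower() not in (outer['helo'].lower(), outer['rdns'].lower()):
            return False
    return True


def analyze(raw_message):
    """Reproduce the thread's heuristic: who does the envelope and the first
    Received: line say sent this, versus who the From: header claims?"""
    msg = email.message_from_string(raw_message)
    from_addr = bare_address(msg.get('From'))
    return_path = bare_address(msg.get('Return-Path'))
    hops = received_hops(msg)
    origin = hops[-1] if hops else None  # bottom-most: first MTA's view of the sender
    findings = []
    if from_addr and return_path and from_addr != return_path:
        findings.append('From: %s does not match Return-Path: %s' % (from_addr, return_path))
    if origin:
        if in_domain(origin['rdns'], domain_of(return_path)):
            findings.append('originating host %s [%s] is inside the Return-Path domain'
                            % (origin['rdns'], origin['ip']))
        if not in_domain(origin['rdns'], domain_of(from_addr)):
            findings.append('originating host %s is outside the From: domain %s'
                            % (origin['rdns'], domain_of(from_addr)))
    return {
        'from': from_addr,
        'return_path': return_path,
        'origin': origin,
        'chain_consistent': chain_is_consistent(hops),
        'findings': findings,
    }


if __name__ == '__main__':
    report = analyze(SAMPLE_HEADERS)
    print('From:        ', report['from'])
    print('Return-Path: ', report['return_path'])
    print('Origin:      ', report['origin'])
    print('Chain ok:    ', report['chain_consistent'])
    for f in report['findings']:
        print(' -', f)
```

Two caveats a practitioner would add to Fred's reading. Return-Path: is just the SMTP envelope sender (MAIL FROM) as recorded by the receiving MTA, so a sender that chooses to forge it can; the thread's conclusion rests on the observation that this particular worm did not. And the only Received: line a recipient can fully trust is the one written by their own mail server (here lmi.net); everything below it, including the dsl-res156.idcomm.com line, was written by hosts the sender's side controls. The chain-consistency check above catches clumsy fabricated Received: lines but not careful ones.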

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:34:36 BST