Virus Alert, *IE update*
Posted: Tue May 07, 2002 4:58 pm
by blade
Posted this on the news page also:
Everyone please be on the lookout for this virus. It's not always easy to spot and the senders are being even more clever to make sure you do get it. Here are a few I've received recently that are the <b>KLEZ</b> virus:
<b>IE 6.0 patch</b> as the subject. In the body:
<i>"This is a IE 6.0 patch
I hope you would like it."</i>
<b>Re:the Garden of Eden</b> as the subject. It executes as you try to read the email.
<b>Your password</b> as the subject. Executes as you read the email.
<b>Language</b> subject again, executes as you try and read the email.
<b>honey</b> same as previous
<b>Worm Klez.E immunity</b> as subject, the below as the body:
<i>"Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus.You only need to run this tool once,and then Klez will never come into your PC.NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.If you have any question,please mail to me."</i>
The above usually has no spaces after a sentence or punctuation.
There are probably many more so please don't open an email if it's from one you don't know. And especially <b>DO NOT</b> open any attachment since many open this way. As you can see above, some open as soon as you try to read the email.
A new trick is to <b>SPOOF</b> an email address.
<i>"Some variants of this worm use a technique known as "spoofing." If it does this, it chooses at random an address that it finds on an infected computer as the "From": address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else."</i>
More info <a href="http://securityresponse.symantec.com/av ... l">HERE</a>
<b>GET</b> the latest anti virus updates from your anti virus app. Do a full virus scan at least once a day. If you believe you did get the Klez virus then <a href="http://securityresponse.symantec.com/av ... m.html">Go Here</a> (scroll down) for removal instructions. It isn't easy and if you are no techie then you need to get one who is to help you.
Another option is to use this <a href="http://securityresponse.symantec.com/av ... l">Removal Tool</a>. Just scroll down.
If you have no anti virus app then <a href="http://www.grisoft.com">This</a> is a good free one.
Posted: Wed May 08, 2002 1:00 am
by Wizard
Here is a free online virus scanner. It has worked great for me in the past.
Personally I've gotten like 20 of these emails the past few days. Definitely a lot of people are getting infected.

Posted: Wed May 08, 2002 6:56 am
by Sean
I have a question. Since these viruses run automatically when you open the e-mail, how do you delete it without selecting it? Because, when I select an e-mail, it pops up in the different section instantly. Do I disable that view, or what do I do?
Thanks.
Posted: Wed May 08, 2002 7:34 am
by blade
That's a real good question Sean.
Only way I know is to disable scripting if you use Outlook Express for email. Depending on what OS you use, it's usually called vbs scripting in add-remove programs under add windows components. With W98 it's real easy, but in XP I have no clue where it's at. Outlook blocks many of these; a good anti virus app should block them all though.
If you don't have one then try the one I linked to (I use it) above and select email scanner options after it's installed. It checks all incoming emails and stops a virus from showing so even if you open an infected email the virus has been blocked and will not execute. Just gives you a virus or other warning. It can also scan and certify all outgoing email virus free.

Posted: Thu May 09, 2002 3:51 pm
by sbp
I've also disabled vbs scripting and Grisoft AVG works well.
I'm on dial up and have been getting this virus 3-4 times a day for the last few weeks. All of my emails are under 5kb so when an email 120kb-140kb is being downloaded I turn off the preview pane and delete the email.
View-->Layout
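As an added example, not part of any post in this thread: a Python sketch that checks a raw message against three traits the posters describe, namely the subject lines listed in the first post, body text with no space after punctuation, and the 120kb-140kb download size mentioned just above. The threshold, the 1024-byte kilobyte and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Subjects quoted in the first post of this thread (not a complete list).
KLEZ_SUBJECTS = {
    "ie 6.0 patch", "re:the garden of eden", "your password",
    "language", "honey", "worm klez.e immunity",
}
# 120kb-140kb, the download size one poster reports; 1 kb = 1024 bytes assumed.
SIZE_RANGE = (120 * 1024, 140 * 1024)
CRAMPED_THRESHOLD = 0.5  # assumed cut-off, not taken from the thread


def cramped_ratio(text):
    """Share of punctuation marks followed directly by a letter (no space)."""
    total = len(re.findall(r"[.,;:!?](?=.)", text, flags=re.S))
    cramped = len(re.findall(r"[.,;:!?](?=[A-Za-z])", text))
    return cramped / total if total >= 3 else 0.0


def klez_indicators(raw_message):
    """Return the thread's indicators that a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in KLEZ_SUBJECTS:
        hits.append("subject")
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            body += (part.get_payload(decode=True) or b"").decode("latin-1")
    if cramped_ratio(body) >= CRAMPED_THRESHOLD:
        hits.append("cramped-text")
    if SIZE_RANGE[0] <= len(raw_message.encode("utf-8")) <= SIZE_RANGE[1]:
        hits.append("size")
    return hits


# Constructed sample messages (addresses are placeholders).
SUSPECT = (
    "From: someone@example.com\nSubject: Worm Klez.E immunity\n\n"
    "Klez.E is the most common world-wide spreading worm.It's very dangerous "
    "by corrupting your files.Because of its very smart stealth and "
    "anti-anti-virus technic,most common AV software can't detect or clean it.\n"
)
BENIGN = (
    "From: friend@example.com\nSubject: Meeting\n\n"
    "Hi Sean, the meeting moved to 3 pm. See you there.\n"
)

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, klez_indicators(raw))
```

A match is a reason to leave the message unopened and let the scanner look at it, not a verdict: a legitimate mail titled "Language" would trip the subject check too.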
Posted: Sat May 11, 2002 2:58 pm
by d_b
As posted by Executioner,
Mailwasher is also good for previewing messages. I use it as a pre-virus strainer. Messages you don't want never get to your computer.
Posted: Tue May 14, 2002 11:47 pm
by NascarFool
I got it in two emails and NAV caught both of them. W32KLEZ.M@SH was the name of both. They came from two different email addresses.
Posted: Wed May 15, 2002 12:11 am
by PreDatoR
I've got about 5 suspicious emails the last couple days through hotmail. I have my hotmail setup so I get it in OE but I have the preview pane blocked so I don't think I've got anything... don't run no AV either and am proud to say I've only got CIH once and that damn nimda shit 3 times lol
Posted: Wed May 15, 2002 3:24 pm
by blade
I'm still getting 3-9 a day. Using mailwasher and it isn't as much a hassle as I thought it might be. It catches them too. Or maybe it's my av telling it that it's a virus. I like the option to "bounce" an email back.
Pred, get this free av. It is excellent and they update regularly. It's very easy and no hassle at all. It can certify all incoming or outgoing email virus free.
NEW Microsoft critical update addresses security loophole this beast exploits!
Posted: Thu May 16, 2002 9:28 am
by FlyingPenguin
Okay guys, I ALMOST got the bastard today, and I've NEVER caught a virus. Just by chance I had McAfee's mail filter running (I usually have all background scanning disabled) and it caught Klez trying to install itself (I didn't open an attachment - it tried to run itself).
Probably wouldn't have gotten it since my rig is setup to ALWAYS query to save or install an attachment, but still that was a spooky thing.
That surprised me, however, because I'm running IE 5.5 SP2 which is not supposed to have this exploit.
I just checked Microsoft's Windows Update and BEHOLD there's a NEW critical security update for this for ALL versions of IE (5.0 thru 6.0, SP1 or 2).
I suggest you all get the latest critical update, and tell your friends as well.
I've worked on two clients' systems with this virus so far, and it's a BITCH to get rid of. Thankfully it's not very malicious. It doesn't do any real damage (unless it infects a critical system file and you delete it instead of cleaning it) but it infects EVERYTHING and it's TEDIOUS to remove. Takes 2 - 3 hours (mostly waiting for slow DOS virus scans).
There's no easy way to do it from within Windows. You need a DOS virus scanner and a LOT of time. That's the reason I still use McAfee. Norton might be friendlier but McAfee still has a DOS component that you can burn to a CD from any system with the latest DAT files and then run it from the DOS prompt on ANY computer without a major hassle.
Posted: Thu May 16, 2002 3:41 pm
by blade
<i>"I didn't open an attachment - it tried to run itself"</i>
With this and recent viruses, in most versions you just have to open the actual email, then a script takes over and executes the virus. I don't even know why scripts are needed for email.
As for the new ms update, here's what I posted earlier on the news page:
<b>Six new vulnerabilities in IE</b> Affected Software:
-Microsoft Internet Explorer 5.01
-Microsoft Internet Explorer 5.5
-Microsoft Internet Explorer 6.0
<i>"The software giant called three of the flaws critical, but only one of them--a cross-site scripting error that affects only Internet Explorer 6.0--would allow an attacker or a worm to run a program on the victim's computer.
"Two of them are critical because of the possibility of information disclosure," said Christopher Budd, security program manager for the Microsoft security response team. "But they have steep requirements."
The first flaw occurs when the browser sends information within a link to another browser. Known as cross-site scripting, the technique can be abused by an attacker to get the other site to run a program specified by a malicious user. The flaw outlined by Microsoft on Wednesday would require that the attacker either host a Web page with the malicious link or send an HTML command via e-mail.
The two critical flaws that could compromise user information occur because of the way IE handles popular site templates, known as cascading style sheets, and the way it processes cookies. Both require the exact names of files on the target system to work, reducing the risk somewhat."</i>
More from <a href="http://news.com.com/2100-1001-914805.ht ... ews.com</a> including needed <a href="http://www.microsoft.com/technet/treevi ... ">Links</a>
Posted: Thu May 16, 2002 8:56 pm
by FlyingPenguin
Well the funny thing is I have ActiveX scripting disabled in Outlook and it STILL tried to run by itself. I know it's disabled because I subscribe to a Web developer's newsletter that always seems to have scripting in it and I get an error message saying it can't run with my present security settings (it's just for advertising in the email I guess - I can still read the articles).
Stupidest thing Microsoft ever did was to add scripting to Outlook. NO ONE uses it except advertisers and SPAMmers.
The update patch does work. Tried to open the same email after installing it and it didn't auto load.
Another thing - I've been receiving this virus for weeks now (I literally get 10 a day), but this is the FIRST one that tried to run itself using a script. That tells me that either this clown has updated his virus, or it's programmed to change tactics.
Posted: Thu Jul 04, 2002 3:12 pm
by HellRaiser&BeerD
2 thumbs way up for the freebies firewall Zone Alarm
and AVG virus detector
2 Great Reasons why I love the Internet
Posted: Sun Jul 21, 2002 6:13 am
by surffguyy501
I've been using AVG and it's been catching stuff in my email about 3x a day lately.
The other day it nabbed something called "JS/Seeker" ... any idea what that is?
Posted: Sun Jul 21, 2002 6:23 am
by surffguyy501
One more thing...
I NEVER have time to do any gaming... and the ONE time I am bored out of my skull, and
playing around on Runescape... that's when I caught "JS/Seeker". Can you get something
on-line while playing a game???? I didn't even know that was possible?
I had outlook express open at the time... but I wasn't in it, or reading any mail. And suddenly
AVG came up, and totally locked up my system till it had done a complete scan (it took over
an hour). It said it detected JS/Seeker, and one of my files had been infected, and had to be
locked in a vault.
ummm... what was all that about? Was that a mail thing, or a gaming thing???