  ProwlerOnline, Plymouth/Chrysler Prowler Discussion Forum
  General Prowler Discussion
  some of you are seriously infected with this virus...

CatDude (Charlottesville, Va) posted 06-23-2002 10:34 AM
Somebody out there is seriously infected with the W32.Klez.H@mm virus... I get about 2 copies of this virus emailed to me every day. 99% of my email is with POA folks, so it is highly likely that I am getting these emails from a POA member's PC...

If you are not up-to-date with your virus protection, I strongly recommend that you visit Norton. It only costs about $40 for the software and a subscription to keep your PC clean.

Info from Norton:
W32.Klez.H@mm: Discovered on: April 17, 2002
Last Updated on: June 20, 2002 01:04:30 PM PDT

W32.Klez.H@mm is a modified variant of the worm W32.Klez.E@mm. This variant is capable of spreading by email and network shares. It is also capable of infecting files.

Also Known As: W32/Klez.h@MM, WORM_KLEZ.H, W32/Klez-G, I-Worm.Klez.h, Klez.H, W32/Klez.H, Win32.Klez.H, WORM_KLEZ.I

Threat: Severe
Dangerous threat type, difficult to contain. The latest virus definitions should be downloaded immediately and deployed.

------------------

VIRGINIA CAT DUDE '02 SILVER

CatDude (Charlottesville, Va) posted 06-23-2002 10:39 AM
One more thing... this virus is particularly clever and vicious. You can read the details about this virus here: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html


Marty Usher (San Antonio, Texas, United States) posted 06-23-2002 11:27 AM
Damon - I get two to five emails a day with attachments from POA folks. I don't know why, but Norton's picks up some as infected, others it does not. I just delete messages with an attachment unless I know someone is sending me an email, or I will open jpegs.

BTW - I guess the mail must be running slow - still looking forward to receiving the Louisville CD.

Regards

Marty

------------------
2000 Black with hand painted blue faded to purple flames

Driving my Dream

bbrighton (Reno, NV, USA) posted 06-23-2002 11:50 AM
Damon,

Tracking down the actual origin of KLEZmail isn't trivial -- you have to be able to read the full headers and chase the stream all the way back. You can't rely on the plain-text headers, since those are forged by the offending software.

I'm not an expert at it, but I can give it a shot if you like. If you can forward _full_ headers of one of the infected email messages to the email address listed in my profile, I'll take a look.

And don't worry about infecting me -- I run a Mac.

------------------
Brad Brighton

GRROWL


POA Site Supporter
Prowler Junkie

From:Herndon, VA
Registered: Feb 2002
Admin Use

posted 06-23-2002 01:05 PM     Click Here to See the Profile for GRROWL     send a private message to GRROWL   Edit/Delete Message   Reply w/Quote   Search for more posts by GRROWL
Tell me if this was your experience (this was mine):

Virus alert.
Scan whole machine.
Reboot, scan again, everything is clean.
Do some email.
Get another virus alert.
Assume that the virus came in the Email.

Apparently, WRONG. .klez is somehow masking itself from the virus scan and then popping up again - internal to the PC, but appearing to come from an Email. This happened both under McAfee, and again after changing to Norton.

I got rid of it as follows:
Set Norton configuration to scan EVERYTHING - all files, Email, attachments, etc.
Turn off all shares (documented bug in Windows).
Run automatically every hour, don't reboot until you have 2 days of scans without detecting anything.

It worked for me. No viruses in 32 days (and that was after a week of multiple-hits/day).

Fortunately, I don't think I lost anything even though a lot of files had to be deleted (they couldn't be cleaned, but none of them were important).

Good luck.

CatDude (Charlottesville, Va) posted 06-23-2002 01:48 PM
quote:
Originally posted by GRROWL:
Tell me if this was your experience (this was mine):

Virus alert.
Scan whole machine.
Reboot, scan again, everything is clean.
Do some email.
Get another virus alert.
Assume that the virus came in the Email.
...


Not exactly - I got rid of it ok, but someone out there has it bad. The virus may have damaged my Outlook installation. I am unable to view email message headers. If I can find an email header, Brad, I'll send it to you.

This virus is particularly crafty. It invokes many anti-anti-virus measures.

gresults (Houston, Texas USA) posted 06-23-2002 02:05 PM
Guess I'm lucky: all I ever get is emails from my IP telling me that someone was attempting to send me a virus. And, like someone else said, don't open emails from strangers, however tempting it might be.

I have only had one true virus on my computer in 12 years, and it came from a software company, that was sending out infected files.

------------------
Donald E. Ethredge
12454 Cutten Rd., Suite S
Houston, Texas 77066 USA
281-397-8440 f: 281-397-0999
www.graphicresults.com
gresults@ev1.net


CatDude (Charlottesville, Va) posted 06-23-2002 02:56 PM
I don't open email attachments either... I don't know how my PC got infected. I am careful as well. I can only remember having an infected PC twice since the existence of the internet.

GRROWL (Herndon, VA) posted 06-23-2002 03:47 PM
You make a good point with: "This virus is particularly crafty. It invokes many anti-anti-virus measures."

But I think you miss my point when you say, "Not exactly - I GOT RID OF IT OK".

My experience, and I believe what you are experiencing now, is that you did not get rid of it - it is exhibiting one of its "anti-anti-virus measures" that you referred to by hiding and then making you think there's a new infection.

Just think about it: if your Norton anti-virus was working, why would you get reinfected? My guess is that it's merely hiding and coming back FROM THE INSIDE.

I strongly suggest that you check all of your Norton settings so that EVERYTHING is being scanned, on an hourly basis, (and that shares are turned off, as in the URL you cite) until it is gone and not just hiding.

Keep us informed. I really don't think that POA members are doing this to you on such a repetitive basis.

bbrighton (Reno, NV, USA) posted 06-23-2002 04:24 PM
VCD sez:

quote:
I don't open email attachments either... I don't know how my PC got infected. I am careful as well. I can only remember having an infected PC twice since the existence of the internet.

I re-read this thread, and I have a question -- if you were infected, your machine would be sending the email, not receiving it.

What makes you think your machine is infected?

The descriptions here seem to imply that it's someone else (probably not whoever you might think it is) who has the infection.

AFA getting the headers, you might try 'redirecting' one of those questionable messages. Plain forward strips the headers, IIRC, but this might not.
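
The header-chasing Brad describes in his two posts above, as an added example that is not part of the original thread: each relay prepends its own Received: line on the way in, so the chain is read from the bottom (nearest the sending machine) up to the top (your own mail server), and the From: line is ignored because Klez forges it with an address harvested from the infected PC. The message below is constructed for this demo (every host, address and queue ID is fictitious) and the code uses only the Python standard library.

```python
"""Walk a message's Received: chain back toward the machine that sent it.

Added example, not code from the original thread. The sample message and all
host names in it are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: three relays, a From: that names a POA member, and at the
# bottom of the chain the dial-up host that actually handed the mail to its ISP.
RAW_MESSAGE = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.10])
    by mx.cville-mail.example (Postfix) with ESMTP id 1234ABCD
    for <catdude@cville-mail.example>; Sun, 23 Jun 2002 10:12:01 -0400
Received: from smtp-out.homeisp.example (smtp-out.homeisp.example [198.51.100.7])
    by mail.example-isp.net with SMTP; Sun, 23 Jun 2002 10:11:58 -0400
Received: from Wxzy (dialup-192-0-2-44.homeisp.example [192.0.2.44])
    by smtp-out.homeisp.example (8.11.6/8.11.6) with SMTP id g5NEBvX12345;
    Sun, 23 Jun 2002 10:11:55 -0400
From: "Marty" <marty@poa-member.example>
To: catdude@cville-mail.example
Subject: a funny website
Content-Type: text/plain

(body omitted)
"""

# "from <helo> (<reverse-dns> [<ip>]) by <relay> ..." is the common sendmail/Postfix shape.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw):
    """Return one dict per Received: header, in header order.

    Index 0 was written by the relay nearest to us; the last entry was written
    by the relay nearest to the sending machine.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # unfold the continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue  # vendor-specific format we do not parse; skip the hop
        paren = m.group("paren") or ""
        ip_match = IP_RE.search(paren)
        rdns = paren.split()[0] if paren and not paren.startswith("[") else None
        hops.append({
            "helo": m.group("helo"),   # name the client announced: trivially forged
            "rdns": rdns,              # name the relay resolved for the client
            "ip": ip_match.group(1) if ip_match else None,  # address the relay saw connect
            "by": m.group("by"),       # relay that wrote this header
        })
    return hops


def entry_point(raw, trusted_relays):
    """Client that handed the message to the last relay we trust.

    A worm can embed fake Received: lines of its own, and a relay we do not run
    could do the same, so the walk stops at the trust boundary: starting from
    the top, keep going while the header was written by a trusted relay and
    return the client named in the deepest such header (None if there is none).
    """
    boundary = None
    for hop in parse_received_chain(raw):
        if hop["by"] in trusted_relays:
            boundary = hop
        else:
            break
    return boundary


def claimed_sender_mismatch(raw):
    """Heuristic: True when the From: domain does not appear in the names of the
    hop nearest the sender. Klez fills From: with an address harvested from the
    infected machine, so the domain usually has nothing to do with the host that
    really sent the mail. Returns None when there is nothing to compare."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    hops = parse_received_chain(raw)
    if not domain or not hops:
        return None
    origin = hops[-1]
    names = " ".join(filter(None, [origin["helo"], origin["rdns"]])).lower()
    return domain not in names


if __name__ == "__main__":
    for i, hop in enumerate(parse_received_chain(RAW_MESSAGE)):
        print(i, hop)
    print("entered our trust boundary from:", entry_point(RAW_MESSAGE, {"mx.cville-mail.example"}))
    print("From: domain unrelated to origin host:", claimed_sender_mismatch(RAW_MESSAGE))
```

With only your own mail server in `trusted_relays` the answer is the ISP relay that connected to it; add that relay to the set and the walk goes one hop deeper, to the dial-up host at the bottom. That is the practical limit: you can attribute the mail to whatever hop sits just outside the relays you trust, and the rest of the trail is supporting evidence, not proof. To get the trail at all, send the message as an attachment (or redirect it, as Brad suggests) rather than forwarding it inline, which rebuilds the message and drops the original Received: lines.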

CatDude (Charlottesville, Va) posted 06-23-2002 05:01 PM
Let me clear this up...

About 2 weeks ago, my PC was infected. I downloaded and ran the software to fix it at that time. As a precaution, today, I downloaded the fix again and ran it and it indicated that my PC is still clean, so, apparently, my PC has been clean for the last two weeks.

There could be a copy in the Windows restore files, but I have executed the restore facility and the virus has not reappeared.

For the past couple of weeks, I have been receiving lots of email with the virus... It is apparently coming from the outside. For the next week, I am going to only access my email from the web (instead of pop). This will clarify whether these klez emails are originating from my machine or from somewhere else.

My machine is definitely clean (and has been for the last two weeks), unless the newest norton instructions do not work.

I'll post again within the day or so to let you know what I have confirmed.

purplecat (Texas Hill Country) posted 06-23-2002 09:14 PM
After I found my PC to be infected with this virus, I ran the Norton fix, and later when I scanned for the virus, it was still in the machine. Ran the fix again and then the virus scan was no longer available as the virus has the capability to destroy the drivers in the Norton anti-virus program.

It took 3 long days of backing up data (what could be backed up, other drivers were also damaged). Eventually I had to write zeros to my hard drive and start all over.

This is only the second virus that I have ever had on the PC, but it has convinced me to get a second hard drive for data.

Check and double check everything. I am getting e-mails everyday which Norton is catching with the virus.

I hope others don't have to do what I did because of the virus.

CatDude (Charlottesville, Va) posted 06-25-2002 07:39 AM
The latest info...

I have further researched and have found that my machine is still clean of the klez virus. I consulted a tech at symantec and he agreed that my machine is clean.

I have been a programmer and technical user of PCs for over 20 years. If there is anything strange happening, I notice it pretty quickly. I believe my machine was infected less than a day before I noticed it and took corrective action. (That's probably what saved my machine from a more catastrophic failure.) I have run several scans, including a scan in SAFE MODE, since I ran the first fix - and no virus has been detected.

I haven't received any viruses via email since this weekend, but I don't know exactly why, because there have been 3 variables:
1. -> I'm only accessing email via web (not pop).
2. -> My internet service provider changed their email engine. (I don't know if it is catching the viruses before they get to me.)
3. -> I posted this thread. It is possible that the infected PCs that were sending me the virus emails have been cleaned.


Gary Archer (Mobile, AL) posted 06-25-2002 07:59 AM
Damon:
How do you reboot in safe mode?
Have a virus fix, it says to boot in safe mode and then run tool.

CatDude (Charlottesville, Va) posted 06-25-2002 12:00 PM
quote:
Originally posted by Gary Archer:
Damon:
How do you reboot in safe mode?
Have a virus fix, it says to boot in safe mode and then run tool.

While your machine is booting up, press the <F8> key. This should forward you to a menu where you can select SAFE MODE. (Tip: Don't hold the key down - the computer may think that you have a keyboard error - a stuck key. Instead, press the <F8> key several times while the machine is booting up.)

If this doesn't work, then click on your PC's START key (lower left-hand corner), click help and perform a search on SAFE MODE.


cstall (Chandler, AZ USA) posted 06-26-2002 11:23 AM
Here's an EASY way to fix this:

Just point your browser to http://www.housecall.antivirus.com and follow the instructions. It will scan your PC for viruses.

This site is run by TrendMicro, the company that makes PCcillin antivirus software.

CatDude (Charlottesville, Va) posted 06-27-2002 04:08 PM
As an update... since a couple of days after I posted this thread, I have not received any more copies of the klez virus through my email.

I scanned my machine several times before I posted this thread and after, and no copies of the virus were found. (A couple of weeks before I posted this thread my machine had been infected.)

Apparently, someone has purged their machine of the virus (or either they are on vacation now and their PC is off). Hopefully, I helped someone out by posting this thread...

I know some of this is confusing... here is the chronology for those who are following the details:

June 8: I noticed my machine was infected. I immediately downloaded latest virus tools and fixed my machine.

June 8 to June 24: I received approx 2 copies of the virus via email every day.

June 23: I posted this thread.

June 24 to present: I executed additional scans including SAFE MODE scans from a DOS command line and found no new copies of the virus on my machine.

June 25 to present: I have not received any more copies of the virus via email. It appears that the infected machine that was sending copies to me has been cleaned.


If there are any more developments, I will let you know.


Mike Krehel (Administrating Kat, United States) posted 06-27-2002 10:39 PM
Thanks for your help Damon. The number of infected emails that I've received has also diminished greatly.

If we all keep up the effort and not let our guard down, we should have the Klez virus under control within the Prowler community.

All times are CT (US)


All material contained herein, Copyright 2000 - 2012 ProwlerOnline.com
E-Innovations, LP
