  ProwlerOnline, Plymouth/Chrysler Prowler Discussion Forum
  General Prowler Discussion
Topic: Please be careful
fixumm


POA Site Supporter
Prowler Junkie

From:Roselle ILL
Registered: Feb 2002
posted 09-05-2002 06:06 AM
Got an email from Ed but Ed said he did not send it. So Tuesday after opening it I got a major VIRUS and it messed up my computers (5) all day.... wish I had that computer guy's job $$$$$$$$$$$$$$$. As I am finding out, you just don't know........ So please be careful. Thanks Ed, may someone shave your back and set you in the hot sun for three days.
fixumm

------------------

visit me at centralautobody.com

butchcee


POA Site Supporter
Prowler Junkie

From:Lake Ariel, Pa.
Registered: Sep 2000
posted 09-05-2002 07:04 AM
fixumm, I got one a few days ago that was supposed to be from Ed also. Who knows where it came from!? Maybe time for you to upgrade your virus scan. I use Norton and it catches everything so far. Sometimes I go weeks with no garbage, and sometimes I get hit with 3 a day. I got hit about a year ago and lost everything I had saved.

------------------

Yellow is DCOOLEST

YellowFever
unregistered

posted 09-05-2002 07:41 AM
quote:
Originally posted by butchcee:
fixumm, I got one a few days ago that was supposed to be from Ed also. Who knows where it came from!? Maybe time for you to upgrade your virus scan. I use Norton and it catches everything so far. Sometimes I go weeks with no garbage, and sometimes I get hit with 3 a day. I got hit about a year ago and lost everything I had saved.


Three things (of course this is hindsight now):

1) Add a zip drive and backup daily (or as frequently as you add stuff to your pc)

2) Get a virus scan program that you can update from the web. I have McAfee and they tell me when updates are available (almost weekly)

3) If using DSL, add a firewall software package to your pc. I use McAfee's and you'd be amazed at the number of hits I get daily from pc's trying to get into one of ours.

A variety of sites (pick your topic) have viruses built right into their HTML or ASP and as soon as you hit that page, voilà, it is downloaded to your pc. McAfee can catch that.

Hope this helps.


------------------
Trey
"Who are you calling chicken? I said I'm YELLOW"

Driving a car is just transportation,
Driving a Prowler is a State of Mind...

YellowFever
unregistered

posted 09-05-2002 07:46 AM
Forgot to mention, the email virus you got probably didn't come from Ed but, got his name and your address from someone else's address book (this is to send you off looking in the wrong direction)

Folks, if you don't know it, DSL leaves your pc wide open to hackers even when you aren't on the internet. Think of your pc as a server that is constantly online (to the world)

McAfee's firewall is pretty cool because you can track (visually) where the hack is coming from. I have seen hacks on our pc's from as far away as China and as close as 30 miles from us. All were shown the front door and given the boot.

Black Tie 161


POA Site Supporter
Prowler Junkie

From:MD, USA
Registered: Jul 2002
posted 09-05-2002 07:57 AM

Virus Profile

Virus Name: W32/Klez.h@MM
Risk Assessment: Medium



Virus Information:
Date Discovered: 4/17/2002
Date Added: 4/17/2002
Origin: Unknown
Length: approx 90kB
Type: Internet Worm
SubType: Win32
DAT Required: 4182


Virus Characteristics:

--- Update 4/30/2002 ---
This virus remains at a Medium Risk overall, however AVERT is still seeing many infections reported from Home Users and is informing Home Users that they are STILL at a HIGHER likelihood of infection than corporate users.
HOME USERS SHOULD UPDATE THEIR DATS AS SOON AS POSSIBLE TO PREVENT INFECTION

--- Update 4/18/2002 ---
AVERT has raised the risk assessment of this threat to Medium after seeing an increase in prevalence over the past 24 hours. Home users are at a greater risk of infection, as they tend to update their DATs less frequently than corporations. As such, the risk of becoming infected in a corporate environment is lower.

This latest W32/Klez variant is already detected as W32/Klez.gen@MM by McAfee products using the 4182 DATs (23 January 2002) or greater.

W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

W32/Klez.h@MM makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
The worm has the ability to spoof the From: field (often set to an address found on the victim machine).
The worm attempts to unload several processes (antivirus programs) from memory, including those containing the following strings:
_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
SCAN
VIRUS
LOCKDOWN2000
Norton
Mcafee
Antivir
The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
350.bak.scr
bootlog.jpg
user.xls.exe

The worm may also copy itself into RAR archives, for example:
HREF.mpeg.rar
HREF.txt.rar
lmbtt.pas.rar

The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

Subject: A very funny website
or Subject: Undeliverable mail--
or Subject: Returned mail--
or Subject: A WinXP patch
or Subject: A IE 6.0 patch
or Subject: W32.Elkern removal tools
or Subject: W32.Klez.E removal tools

The file attachment name is again generated randomly, and ends with a .exe, .scr, .pif, or .bat extension, for example:
ALIGN.pif
User.bat
line.bat

Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in infection of the victim machine.

W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.

Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:

.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.c
.pas
.mpg
.mpeg
.bak
.mp3
.pdf
This payload can result in confidential information being sent to others.




Indications Of Infection:

Randomly/oddly named files on network shares, as described above.
Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run





Method Of Infection:

This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, exploits a Microsoft vulnerability, spreads via network shares, infects executables on the local system, and drops an additional file infecting virus, W32/Elkern.cav.c.




Removal Instructions:

Use current engine and DAT files for detection.
Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished. The following steps will circumvent this action and allow for proper VirusScan scanning/removal, by using the command-line scanner.

1) Ensure that you are using the minimum DAT specified or higher.
2) Close all running applications
3) Disconnect the system from the network
4) Go to a command prompt, then change to the VirusScan engine directory:
   Win9x/ME - Click START | RUN, type command and hit ENTER.
   Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
   WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
   Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
5) Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
6) First, scan the system directory
   Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
   WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
7) Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
8) Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
9) After scanning and removal is complete, reboot the system
10) Apply Internet Explorer patch if necessary.

Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.





Aliases:

W32/Klez.G@mm (Norman), W32/Klez.gen@MM, W32/Klez.I (Panda), W32/Klez.K-mm, WORM_KLEZ.G (Trend
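
The two "Indications Of Infection" in the profile above can be checked mechanically. The following is an added example, not part of the original post or of McAfee's tooling: it flags share file names that hide a document extension in front of an executable or .rar extension, and Run key values that point at a WINKxxx.EXE file. The registry values, the `reg query` text and the assumed length of "xxx" are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extension sets taken from the profile above.
DOC_EXTS = {".txt", ".htm", ".html", ".wab", ".asp", ".doc", ".rtf", ".xls",
            ".jpg", ".cpp", ".c", ".pas", ".mpg", ".mpeg", ".bak", ".mp3", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat"}

# Assumption: the "xxx" in WINKxxx.EXE is 1-8 letters or digits.
WINK_RE = re.compile(r'(?:^|[\\/\s"])(wink[a-z0-9]{1,8}\.exe)\b', re.IGNORECASE)

# One value line of `reg query` output: name, type and data, 4 spaces apart.
REG_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample data: the file names are the examples quoted in the
# profile plus two harmless names; the registry values are made up.
SAMPLE_SHARE = ["350.bak.scr", "bootlog.jpg", "user.xls.exe",
                "HREF.mpeg.rar", "budget.xls", "setup.exe"]
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NAV Agent    REG_SZ    C:\PROGRA~1\NAV\navapw32.exe
    Winkqzu    REG_SZ    C:\WINDOWS\System32\Winkqzu.exe
    Twinkle    REG_SZ    C:\tools\twinkle.exe /tray
"""


def double_extension(filename):
    """Return a reason if a document extension sits before an exec/.rar one."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return None  # single-extension copies cannot be told apart by name
    inner, outer = suffixes[-2], suffixes[-1]
    if inner in DOC_EXTS and outer in EXEC_EXTS:
        return f"document extension {inner} in front of executable {outer}"
    if inner in DOC_EXTS and outer == ".rar":
        return f"archive named after a {inner} document"
    return None


def run_key_hits(reg_query_output):
    """Return (value name, file name) for Run values that start WINKxxx.EXE."""
    hits = []
    for line in reg_query_output.splitlines():
        value = REG_LINE.match(line)
        if value is None:
            continue  # key header or blank line
        target = WINK_RE.search(value.group("data"))
        if target:
            hits.append((value.group("name"), target.group(1)))
    return hits


def triage(share_listing, reg_query_output):
    """Collect both kinds of indicator into one list of findings."""
    findings = []
    for name in share_listing:
        reason = double_extension(name)
        if reason:
            findings.append(("share", name, reason))
    for value_name, exe in run_key_hits(reg_query_output):
        findings.append(("run-key", value_name, f"autostart points at {exe}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SHARE, SAMPLE_REG):
        print(*finding, sep=" | ")
```

A hit is a reason to run the scanner steps above, not proof of infection: legitimate files can match either pattern.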



Bob Hacker




POA Site Supporter
Prowler Junkie

From:McHenry IL USA
Registered: Sep 2001
posted 09-05-2002 08:03 AM
quote:
Originally posted by YellowFever:
Forgot to mention, the email virus you got probably didn't come from Ed but, got his name and your address from someone else's address book (this is to send you off looking in the wrong direction)

Folks, if you don't know it, DSL leaves your pc wide open to hackers even when you aren't on the internet. Think of your pc as a server that is constantly online (to the world)

McAfee's firewall is pretty cool because you can track (visually) where the hack is coming from. I have seen hacks on our pc's from as far away as China and as close as 30 miles from us. All were shown the front door and given the boot.


Trey,
I am personally hurt by your use of "HACK" in your e-mail.
Bob

Howler Cat


POA Site Supporter
Prowler Junkie
Personal ScrapBook

From:Costa Mesa, California
Registered: Feb 2002
posted 09-05-2002 08:43 AM
Thanks for the tips...

------------------

ed monahan





POA Lifetime Site Supporter
Prowler Junkie
Personal ScrapBook

From:Cincinnati, Oh, USA
Registered: Jul 2000
posted 09-05-2002 09:09 AM
fixumm, I did not send the virus. I am getting 3 to 5 of them every day. I had the virus when we got back from Colo. but I do not have it now. It also disables your Norton anti virus, so make sure you get that back up and running. Sorry to hear you got it.
YellowFever
unregistered
posted 09-05-2002 10:08 AM
quote:
Originally posted by hack1320:
Trey,
I am personally hurt by your use of "HACK" in your e-mail.
Bob

I have license to use the term since I am one!!!!

purplecat

POA Site Supporter
Prowler Junkie

From:Texas Hill Country
Registered: Dec 2001
posted 09-05-2002 11:01 AM
It is true... DSL, cable modems and 2-way satellite systems all leave you vulnerable when they are left activated.

We never leave our systems connected when we are not using them. It only takes a minute to get connected again, and why take the risk.

JMO

YellowFever
unregistered

posted 09-05-2002 11:32 AM
quote:
Originally posted by purplecat:
It is true... DSL, cable modems and 2-way satellite systems all leave you vulnerable when they are left activated.

We never leave our systems connected when we are not using them. It only takes a minute to get connected again, and why take the risk.

JMO


Purplecat, when you do connect though, you are completely vulnerable and things can be downloaded to your pc without you even seeing it on your screen without some sort of firewall.

There are literally thousands of computers out there pinging the entire internet looking for any pc to hack into and get/leave information.

Get a firewall!!!

mojoriser

Prowler Junkie

From:Plano, TX, USA
Registered: Feb 2002
posted 09-05-2002 11:53 AM
Doing all the things that have been mentioned in this thread are good (personal firewall, local virus scanning software, etc.). However, they are only as good as you make them. If you don't keep them up to date, they won't help you at all. New worms and viruses come out all the time--you have to keep current for them to be effective.

A better solution is to get your email from a company that scans it for viruses long before the email ever gets to your PC. That's what I do. I own an Internet company that specializes in email services. We scan every message that comes into our system for viruses. If we find one, we stop it and notify the sender that they are infected. If your PC does get a virus from some other means, you won't be spreading it to everyone in your address book, because we scan all outbound email, too! Our virus patterns are updated every single day, so our virus protection is always current.

Not only that, but we also filter out a whole buttload of SPAM.

If you are tired of the headaches and deficiencies of your current email service, check out my email service at www.theaardvark.com--you won't be disappointed!

------------------
'97 Prowler #86 of 396
www.theaardvark.com

YellowFever
unregistered

posted 09-05-2002 12:51 PM
quote:
Originally posted by mojoriser:
Doing all the things that have been mentioned in this thread are good (personal firewall, local virus scanning software, etc.). However, they are only as good as you make them. If you don't keep them up to date, they won't help you at all. New worms and viruses come out all the time--you have to keep current for them to be effective.

A better solution is to get your email from a company that scans it for viruses long before the email ever gets to your PC. That's what I do. I own an Internet company that specializes in email services. We scan every message that comes into our system for viruses. If we find one, we stop it and notify the sender that they are infected. If your PC does get a virus from some other means, you won't be spreading it to everyone in your address book, because we scan all outbound email, too! Our virus patterns are updated every single day, so our virus protection is always current.

Not only that, but we also filter out a whole buttload of SPAM.

If you are tired of the headaches and deficiencies of your current email service, check out my email service at www.theaardvark.com--you won't be disappointed!


Good idea mojoriser, however, with DSL, not all viruses come by way of email. Some HTML/DHTML/ASP pages can download stuff (or at least try to). I know because McAfee stops it, and informs me.

I can't speak for all the products out there but, McAfee lets me know when anything attempts to connect to one of my servers and it also tells me the second an update for the firewall or virus scan software is available for a download.


This message has been edited by YellowFever on 09-05-2002 at 12:52 PM

CWatsonJr


POA Site Supporter
Prowler Junkie
Personal ScrapBook

From:Pollock Pines, CA, USA
Registered: Mar 2001
posted 09-05-2002 02:40 PM
quote:
Originally posted by mojoriser:
... If we find one, we stop it and notify the sender that they are infected....

Have you found an automated method of going into the header and finding the real originator of the e-mail? I am so tired of getting e-mail messages from e-mail companies telling me that I am infected and I am sending out emails with viruses... my machines are not infected (yes, I have double and triple checked them) and yes I keep the definitions up to date. Every time I get one of these, I look at the header to see where the e-mail is really coming from.

The Klez virus spoofs the emails so they look like they are coming from someone else, so it is pointless to send an e-mail back to the obvious sender (because they didn't send it).


------------------
Cliff Watson
2K1 Mulholland, Colorshift Flames, Mud Flaps, TGF Side Panels, TGF Bumper Covers, Eric Wolf Chrome Tranny Cooler, Blueberry Shimmers, Front Ceramic Pads, Homemade Top Brace, SSS Muffler, Weekender.
2001 Dakota SLT+ CC (Patriot Blue)
1998 Durango SLT+ (Intense Blue)
X - 1998 Honda Accord
X - 1991 Dodge Spirit
X - 1965 Ford Mustang (289)
X - 1994 Dodge Daytona Turbo
X - 1971 Ford Pinto (The Rust Bucket)

This message has been edited by CWatsonJr on 09-05-2002 at 02:41 PM

mojoriser

Prowler Junkie

From:Plano, TX, USA
Registered: Feb 2002
posted 09-05-2002 02:58 PM
Cliff, yes, my mail system tracks the original sender and their ip address. Certain items in an email header can be forged, other items cannot. My system takes that into consideration and does not notify people incorrectly.

You can be assured that if my system sends you a message that your email contains a virus, that the virus came from your account and not from an imposter.

I'd be happy to set up a demo account for you if you'd like to try it out.

------------------
'97 Prowler #86 of 396
www.theaardvark.com
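
The point made in the exchange above, that some header items can be forged and others cannot, comes down to trusting only the Received lines written by mail servers you run yourself. The following is an added example, not part of the original thread and not mojoriser's system: it walks the Received chain from the top and reports the address that handed the message to the first trusted server. All host names, addresses and the message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "from <helo> (<reverse DNS> [<ip>]) ... by <server>" as written by the
# receiving server. Assumption: Sendmail/Postfix-style Received lines.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)")

# Servers operated by the recipient's own provider (constructed names).
TRUSTED = {"mailstore.myisp.example", "mx1.myisp.example"}

# Constructed message: From: and the lowest Received line are under the
# sender's control; the two upper Received lines were added by TRUSTED hosts.
SAMPLE_MESSAGE = """\
Received: from mx1.myisp.example (mx1.myisp.example [192.0.2.10])
    by mailstore.myisp.example with ESMTP id A1; Thu, 5 Sep 2002 06:01:15 -0500
Received: from smtp.friend-isp.example (host45.dialup.example.net [203.0.113.45])
    by mx1.myisp.example with SMTP id B2; Thu, 5 Sep 2002 06:01:12 -0500
Received: from friend-pc (friend-isp.example [198.51.100.7])
    by smtp.friend-isp.example with SMTP id C3; Thu, 5 Sep 2002 06:00:59 -0500
From: A Friend <friend@friend-isp.example>
To: me@myisp.example
Subject: A very funny website

(body omitted)
"""


def trusted_origin(raw_message, trusted_mtas):
    """Return the hop that handed the message to the first trusted server.

    Received lines are prepended, so the newest is on top. Lines are followed
    downward only while they were written by a trusted server; everything
    below the first untrusted line may have been forged by the sender.
    """
    msg = message_from_string(raw_message)
    origin = None
    for header in msg.get_all("Received", []):
        hop = HOP_RE.search(" ".join(header.split()))  # unfold the header
        if hop is None or hop.group("by").lower() not in trusted_mtas:
            break
        origin = hop.groupdict()
    if origin is None:
        return None
    # The From: address is reported only as a claim, never as the origin.
    origin["claimed_from"] = parseaddr(msg.get("From", ""))[1]
    # A HELO name that differs from reverse DNS is a hint, not proof.
    origin["helo_matches_rdns"] = origin["helo"].lower() == origin["rdns"].lower()
    return origin


if __name__ == "__main__":
    print(trusted_origin(SAMPLE_MESSAGE, TRUSTED))
```

For the sample, the connecting address recorded by the trusted edge server is 203.0.113.45, which says nothing about the mailbox named in From:.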

sam771
unregistered

posted 09-05-2002 03:06 PM
Get Norton SystemWorks, cost $15.00. It is good for one year and renewable after one year; it is very effective at protecting against computer viruses.

When you have bought something "DO NOT REGISTER ANY WARRANTY WITH ANY WEB SITE". Someone always checks it in, gets your address and sends you a virus.

cstall




POA Site Supporter
Prowler Junkie

From:Chandler, AZ USA
Registered: Jul 2000
posted 09-05-2002 10:38 PM
If you think you might be infected, just browse to http://www.housecall.antivirus.com. It's free!

GRROWL


POA Site Supporter
Prowler Junkie

From:Herndon, VA
Registered: Feb 2002
posted 09-06-2002 08:29 AM
Came across this article that's written in plain English that I thought might be useful to post. It explains, among other things, that the listed sender is not the sender. It also says that today is a trigger date:

+++++++++++++++++++++++++++++++++++++++
http://zdnet.com.com/2100-1105-956740.html

Klez set to return--but may backfire

By Robert Lemos
Special to ZDNet News
September 5, 2002, 11:33 AM PT

A minor variant of the Klez virus is set to go into action Friday, erasing a host of files on infected hard drives. But the attack may also wipe out the attacker.


The 8-month-old mass-mailing computer virus called Klez.E triggers its payload on the sixth day of March, May, September and November, erasing 14 different types of files, including Word documents and HTML files.
But the variant has all but disappeared from the Internet, said Vincent Gullotto, director of the antivirus emergency response team at security company Network Associates, and the year's two remaining payloads should call attention to the few computers still infected with Klez.E, allowing the pest to be exterminated.

The Klez.E variant runs a distant second to its far more prevalent Klez.H cousin, making up only 3 percent of the junk e-mail associated with the Klez virus. Klez.H accounts for the other 97 percent.
Data from e-mail services provider MessageLabs shows that in August, the company intercepted 580,000 e-mails carrying the prolific Klez.H variant but only 16,000 carrying Klez.E. On Thursday, the minor Klez variant was present in only 338 infected e-mails in the last 24 hours.
Klez.E arrives in e-mail and uses an old flaw in Microsoft Internet Explorer to execute automatically. On infected PCs, the computer virus activates a malicious payload and overwrites any file accessible to it--both local and on the network-- of the following types: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak and .mp3.
Klez.H doesn't overwrite files, but it may randomly choose a document from a victimized computer and attach it to the e-mails it sends out to spread itself. In addition, Klez.H spoofs the sender's address to make it look like a random person from the infected PC's address book is actually sending the virus-laden mail. This makes it harder to pinpoint an infected system and can lead to a muddle when people without the pest are told they have it.

+++++++++++++++++++++++++++++++++++++++++

-GRROWL

cnote6





POA Site Supporter
Prowler Junkie
Personal ScrapBook

From:Dallas, TX
Registered: Nov 2000
posted 09-07-2002 10:18 PM
I get 4 to 6 a day

All times are CT (US)