John G Hitchcock wrote:
>Re Peter's :
>========================
>
>John, this is how it went
>
>1. I received an original message frm 'tony'. It had two files attached
>purporting to be an IE6 patch for windoze.
>
>2. This looked suspicious, I downloaded the files without opening them. They
>had the look of the present plague, the Klez worm. My AVG agreed.
>
>3. I bounced the message back to 'tony' on the supposition that he was an
>innocent victim, putting through the list to warn other possible recipients.
>This reply didn't carry the original attachments so a) it couldn't infect
>anyone b) no Klez would be detected by any anti-virus program.
>
I don't know who generated them, but there were several bounce back
messages that my AV identified as being infected and deleted. As far as
my AV was concerned, my bounce back was the first that appeared
uninfected and was not deleted by my AV. Perhaps some of the bounce
backs had contained properly isolated Klez code, but the Klez code did
pass through the list several times.
Lafe
>
>4. Any IE user opening the attachments to the original message from 'tony'
>would have their address book infected and become an innocent propagator. It
>may also start mashing up some of the operations on the host computer. All
>the A/V sites contain detailed information, it is a current major pest with
>many variants
>
>Hope this answers your questions
>
>Peter Goff
>==============================================
>
>Thank you Peter and all who have contributed to try and clear this up.
>
>BUT
>
>I'm still puzzled
>
>I can't work out why I got the very *definite* message -
>
> "YOU'VE GOT KLEZ!!!!"
>
>ie: not you *may* have it.
>
>When -
>
>1. I've had no message with an attachment from any "Tony"
>
>2. If I had(!) then I would have deleted it immediately.
>
>Is all this really telling me that I do have "it" - but appparently from
>another source?
>
>Did the .exe. attachment dynamically alter its own file name and, if not,
>what name did it go under please? {I expect 'sex' will be in there
>somewhere!}
>
>Yours very confusedly,
>
>John In Wales
>
>PS Patience please from unaffected QLers.
>
>
>
>
>
