Re: Klez at it again
On Fri, 3 May 2002 14:25:11 -0700 Philip J. Koenig [EMAIL PROTECTED] wrote:

> On 2 May 2002, at 18:24, David A. Bandel boldly uttered:
>
> > NOTE: Klez, when run, first disables antivirus software, deletes
> > signature files from common AV programs, then installs itself as a
> > service. You can't run, you can't hide, all you can do is reformat.

Disable the anti-virus software? Oh, pleeazzee, let me re-install Windows on my box...

--
Roger Oberholtzer          E-mail: [EMAIL PROTECTED]
OPQ Systems AB             WWW:    http://www.opq.se/
Erik Dahlbergsgatan 41-43  Phone:  Int + 46 8 314223
115 32 Stockholm           Mobile: Int + 46 733 621657
Sweden                     Fax:    Int + 46 8 302602

___
Linux-users mailing list - http://linux-sxs.org/mailman/listinfo/linux-users
Subscribe/Unsubscribe info, Archives, and Digests are located at the above URL.
Re: Klez at it again
I'm sorry Doug, I did not mean that they came from linux-sxs.org, they were just spoofed as linux-sxs.org. They came from netvigator.com, and netvigator seems to be running M$2k and Exchange.

Douglas J Hunley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Bill Day spewed electrons into the ether that resembled:
>
> > I am also receiving klez'd emails from major places, i.e. driverguide.com,
> > and have yet to receive any more klez'd emails via linux-sxs.org
>
> Not to be arguin Bill, but you *never* should have gotten any from
> linux-sxs.org. This setup has been turning them away from day one..
>
> --
> Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
> Admin: Linux StepByStep - http://www.linux-sxs.org and http://jobs.linux-sxs.org
> Wishlist: http://www.amazon.com/o/registry/48D11KZ4BPBQ
> You realize we're all going to go to college as virgins. They probably have
> special dorms for people like us.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/02
Re: Klez at it again
Bill Day spewed electrons into the ether that resembled:

> I'm sorry Doug, I did not mean that they came from linux-sxs.org, they were
> just spoofed as linux-sxs.org. They came from netvigator.com, and netvigator
> seems to be running M$2k and Exchange.

ah. had me worried for a second there. cool.

--
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
Admin: Linux StepByStep - http://www.linux-sxs.org and http://jobs.linux-sxs.org
Wishlist: http://www.amazon.com/o/registry/48D11KZ4BPBQ
panic("sun_82072_fd_inb: How did I get here?");
        2.2.16 /usr/src/linux/include/asm-sparc/floppy.h
Re: Klez at it again
On 2 May 2002, at 18:24, David A. Bandel boldly uttered:

> NOTE: Klez, when run, first disables antivirus software, deletes
> signature files from common AV programs, then installs itself as a
> service. You can't run, you can't hide, all you can do is reformat.

Actually most major A/V vendors have written tools to remove the worm. Here are 2 examples, the first one also includes manual removal instructions:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H (overview)
http://www.antivirus.com/vinfo/security/fix_worm_klez_3.11.zip (fix)
http://www.antivirus.com/vinfo/security/readme_worm_klez_3.11.txt (readme)

http:[EMAIL PROTECTED] (overview)
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

--
Philip J. Koenig [EMAIL PROTECTED]
Electric Kahuna Systems -- Computers & Communications for the New Millenium
Re: Klez at it again
On Fri, 3 May 2002 14:25:11 -0700 begin Philip J. Koenig [EMAIL PROTECTED] spewed forth:

> On 2 May 2002, at 18:24, David A. Bandel boldly uttered:
>
> > NOTE: Klez, when run, first disables antivirus software, deletes
> > signature files from common AV programs, then installs itself as a
> > service. You can't run, you can't hide, all you can do is reformat.
>
> Actually most major A/V vendors have written tools to remove the worm.
> Here are 2 examples, the first one also includes manual removal
> instructions:
>
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H (overview)
> http://www.antivirus.com/vinfo/security/fix_worm_klez_3.11.zip (fix)
> http://www.antivirus.com/vinfo/security/readme_worm_klez_3.11.txt (readme)
>
> http:[EMAIL PROTECTED] (overview)
> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

Great, but now I'm only getting trickles. When the faucet was first turned on, there were no programs to clean infected machines. Did you expect folks (business users) to turn their systems off for two weeks while the AV folks worked out a fix? Easier and quicker (and frankly safer) to just reformat. It is Windoze after all, and needs to be reinstalled regularly.

Ciao,

David A. Bandel
--
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
Re: Klez at it again
Bill Day spewed electrons into the ether that resembled:

> I am also receiving klez'd emails from major places, i.e. driverguide.com,
> and have yet to receive any more klez'd emails via linux-sxs.org

Not to be arguin Bill, but you *never* should have gotten any from linux-sxs.org. This setup has been turning them away from day one..

--
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
Admin: Linux StepByStep - http://www.linux-sxs.org and http://jobs.linux-sxs.org
Wishlist: http://www.amazon.com/o/registry/48D11KZ4BPBQ
You realize we're all going to go to college as virgins. They probably have special dorms for people like us.
Re: Klez at it again
I don't think the 'from' addresses are correct, they are spoofed. The subjects are made up, and the file attachments are random. wow.

On Fri, 3 May 2002 23:03:26 -0400 Douglas J Hunley [EMAIL PROTECTED] wrote:

> Bill Day spewed electrons into the ether that resembled:
>
> > I am also receiving klez'd emails from major places, i.e. driverguide.com,
> > and have yet to receive any more klez'd emails via linux-sxs.org
>
> Not to be arguin Bill, but you *never* should have gotten any from
> linux-sxs.org. This setup has been turning them away from day one..
>
> --
> Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
> Admin: Linux StepByStep - http://www.linux-sxs.org and http://jobs.linux-sxs.org
> Wishlist: http://www.amazon.com/o/registry/48D11KZ4BPBQ
> You realize we're all going to go to college as virgins. They probably have
> special dorms for people like us.

--
Ken Moffat [EMAIL PROTECTED]
Re: Klez at it again
Scribbling feverishly on May 02, Gerry Doris managed to emit:

[...]

> David, are you sure that it came from these lists? I'm subscribed to them
> too and I don't remember seeing any messages with the subject Troubleshooting.

Klez messages have random headers. I'm seeing them also.

Kurt
--
Truth is the most valuable thing we have -- so let us economize it.
-- Mark Twain
Re: Klez at it again
On Thu, 2 May 2002 20:15:15 -0400 (EDT) begin Gerry Doris [EMAIL PROTECTED] spewed forth:

> On Thu, 2 May 2002, David A. Bandel wrote:
>
> > Folks,
> >
> > Please review the mail headers, someone on one of these lists has Klez.
> > This is not really a bounce message:
> >
> > 1. No Windoze here (much less Outhouse)
> > 2. I don't think I know this e-mail address
> >
> > The Return-Path has most certainly been altered. But we can say that it
> > originated on comcast.net:
>
> snip
>
> > Subject: Undeliverable mail--Troubleshooting
>
> David, are you sure that it came from these lists? I'm subscribed to them
> too and I don't remember seeing any messages with the subject Troubleshooting.

The message came direct to me, but since I don't recognize the icomcast.net address in the header, I suspect someone either currently or previously subscribed to a list I was on has the virus. Could be anyone, but I thought I'd start with the two lists I'm most active on.

Klez headers are always altered (Return-Path:, Subject:, From:), but Klez can't alter what the mail servers put on the messages. So it definitely came from someone using comcast.net. That's about all we can say for the moment (and be correct).

Ciao,

David A. Bandel
--
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
Re: Klez at it again
Currently, whilst I set up my new linuxbox, I am using a winbox (via the newsgroup) rather than email; however, those using AVG must upgrade to version 351 and update their viri sigs as well.

I am also receiving klez'd emails from major places, i.e. driverguide.com, and have yet to receive any more klez'd emails via linux-sxs.org

Douglas J Hunley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> David A. Bandel spewed electrons into the ether that resembled:
>
> > Folks,
> >
> > Please review the mail headers, someone on one of these lists has Klez.
> > This is not really a bounce message:
> >
> > 1. No Windoze here (much less Outhouse)
> > 2. I don't think I know this e-mail address
>
> fortunately, any mail passing through linux-sxs.org with klez will be
> caught. if anyone out there needs help in setting this up, please let me
> know!
>
> also, there's no more excuses folks. AVG is a free for personal use,
> Windows anti-virus package. check www.grisoft.com for details. granted, if
> you have klez, it attacks the anti-virus but then again, it may not know
> about AVG ;)
>
> --
> Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
> Admin: Linux StepByStep - http://www.linux-sxs.org and http://jobs.linux-sxs.org
> Wishlist: http://www.amazon.com/o/registry/48D11KZ4BPBQ
> Real Time, adj.: Here and now, as opposed to fake time, which only occurs
> there and then.
Klez at it again
Folks,

Please review the mail headers, someone on one of these lists has Klez. This is not really a bounce message:

1. No Windoze here (much less Outhouse)
2. I don't think I know this e-mail address

The Return-Path has most certainly been altered. But we can say that it originated on comcast.net:

Return-Path: [EMAIL PROTECTED]
Received: from mtaout06 (smtp.comcast.net [24.153.64.2])
        by ns1.panamanow.com (8.12.1/8.12.1) with ESMTP id g42MgNGf001153
        for [EMAIL PROTECTED]; Thu, 2 May 2002 18:42:23 -0400
Received: from Yhbqziql (pcp986188pcs.northw01.in.comcast.net [68.58.49.21])
        by mtaout06.icomcast.net (iPlanet Messaging Server 5.1 HotFix 0.6 (built Apr 26 2002))
        with SMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Thu, 02 May 2002 18:37:25 -0400 (EDT)
Date: Thu, 02 May 2002 18:37:17 -0400 (EDT)
Date-warning: Date header was inserted by mtaout06.icomcast.net
From: postmaster [EMAIL PROTECTED]
Subject: Undeliverable mail--Troubleshooting
To: [EMAIL PROTECTED]
Message-id: [EMAIL PROTECTED]
MIME-version: 1.0
Content-type: multipart/alternative; boundary=Boundary_(ID_wi9KXBf+sfYB8WitpSrZWA)
X-Spam-Status: No, hits=0.0 required=5.0 tests= version=2.01
Status:

The following mail can't be sent to [EMAIL PROTECTED]:

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Troubleshooting

The attachment is the original mail

Attachments included the Klez virus (God, I'm getting tired of getting them, I've over 60 copies now). You don't have to fess up, just please reformat and reinstall your system, then put on all the patches and STOP USING OUTHOUSE!

NOTE: Klez, when run, first disables antivirus software, deletes signature files from common AV programs, then installs itself as a service. You can't run, you can't hide, all you can do is reformat.

Thanx, and sorry for the interruption. Now, back to our regularly scheduled programming, with Perl^H^H^H^HLinux.

Ciao,

David A. Bandel
--
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
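The thread's point that Klez rewrites Return-Path:, From: and Subject: but cannot touch the Received: lines stamped by the relaying mail servers is what the following added example shows (it is not code from the list or its members). It unfolds a header block modelled on the one David quoted, walks the Received chain downward from the recipient's own MTA, and stops at the first hop that no longer links to the one above it, since everything below a break could have been forged by the sending machine. Hostnames and IPs are the ones quoted above; the mailbox addresses are constructed example.invalid values.

```python
import re

# Header block modelled on the one quoted in David's message: hostnames, IPs and
# timestamps as shown there, mailbox addresses replaced by constructed ones.
SAMPLE_HEADERS = """\
Return-Path: <postmaster@victim.example.invalid>
Received: from mtaout06 (smtp.comcast.net [24.153.64.2])
\tby ns1.panamanow.com (8.12.1/8.12.1) with ESMTP id g42MgNGf001153
\tfor <david@example.invalid>; Thu, 2 May 2002 18:42:23 -0400
Received: from Yhbqziql (pcp986188pcs.northw01.in.comcast.net [68.58.49.21])
\tby mtaout06.icomcast.net (iPlanet Messaging Server 5.1) with SMTP
\tfor <david@example.invalid>; Thu, 02 May 2002 18:37:25 -0400 (EDT)
From: postmaster <postmaster@victim.example.invalid>
Subject: Undeliverable mail--Troubleshooting
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                      # name the client announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"  # what the MTA actually saw
    r"\s+by\s+(?P<by>\S+)"                                       # the MTA that wrote the line
)

def unfold_headers(raw):
    """Join RFC 5322 continuation lines; return [(lowercased name, value), ...]."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def trusted_origin(raw, our_mta):
    """Walk the Received chain downward from our own MTA's line (the only one we
    know is genuine) and return the earliest hop that still links to the hop
    above it. Return-Path/From/Subject are sender-controlled and ignored, as is
    any Received line below a break in the chain, which the sender could forge."""
    hops = [m.groupdict() for name, value in unfold_headers(raw)
            if name == "received" for m in [RECEIVED_RE.search(value)] if m]
    if not hops or hops[0]["by"] != our_mta:
        return None  # top line was not written by us: nothing here is trustworthy
    origin = hops[0]
    for upper, lower in zip(hops, hops[1:]):
        by = lower["by"]
        if by not in (upper["helo"], upper["rdns"]) and not by.startswith(upper["helo"] + "."):
            break  # this hop does not claim to be the host the one above received from
        origin = lower
    return origin
```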
Re: Klez at it again
On Thu, 2 May 2002, David A. Bandel wrote:

> Folks,
>
> Please review the mail headers, someone on one of these lists has Klez.
> This is not really a bounce message:
>
> 1. No Windoze here (much less Outhouse)
> 2. I don't think I know this e-mail address
>
> The Return-Path has most certainly been altered. But we can say that it
> originated on comcast.net:

snip

> Subject: Undeliverable mail--Troubleshooting

David, are you sure that it came from these lists? I'm subscribed to them too and I don't remember seeing any messages with the subject Troubleshooting.

I'm really curious since I may have deleted it without reading it, as I get so many messages that I usually scan the subjects and only read the interesting topics. If that's the case then mailscanner, that is supposed to be checking for virii using F-Prot, missed it. On the other hand mailscanner definitely didn't find a message with Klez in it either???

So, either the message didn't come in on these lists or mailscanner running on my system didn't catch the virus?

Gerry
--
The lyfe so short, the craft so long to learne
-- Chaucer