Re[2]: A good tool: Win32.Klez worm sent by me via The Bat!?
> AntiVir Personal Edition (today's update, newest version) unfortunately
> cannot detect even old viruses/trojans/worms such as Weird, Magistr etc.

I have found the same to be true. I have been using Avast! for quite some time. I have had excellent results since I turned off its tray-icon animation. And its updates are very small, far better if you are using a modem.

-- 
Jonathan E. Brickman
AIM JnBrickman; MSIM JnBrickman; Yahoo jonathanbrickman
http://joshuacorps.org

Current Ver: 1.60c
FAQ: http://faq.thebat.dutaint.com
Unsubscribe: mailto:[EMAIL PROTECTED]
Archives: http://tbudl.thebat.dutaint.com
Moderators: mailto:[EMAIL PROTECTED]
TBTech List: mailto:[EMAIL PROTECTED]
Re: A good tool: Win32.Klez worm sent by me via The Bat!?
Hello Mike,

On Friday, April 19, 2002 at 11:20:37 PM you wrote (at least in part):

MH> A colleague of mine has just received a message from me (without my
MH> knowledge of sending it) which appears to be related to the Win32.Klez
MH> worm.
MH> There was no attachment from me.
MH> How could this happen with TB? I don't use Outlook, and I thought that
MH> this worm exploited Outlook. I am VERY vigilant about attachments, and
MH> have TB! set up to not allow opening of
MH> *.COM,*.EML,*.CMD,*.JS,*.PL,*.BAS,*.JAVA,*.REG,
MH> *.EXE,*.VBS,*.PIF,*.SCR,*.SHS files.

First: if TB! had sent this message it would reside in your 'Sent' folder. Have a look there ... (Albeit I can't believe TB! has sent it, have a look to be sure.)

Second: You write you're not _using_ Outlook. Do you have it installed anyway and maybe some aeons ago configured to work properly? Does Outlook (if installed) or Outlook Express have knowledge of your account data (name, e-mail address, SMTP server)?

The 'Received:' headers look like it was your computer that sent this mail (same IP, sadly no HELO or EHLO string :-( ). But there are 'In-Reply-To:' and 'References:' headers too ... quite unusual, as even if the worm could have used the MAPI interface without you noticing (which I can't imagine, btw), how should it know about the original message ID? It would have to be able to read the TB! message database format to figure that out ... and I've not read that 'Klez' is able to do so ...

You have written 'There was no attachment from me.' ... does that mean the recipient had no attachment in the mail? If so there's no 'Klez' issue we could talk about, as 'Klez' is spreading itself and not sending empty messages :-)

To come to an end: I'd suggest updating the signature file and re-scanning your whole system. Installing a second AV program would also be a good idea, in case there's a new variant of Klez around that NAV does not yet have in its signature file. E.g.
http://www.free-av.com/ (which is _really_ slow over here); the (faster) direct download links are:
Win9x http://www.free-av.de/personal/en/win9x/avwin9xp.exe
Win2000/XP http://www.free-av.de/personal/en/winnt/avwinntp.exe

-- 
Regards
Peter Palmreuther mailto:[EMAIL PROTECTED]
(The Bat! v1.60c on Windows 2000 5.0 Build 2195 Service Pack 1)

Gone back into the darkness
Re: A good tool: Win32.Klez worm sent by me via The Bat!?
Hello Peter,

Thanks very much for your reply.

> First: if TB! had sent this message it would reside in your 'Sent'
> folder. Have a look there ... (Albeit I can't believe TB! has sent it,
> have a look to be sure.)

I believe you are correct... it was not in my sent folder. I have been looking for more information on this worm and I read on alt.comp.virus that it forges the From header, making it look as though it came from an individual.

> Second: You write you're not _using_ Outlook. Do you have it installed
> anyway and maybe some aeons ago configured to work properly? Does Outlook
> (if installed) or Outlook Express have knowledge of your account data
> (name, e-mail address, SMTP server)?

Outlook had been installed when my laptop was initially configured by the computer folks at work. I've never actually started it up or configured it; I've used TB! for a few years.

> You have written 'There was no attachment from me.' ... does that mean the
> recipient had no attachment in the mail? If so there's no 'Klez' issue we
> could talk about, as 'Klez' is spreading itself and not sending empty
> messages :-)

She originally indicated that there was no attachment, and upon re-examining it in the trash folder of her Outlook program, said there was one. She deleted it without taking note of its name or extension.

> To come to an end: I'd suggest updating the signature file and re-scanning
> your whole system. Installing a second AV program would also be a good
> idea, in case there's a new variant of Klez around that NAV does not yet
> have in its signature file.

Thanks. I registered KAV (because of its integration with TB!), and scanned my system. It identified Exploit.IFrame.FileDownload in the trash folder of TB! (I had deleted the message that she had sent me, which had a copy of the original message that I was alleged to have sent her).

Interestingly, I had set KAV to delete infected files, and it deleted all the messages in the trash (not a huge problem obviously, but I usually keep 5000 messages there).

-- 
Regards,
Mike

Using The Bat! 1.60d under Windows 98 4.10 Build A
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Mike Harlos
Winnipeg, Manitoba, Canada
PGP Keys: DH/DSS 0x8CD85BCE, RSA 0xBBDB40B1
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Re: A good tool: Win32.Klez worm sent by me via The Bat!?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 20 Apr 2002, at 18:31:39 +0200 Peter wrote:

PP> Win9x http://www.free-av.de/personal/en/win9x/avwin9xp.exe

AntiVir Personal Edition (today's update, newest version) unfortunately cannot detect even old viruses/trojans/worms such as Weird, Magistr etc.

Mandara

- -- 
 (__)   If you need this key:
 ('')   mailto:[EMAIL PROTECTED]?subject=0x257DFF36
  \/

-----BEGIN PGP SIGNATURE-----

iD8DBQE8wkeKvgcu6yV9/zYRAvGdAJ4nIN0nyqRVl2VVP+sDB/UZWS31ewCePhUB
bJMg1vAB/1UhpeEwI56O4Ww=
=R6Ml
-----END PGP SIGNATURE-----
A good tool: Win32.Klez worm sent by me via The Bat!?
Hi,

A colleague of mine has just received a message from me (without my knowledge of sending it) which appears to be related to the Win32.Klez worm.

There was no attachment from me.

How could this happen with TB? I don't use Outlook, and I thought that this worm exploited Outlook. I am VERY vigilant about attachments, and have TB! set up to not allow opening of *.COM,*.EML,*.CMD,*.JS,*.PL,*.BAS,*.JAVA,*.REG,*.EXE,*.VBS,*.PIF,*.SCR,*.SHS files.

It appears that I have somehow been infected, though NAV has not picked up anything.

The following includes the original message. Where you see X is where I have tried to avoid posting her contact info publicly:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Delivered-To: XX
Received: from outbox.attcanada.ca (outbox.attcanada.ca [207.245.244.41])
        by fep6.cogeco.net (Postfix) with ESMTP id 07EEB6D5E
        for XX; Fri, 19 Apr 2002 16:29:07 -0400 (EDT)
Received: from win-mb50-139.netcom.ca (win-mb50-139.netcom.ca [216.191.162.11])
        by outbox.attcanada.ca (Postfix) with ESMTP id 4567332E2
        for XX; Fri, 19 Apr 2002 16:29:06 -0400 (EDT)
Date: Fri, 19 Apr 2002 15:29:05 -0500
From: Mike Harlos [EMAIL PROTECTED]
X-Mailer: The Bat! (v1.60d)
Reply-To: Mike Harlos [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: XX
Subject: Re: A good tool
In-Reply-To: [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

-----Original Message-----
From: Mike Harlos [mailto:[EMAIL PROTECTED]]
Sent: April 19, 2002 4:29 PM
To: XX
Subject: Re: A good tool

This is a good tool I expect you would like it.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

-- 
Regards,
Mike

Using The Bat! 1.60d under Windows 98 4.10 Build A
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Mike Harlos
Winnipeg, Manitoba, Canada
PGP Keys: DH/DSS 0x8CD85BCE, RSA 0xBBDB40B1
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
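The following Python script is an added example, not code from the thread or from The Bat!. It applies the check Peter does by hand in his reply to the headers Mike quoted: it walks the 'Received:' chain from origin to final hop (the part of the message the receiving mail servers stamped on), reports the originating host and IP, whether that host's HELO name matches the reverse DNS the receiving server recorded, and whether the IP is one the reader knows was their own, and keeps all of that separate from 'From:', 'Reply-To:', 'X-Mailer:' and 'In-Reply-To:', which the sending program fills in and which any program with its own SMTP engine can set to anything. The sample headers are constructed from the ones in Mike's post, with placeholder addresses and Message-IDs where the page redacts them; the second sample, a message injected from a different host, is likewise constructed to show the contrasting result.

```python
"""Triage a suspected worm-forged message the way Peter did in the thread:
use the Received: chain the receiving MTAs stamped on it as evidence, and
treat From:, Reply-To:, X-Mailer: and In-Reply-To: as sender-supplied.

Added example; not code from the thread or from The Bat!."""
import re
from email import message_from_string
from email.utils import parseaddr

# Postfix-style hop: "from HELO (RDNS [IP]) by SERVER ...". RDNS is optional
# because some MTAs write "from HELO ([IP])" when the reverse lookup fails.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample modelled on the headers quoted in Mike's post; the
# addresses and Message-IDs are redacted on the page, so placeholders stand in.
THREAD_SAMPLE = """\
Received: from outbox.attcanada.ca (outbox.attcanada.ca [207.245.244.41])
\tby fep6.cogeco.net (Postfix) with ESMTP id 07EEB6D5E
\tfor <colleague@example.net>; Fri, 19 Apr 2002 16:29:07 -0400 (EDT)
Received: from win-mb50-139.netcom.ca (win-mb50-139.netcom.ca [216.191.162.11])
\tby outbox.attcanada.ca (Postfix) with ESMTP id 4567332E2
\tfor <colleague@example.net>; Fri, 19 Apr 2002 16:29:06 -0400 (EDT)
Date: Fri, 19 Apr 2002 15:29:05 -0500
From: Mike Harlos <mike@example.org>
X-Mailer: The Bat! (v1.60d)
Reply-To: Mike Harlos <mike@example.org>
Message-ID: <reply-placeholder@example.org>
To: colleague@example.net
Subject: Re: A good tool
In-Reply-To: <original-placeholder@example.net>
References: <original-placeholder@example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

This is a good tool I expect you would like it.
"""

# Constructed contrast case: same From:/X-Mailer:, but injected from a
# third party's dial-up host whose HELO name does not match its reverse DNS.
FORGED_SAMPLE = """\
Received: from mail.example.org (dsl-198-51-100-23.isp.example [198.51.100.23])
\tby mx.example.net (Postfix) with ESMTP id 0F1D2C3A
\tfor <colleague@example.net>; Sat, 20 Apr 2002 09:12:44 -0400 (EDT)
From: Mike Harlos <mike@example.org>
X-Mailer: The Bat! (v1.60d)
To: colleague@example.net
Subject: A good tool
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

This is a good tool I expect you would like it.
"""


def parse_hops(raw_message):
    """Return the Received: hops in delivery order, origin first.
    Each MTA prepends its own line, so the last header is the earliest hop."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def assess(raw_message, own_ips=frozenset()):
    """own_ips: addresses the reader knows were theirs at the time, so the
    origin hop can be compared with their own machine as Peter did."""
    msg = message_from_string(raw_message)
    hops = parse_hops(raw_message)
    origin = hops[0] if hops else None
    _, from_addr = parseaddr(msg.get("From", ""))
    return {
        # Sender-supplied fields: any SMTP client, a worm included, sets these.
        "claimed_from": from_addr,
        "x_mailer": msg.get("X-Mailer"),
        "has_reply_context": msg.get("In-Reply-To") is not None,
        # Server-stamped fields: only the receiving MTAs wrote these.
        "hop_count": len(hops),
        "origin_ip": origin["ip"] if origin else None,
        "origin_rdns": origin["rdns"] if origin else None,
        "helo_matches_rdns": bool(origin and origin["rdns"]
                                  and origin["helo"].lower() == origin["rdns"].lower()),
        "origin_is_own_machine": bool(origin and origin["ip"] in own_ips),
    }


if __name__ == "__main__":
    for label, sample in (("thread", THREAD_SAMPLE), ("forged", FORGED_SAMPLE)):
        print(label, assess(sample, own_ips={"216.191.162.11"}))
```

Run as a script it prints both assessments. For the thread sample the origin IP is the reader's own and HELO matches reverse DNS, which is the "same IP" observation Peter made; for the forged sample the origin is a foreign host with a mismatched HELO while From: and X-Mailer: still name Mike and The Bat!, which is the forged-From behaviour Mike found described on alt.comp.virus. The X-Mailer: line in particular is just another header the sending program writes and is no evidence of which program sent the mail.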