
RE: Possible Virus --> Re: Sos!



Regarding the virus: 

Norton AntiVirus 2002 reports that it is the KLEZ virus.  

I emailed Josh, and he did NOT send any email to the Dinosaur Mailing
List.  

Here is information about the virus (from Symantec):

        W32.Klez.gen@mm is a mass-mailing worm that searches the
        Windows address book for email addresses and sends messages to
        all recipients that it finds. The worm uses its own SMTP engine
        to send the messages.

        The subject and attachment name of incoming emails is randomly
        chosen. The attachment will have one of the following
        extensions: .bat, .exe, .pif or .scr.

        The worm exploits a vulnerability in Microsoft Outlook and
        Outlook Express in an attempt to execute itself when you open or
        even preview the message. Information and a patch for the
        vulnerability can be found at
        http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
        W32.Klez.gen@mm attempts to copy itself to all network shared
        drives that it finds.

        Depending on which variant of the worm, the worm will drop one
        of the following viruses:
                W32.Elkern.3326
                W32.Elkern.3587
                W32.Elkern.4926
        which will then infect the system.

        Email spoofing
        Some variants of this worm use a technique known as "spoofing."
        If it does this, it chooses at random an address that it finds
        on an infected computer as the "From:" address that it uses when
        it performs its mass-mailing routine. Numerous cases have been
        reported in which users of uninfected computers receive
        complaints that they have sent an infected message to someone
        else.

        For example, Linda Anderson is using a computer that is infected
        with W32.Klez.E@mm; Linda is not using an antivirus program or
        does not have current virus definitions. When W32.Klez.gen@mm
        performs its emailing routine, it finds the email address of
        Harold Logan. It inserts Harold's email address into the "From:"
        line of an infected email that it then sends to Janet Bishop.
        Janet then contacts Harold and complains that he sent her
        infected email, but when Harold scans his computer, Norton
        AntiVirus does not find anything--as would be expected--because
        his computer is not infected.

        If you are using a current version of Norton AntiVirus, have the
        most recent virus definitions, and a full system scan with
        Norton AntiVirus set to scan all files does not find anything,
        you can be confident that your computer is not infected with
        this worm.

Someone, somewhere, who has the DML as an address in their address book
is infected with this virus.  Possibly more than one person.

Allan Edels 

-----Original Message-----
From: owner-dinosaur@usc.edu [mailto:owner-dinosaur@usc.edu] On Behalf Of David Marjanovic
Sent: Tuesday, April 30, 2002 2:15 PM
To: dinosaur@usc.edu
Subject: Re: Possible Virus --> Re: Sos!

> Our mail server whacked this, claiming "Stats.scr" is a possible
> virus.

Norton Antivirus, updated a few days ago, immediately struck and
suggested to repair the infected file.
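
As an added illustration (not part of the original messages or of Symantec's text), this Python example triages a received message in line with the spoofing description above: it treats "From:" as a claim only, reads the connecting IP from the earliest Received header, and flags attachments with the listed extensions. The sample message, host names and IP addresses are constructed, and the function name `triage` is hypothetical.

```python
import email
import os
import re
from email import policy

# Attachment extensions the Symantec text lists for Klez.
RISKY_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}

# Constructed sample: names follow the advisory's example, hosts and IPs are
# made-up values in reserved documentation ranges, the payload is a placeholder.
SAMPLE = """\
Received: from lindas-pc (dialup-77.isp.example [198.51.100.77])
\tby mx.bishop.example; Tue, 30 Apr 2002 14:02:09 -0400
From: Harold Logan <harold@logan.example>
To: Janet Bishop <janet@bishop.example>
Subject: Sos!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attachment
--b1
Content-Type: application/octet-stream; name="Stats.scr"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

def triage(raw):
    """Return the claimed sender, the connecting IP and risky attachment names."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [n for n in names
             if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]
    # Relays prepend Received lines, so the last one is the earliest hop.
    # Assumption: it was written by the recipient's own server, not forged.
    hops = msg.get_all("Received", [])
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return {
        "claimed_from": msg["From"].addresses[0].addr_spec,
        "connecting_ip": ip.group(1) if ip else None,
        "risky_attachments": risky,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the constructed sample the "From:" line names Harold, while the connecting IP belongs to the dial-up host of the infected machine, which is the detail to follow up with the sending network.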