[Vwdiesel] OT but concerning members of the vwdiesel list

Bill Truesdell bhfarms at suscom-maine.net
Tue Aug 27 09:26:57 EDT 2002


James Hansen wrote:

> I've been getting them too Brian, but I had no idea they had attachments.
> My virus eater just flushes it all.  How is it you are seeing the files
> without getting infected yourself, as apparently Klez hides in copies of
> files for replication purposes, or is that wrong?  Yeah, but the daily klez
> files suck.  Have you been getting messages without any body, just a title,
> and that don't set off your virus eater?  I've been worried about that some
> as I am getting between one to five per day this way, full system virus scan
> shows no bugs...
> just checked, today's one from wormwiggler has a return path of
> backintime at triton.net

Many things are going on here.
1. You get an email that says klez was discovered on your computer from
another person's AntiVirus program, but your AV shows no virus and no
alert. - Klez captures email addresses on the infected computer and
sends email out with the virus under those addresses, so the infected
computer is almost never the email address in the from header. Since
that address may be yours, the AV program of the person receiving the
email notifies you that you have the virus, when you do not. In the case
of many of the alerts that I get on this list, it says the sender
(listserv) has the virus. The list does not have the virus. Someone with
the address of the list in their computer does. So it could be a current
or past member.

2. You get an email with Klez and your AV program notifies you it is an
attachment. - Follow the prompts of the AV program and delete the email.
If you want to quarantine it, fine, but there is nothing in it of
value... except

And do the following only if you are a bit computer/email literate.

3. If you want to find out where the email is actually coming from (only
the ISP but occasionally the actual email address) after the AV program
deletes the attachment (which is where the virus is located) you will
normally see a message without any text, just the from and to addresses
(or something saying the attachment was removed). If you are familiar
with looking at full headers, look for the last received from line in
the list and the ISP in the () is where the message originated. The
email address on that line is fake but the ISP cannot be faked. Use an
ISP lookup like whois to get the ISP name, address and often email
address. You can then send them the info from the header and they might
do something about it if they can ID the sending computer.

4. If you are really interested in seeing the virus, after the AV
program kills it, you can look at the blank message and click on view
page source and you will see a load of garbage where the blank section
was. That is the payload of the virus. The executable was deleted by the
AV program. The reason some see nothing and some see a block of letters
is in their email settings.

There are plenty of places where you can learn more about Klez. Symantec
has excellent info. If you are concerned, check there. They will also
scan your computer for free. Won't fix anything, just tell you if you
have a problem. Klez does disable your AV program but there are telltale
signs it has done so, like not being able to go to the AV site.

In any case, most of the stuff we are getting from the list is annoying
but not a problem. It would be nice if those who continually send out
the alert shut that off in their AV program. It was a nice feature
until Klez came along. Now it is just an annoyance.

Bill T
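Added example, not part of this list post: a small Python script that does the header check from item 3 (find the bottom-most Received line and pull out the originating host and IP) on constructed sample headers, plus the caveat a practitioner wants, namely that Received lines below the last hop recorded by a server you trust may have been written by the infected machine itself. All hostnames, addresses and IDs in it are made up.

```python
import email
import re

# Constructed sample (not a real captured message): the top Received line was
# added by the member's own mail server, the bottom one by the list server.
# A worm can forge extra Received lines, and those always end up at the bottom.
SAMPLE_MESSAGE = """\
Received: from listserv.example.net (listserv.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
\tfor <member@example.org>; Tue, 27 Aug 2002 09:20:01 -0400
Received: from backintime (dialup-42.isp.example [203.0.113.42])
\tby listserv.example.net with SMTP id xyz789;
\tTue, 27 Aug 2002 09:19:40 -0400
From: wormwiggler@example.com
To: vwdiesel@example.net
Subject: a funny game

"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s*by\s+(?P<by>\S+)"
)

def received_hops(raw):
    """Parse every Received header, top (newest) to bottom (oldest)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))  # unfold the header
        if m:
            hops.append(m.groupdict())
    return hops

def bottom_hop(raw):
    """The 'last received from line' of the post: the earliest recorded hop."""
    hops = received_hops(raw)
    return hops[-1] if hops else None

def best_origin(raw, trusted_suffixes):
    """Deepest hop recorded BY a server you trust; what it saw connecting is the
    origin you can rely on. Lines below it come from machines you do not control."""
    chosen = None
    for hop in received_hops(raw):
        if any(hop["by"].endswith(s) for s in trusted_suffixes):
            chosen = hop
        else:
            break
    return chosen

if __name__ == "__main__":
    print("bottom hop:", bottom_hop(SAMPLE_MESSAGE))
    print("trusting only example.org:", best_origin(SAMPLE_MESSAGE, ("example.org",)))
```

With only your own domain trusted, the script stops at the list server's IP; trusting the list server's own Received line as well is what gets you down to the dial-up address the post talks about.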
