[Vwdiesel] The KLEZ confusion

Bill Truesdell bhfarms at suscom-maine.net
Tue Jul 9 10:44:43 EDT 2002


Sandy is right.

The hits that you get from Klez have nothing to do with the address of
the sender. The virus harvests addresses from the infected computer and
sends itself out using the addresses it harvested. I got a call from a
friend asking why I sent a mysterious message. I never sent it. But I was
able to track down the person (a friend) whose computer was infected by
the last received from and notified them.

It is a nasty virus. By some estimates, over 30% of all email is because
of Klez mailing itself out. It also sends itself as a returned message
or as a fix to the virus, where it tells you to disregard virus alerts
since it will "protect you forever".

BTW. You can be infected if you have older versions of MSIE, which is
how my friend got infected. He never opened an attachment but got it
anyway, so if you use MSIE, update it to the latest version, or use
Netscape or Mozilla.

All the, what I consider dumb, virus alerts to the list are problems
with some antivirus programs which also flood the internet with useless
messages since the virus did not come from the address on the email. The
reason I say dumb is that many other viruses dummy the from address so
the messages will just bounce. It is a feature that has lost its
usefulness and should be shut down. Sort of like keeping your turn
signal on all the time in anticipation of a possible turn, instead of
turning it on when needed.

Bill T

Sandy Cameron wrote:
>
> This virus causes the loss of good friends because it sends itself from
> computers operated by unknowing users that have been infected, who don't
> have virus protection software and probably don't know they are infected.
>
> It ALWAYS fakes a sender address, usually captured from a previous visit to
> another computer, from the address lists it finds there, and carries forward
> to the dummy computer it is sending from.
>
> As someone here observes, the sender field is useless as a source ID, but
> the ISP ID number is probably true, and if you are mad enough about it, you
> could seek redress from the ISP it came from.
>
> The only way we will stop getting the hits on the group, is when someone
> discovers they have the virus (and they are NOT likely to be a group member)
> and cleans it up.
>
> ANYBODY who has your email address in their computer can be a remail point.
>
> Symantec (do a google on KLEZ) has an excellent description of how it works,
> and a downloadable free utility for cleaning it out of a computer.
>
> Most firewall programs kill it on arrival (Mine, PC-Cillin, works instantly)
>
> I use a text-only (Eudora lite) mail pgm, and coupled with PC-cillin, keeps
> the house clean.
>
> It would be regressive to trash a group or its owner because it is
> effectively dealing with a preventable nuisance. DELETE and move on.
>
> Sandy
>
> _______________________________________________
> vwdiesel mailing list
> vwdiesel at vwfans.com
> http://www.audifans.com/mailman/listinfo/vwdiesel
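Both messages make the same point: the From: line of a Klez message is a harvested address, while the Received: lines stamped by the relays are what point back to the infected machine (Bill's "last received from", and what Sandy calls the ISP ID number). As an added illustration, not code from either poster, the Python script below parses a constructed message whose hostnames and addresses are made up, ignores the From: header, and walks the Received: chain down through the relays you trust to name the originating address.

```python
import re
from email import message_from_string

# Constructed sample (not a real Klez message): From: carries a harvested
# third-party address; the Received: lines were stamped by relays, newest first.
SAMPLE = """Received: from mx.example-list.net (mx.example-list.net [198.51.100.7])
\tby lists.example.net with ESMTP; Tue, 9 Jul 2002 09:01:12 -0400
Received: from isp-relay.example-isp.net (isp-relay.example-isp.net [203.0.113.25])
\tby mx.example-list.net with ESMTP; Tue, 9 Jul 2002 09:01:10 -0400
Received: from oemcomputer (dialup-42.example-isp.net [192.0.2.42])
\tby isp-relay.example-isp.net with SMTP; Tue, 9 Jul 2002 09:01:03 -0400
From: friend@example.org
To: vwdiesel@vwfans.com
Subject: a funny website

(attachment omitted)
"""

# One common shape of a Received: line: "from <helo> (<rdns> [<ip>]) by <relay>"
HOP_RE = re.compile(r"from\s+\S+\s+\([^)\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")

def claimed_sender(raw):
    """The From: header; for Klez this is a harvested address, not the sender."""
    return message_from_string(raw)["From"]

def hops(raw):
    """(from_ip, stamped_by) for every Received: line, newest first."""
    out = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def probable_origin(raw, trusted_relays):
    """IP from the lowest Received: line stamped by a relay you trust: walk down
    from the newest hop and stop at the first line stamped by an unknown host,
    since everything below it could have been forged by the sending machine."""
    origin = None
    for from_ip, stamped_by in hops(raw):
        if stamped_by not in trusted_relays:
            break
        origin = from_ip
    return origin

if __name__ == "__main__":
    ours = {"lists.example.net", "mx.example-list.net"}
    print("From: says", claimed_sender(SAMPLE))
    print("trusting only our servers:", probable_origin(SAMPLE, ours))
    print("trusting the ISP relay too:", probable_origin(SAMPLE, ours | {"isp-relay.example-isp.net"}))
```

Trusting only the list's own servers names the ISP relay that handed the message over, which is the party to contact; trusting that relay's stamp as well names the dial-up host behind it.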