Klez Virus Problem
I'm having problems with the Klez virus. I think it's infected one of my boxes, I keep getting returned infected mail. (not anyone I know, just seems to be arbitrary addys)
I took all my boxes down last night and scanned them with a Klez virus detector from Symantec's web site. All my boxes reported clean but just to be safe, I removed Outlook Express from all machines. My main machine that I send and receive e-mail on is protected with Norton Antivirus 2002. It is catching the incoming infected virus so I don't know what's going on.
I am getting a lot of returned e-mails, some with attached messages from network administrators telling me that I mailed them infected e-mails.
Anyone got any ideas what else to do at this point?
mnosteele52
07-18-02, 11:35 PM
The Klez virus spoofs your email address, making people think it came from you when it didn't. As long as NAV 2002 is up to date and you did a scan and are clean, it's not on your PC. :)
Hey Goob,
I don't believe that you are infected...
What happens with Klez is say:
Tom is infected with Klez, Abe and Goobie are in Tom's email addresses, Klez sends Goobie a letter from Abe, if you follow...
Neither Goobie nor Abe is infected, they were merely in Tom's infected email, and hoping that you open it up so you will then become infected...
These come from "Webmaster", just about anyone....
I will send you to Security and see what those guys say...
l8rz,
Ken
I wonder where the spammers got my addy from? It's being sent to my private e-mail, not the public one I use on the forums. :confused:
Originally posted by goobee
I wonder where the spammers got my addy from? It's being sent to my private e-mail, not the public one I use on the forums. :confused:
Someone that has your private addy, also has Klez... ;)
And it is not coming from the person that is sending you the email with it...
Do not open it, but post the full email header... Black out your personal addy! Or send it to me in a PM...
I don't even know any of these bastards. <xxx@earthlink.net is my despammed addy>
Status: RO
Return-Path: <latinanita@earthlink.net>
Received: from gull.mail.pas.earthlink.net ([207.217.120.84])
    by cuckoo (EarthLink SMTP Server)
    with ESMTP id 17uXrc6tn3NZFmU0 for <xxx@earthlink.net>;
    Wed, 17 Jul 2002 15:38:26 -0700 (PDT)
Received: from lsanca1-ar7-4-43-218-156.lsanca1.elnk.dsl.genuity.net ([4.43.218.156] helo=Mvwkem)
    by gull.mail.pas.earthlink.net
    with smtp (Exim 3.33 #1) id 17UxR4-0002ij-00 for xxx@earthlink.net;
    Wed, 17 Jul 2002 15:38:18 -0700
From: John212 <John212@rochester.rr.com>
To: xxx@earthlink.net
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Yc6Zb6cT0L94jtB40gR
Message-Id: <E17UxR4-0002ij-00@gull.mail.pas.earthlink.net>
Date: Wed, 17 Jul 2002 15:38:18 -0700
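An added example, not part of any post in this thread: a short Python check that reads the header posted above the way the replies describe, comparing the displayed From: address with the envelope sender and with the host that actually handed the message to the recipient's ISP. The function names and the two-label domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header text copied from the post above, continuation lines indented so it parses.
RAW = """\
Return-Path: <latinanita@earthlink.net>
Received: from gull.mail.pas.earthlink.net ([207.217.120.84])
    by cuckoo (EarthLink SMTP Server)
    with ESMTP id 17uXrc6tn3NZFmU0 for <xxx@earthlink.net>;
    Wed, 17 Jul 2002 15:38:26 -0700 (PDT)
Received: from lsanca1-ar7-4-43-218-156.lsanca1.elnk.dsl.genuity.net ([4.43.218.156] helo=Mvwkem)
    by gull.mail.pas.earthlink.net
    with smtp (Exim 3.33 #1) id 17UxR4-0002ij-00 for xxx@earthlink.net;
    Wed, 17 Jul 2002 15:38:18 -0700
From: John212 <John212@rochester.rr.com>
To: xxx@earthlink.net
Subject: Worm Klez.E immunity
"""

# "from <host> ([<ip>] helo=<name>)" as written by the servers in this header.
HOP = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\](?:\s+helo=([^)\s]+))?\)")

def org_domain(host):
    """Crude organisational domain: last two labels (assumption, fits .com/.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def addr_domain(value):
    """Domain part of an address header such as From: or Return-Path:."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    hops = [m.groups() for m in map(HOP.search, msg.get_all("Received", [])) if m]
    # Received lines are prepended, so the bottom one is the first hop. Here it was
    # written by the recipient's own ISP server, so its recorded IP can be trusted.
    origin_host, origin_ip, helo = hops[-1]
    from_dom = addr_domain(msg["From"])
    return {
        "from_domain": from_dom,
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "helo": helo,
        "from_vs_envelope_mismatch": org_domain(from_dom) != org_domain(addr_domain(msg["Return-Path"])),
        "from_vs_origin_mismatch": org_domain(from_dom) != org_domain(origin_host),
        "helo_not_fqdn": bool(helo) and "." not in helo,
    }

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```

A mismatch alone also occurs with forwarding and mailing lists; it is the combination with a non-FQDN HELO from a dial-up/DSL address that points to a worm's own SMTP engine rather than the named sender's mail server.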
Bear with me a few, K... ;)
K, Let's get a Klez background:
http://www.itd.umich.edu/virusbusters/klez.html
http://www.overclockersclub.com/cgi-bin/viewnews.cgi?id=EpEApZyAyFRHWjcWim
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99455
http://www.sophos.com/virusinfo/analyses/w32klezg.html
K, now about the email addy spoofing:
http://www.wired.com/news/technology/0,1282,52174,00.html
http://www.theregister.co.uk/content/56/25542.html
http://www.itd.umich.edu/virusbusters/suspicious_attachment.html
http://spamcop.net/fom-serve/cache/19.html
K, How to read an email header:
http://www.stopspam.org/email/headers/headers.html
http://help.mindspring.com/docs/006/emailheaders/
http://pobox.com/headers.html
http://www.uic.edu/depts/accc/newsletter/adn29/headers.html
I can't find the link that I wanted... :(
Wow, thanks Ken. It's gonna take me a while to go through all the links.
Wife's calling me to bed, Goob! ;)
Those links should get you going on the right road...
Let me know if I can assist you in any way. These other guys that cruise through may add some info for ya... They are a good group of guys! :)
l8rz,
Ken
Was it one of these Ken? Say hi to Rosa.
http://massvva.com/spoof.html
http://www.ucolick.org/~de/webmaster/UCE.html
http://members.ozemail.com.au/~chisel/antispam/antispam2.html
http://email.about.com/library/series/blspam_series.htm
Croc.