Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug

Klez, The Virus that Keeps on Giving 686

kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson." God bless microsoft email viruses. I'm on a modem for a few weeks and downloading countless megs of mail viruses is extremely frusterating. Course I'm still getting sircams.
This discussion has been archived. No new comments can be posted.

Klez, The Virus that Keeps on Giving

Comments Filter:
  • by Vicegrip ( 82853 ) on Tuesday April 30, 2002 @02:30PM (#3437674) Journal
    May they spend the rest of eternity having to listen to Oral Roberts sermons
  • Scripts (Score:3, Insightful)

    by Anonymous Coward on Tuesday April 30, 2002 @02:31PM (#3437683)
    Hrm, I can't think of any practical uses of scripting in emails anyway. Can anyone help me out?
    • Re:Scripts (Score:4, Insightful)

      by grahamsz ( 150076 ) on Tuesday April 30, 2002 @02:37PM (#3437738) Homepage Journal
      So targetted marketing campaigns can track which users look at what and for how long.
    • Re:Scripts (Score:3, Insightful)

      by phyxeld ( 558628 )
      Hrm, I can't think of any practical uses of scripting in emails anyway. Can anyone help me out?

      Microsoft hasn't gotten rid of scripting in Outlook because it's required for nasty email viruses like Klez to spread, which in turn allows microsoft to step in and "save the day", which leads to news headlines like "Microsoft releases latest Outlook security patch [cnn.com]", "Microsoft patch to block "Love"-like viruses [com.com]", and, my favorite, "Microsoft to secure e-mail [cnn.com]".

      To the average schmoe who doesn't realize these viruses are only possible because of microsoft's stupidity, it would appear that microsoft is valiantly fighting the inevitable battle against nasty virus-writing hackers.

      </conspiracy theory>

      Or maybe they're really just so stupid that they think scripting in emails is such a great feature it's worth putting up with all this bullshit. If you ask me, HTML email isn't even needed. Plain ol' text usually works fine for me; most of the HTML emails I get are spam and the few that aren't usually have a text/plain version as well.

      Notice that the last article I linked to sounds like a pretty solid fix: Users will be suposedly prompted before any emailed scripts do anything, and given a yes/no dialog to stop them from doing anything bad. Seems like a good idea. Unfortunetly, that article is dated June 2000, so clearly it didn't work out... Anyone know what the deal with that is?
      • Re:Scripts (Score:3, Informative)

        by afidel ( 530433 )
        Actually it's because some very large clients with tens of thousands of seats have built entire middleware on exchange/outlook. Things like a remote salesman gets a PO from a client, they go into a product catalog in their web browser, it creates the order, places it in their outbox, then when they get in the office it fires the email which automatically gets routed based on rules on the exchange side of things (like if over x million skip a few middle managers etc). Nowadays most of this would be done with intranets and java middleware driving the business logic, but for companies that have tens of millions invested in their solutions they don't want outlook to go back to being an email client.
  • by brooks_talley ( 86840 ) <brooks@@@frnk...com> on Tuesday April 30, 2002 @02:32PM (#3437689) Journal
    Try operating a legit, non-spamming adult site that's worked hard for years to get a decent reputation, only to have klez emails that appear to come from your customer support email address.

    People are going to believe a priest when it's explained that it was a virus; nobody is going to believe a legit company that's operating in an industry where so much spam originates.

    Argh.
    -b
    • Why are you going to believe the priest was innocent?

  • by Nos. ( 179609 ) <`ac.srrekeht' `ta' `werdna'> on Tuesday April 30, 2002 @02:34PM (#3437711) Homepage
    After getting infected with sircam (My mcafee wasn't updating or scanning properly for some reason) I decided to say screw it, and start scanning email on my server. Now, anything that comes in, gets scanned firts. If f-prot can't find anything, then it gets delivered, otherwise it never show up in my inbox. If you want a look at what I did, check out my scanner [iamnos.ca].
    • Try qmail-scanner (Score:4, Informative)

      by Havokmon ( 89874 ) <rick@NospAm.havokmon.com> on Tuesday April 30, 2002 @02:39PM (#3437765) Homepage Journal
      Qmail Scanner [sourceforge.net] uses the qmailqueue patch, supports your favortite virus scanner (FProt free for Linux), MIME decoding, and hacked up MS email.

      Works wonders

    • My company started scaning all incoming email at the fire wall too. It was going fine until some numb-skull decided to download an attachment from his Hotmail account. Once opened inside the network, it did its dirty work.
      • It was going fine until some numb-skull decided to download an attachment from his Hotmail account. Once opened inside the network, it did its dirty work.

        Use Opera, it doesn't work with Hotmail's download script.

        What a pleasant side-effect. I removed IE [98lite.net] to stop Viruses from auto-executing, and also happend to stop another potential source of viruses. :) And of course, desktop scanners are a must.

    • I tried this solution for a while too, but finally gave up on trusting the anti-virus vendors. After I got burned a few times by Norton coming out with an upgrade 2 hours AFTER I got infected, I stopped relying on it. I'm currently using the Email Sanitizer [impsec.org] on my mail gateway. Instead of looking for virii (which will always be a try-to-stay-one-step-ahead-of-the-bad-guys type setup) I just have a list of attachments I don't allow. These happen to include all of the attachments that windows will execute on a double-click. I've gotten probably 400 klez for my domains over the last few weeks, and every one of them has been blocked. Since 99% of the virii that come into my network come through email, this has all but eliminated our problems.
      • Actually that's a hell of an idea, and wouldn't be that hard to implement on my perl scanner. The thing I wanted was no big patches to apply (I had probelms with the qmailqueue patch). Is there a list of attachments somewhere I should look at (obviously .scr .vbs etc.)? Have to admit I did have a problem once with f-prot. I used to be able to ftp to f-prot.com but they changed it so I had to use ftp-f-prot.com but a quick update of my script file and it started auto-updating again.
      • by ScoLgo ( 458010 ) <scolgo@@@gmail...com> on Tuesday April 30, 2002 @03:55PM (#3438365) Homepage
        After I got burned a few times by Norton coming out with an upgrade 2 hours AFTER I got infected, I stopped relying on it.

        This is the whole problem with anti-virus software. Your best defense is your brain, not relying on someone else to write a defense program for you.

        I have a novice friend who recently asked me about viruses. He runs Win98, IE5, OE5. I helped him with security settings and explained the significance of file extensions to him. Even my beginner buddy easily understood that having a secondary extension on an e-mail attachment is a red flag to not open that attachment. That knowledge, along with some logical security settings, (scripting host 'off', please), is your best defense against these viruses. My brother-in-law OTOH, opened a virus recently and is waiting for me to come over and clean it off for him. It's an 80-mile drive so I think I'll let him stew for a couple days. Hopefully, he's learned his lesson.

        Sidebar - One of the biggest complaints I have about the default Windows install is that it hides extensions of known file types. Who was the genius at Microsoft that made that decision?

    • MIMEDefang (Score:2, Interesting)

      by dskoll ( 99328 )
      MIMEDefang [roaringpenguin.com]
      stopped Klez cold at my clients' sites.
    • The real problem is that Klez is emailing itself from an infected machine to a flood of people using your and my email address in the From: line. Not only does this cause a ton of people to respond to you and me saying "you must have a virus" or thinking that we really think that this penis enlargement solution works (or that we need one) -- but, it distributes your email address to others who may potentially get infected themselves, who may in turn infect others. Next thing you know, your email address that you've been so diligent about keeping somewhat private is inundated with spam and viruses.
  • Save your bandwidth (Score:5, Informative)

    by shepd ( 155729 ) <slashdot.org@gmail.COMMAcom minus punct> on Tuesday April 30, 2002 @02:36PM (#3437733) Homepage Journal
    telnet mail.xyz.com 110

    user (username)
    pass (password)
    list
    top (number of message to check) (kb to read)
    dele (message to delete)
    retr (number of message to read entirely)
    quit

    Quicker, cheaper, easier. This was one of the best tips I got from a friendly sysadmin. :)

    Of course, I would ask why CmdrTaco didn't check the RFC [faqs.org], but hey, who am I to question slashdot's leader? ;)
    • by elefantstn ( 195873 ) on Tuesday April 30, 2002 @03:13PM (#3438064)
      Of course, I would ask why CmdrTaco didn't check the RFC...


      Because it doesn't work if you spell all the commands wrong.
    • by rediguana ( 104664 ) on Tuesday April 30, 2002 @03:17PM (#3438082)
      If you want a pretty windoze gui for doing the same thing, and free as in 'beer' / nagware, try Mailwasher [mailwasher.net]. The ability to bounce spam and delete virii from POP boxs before downloading, not to mention dickheads who send huge emails is very useful. It has saved me numerous times.
    • by SysKoll ( 48967 )

      I totally agree, it's how I check my email from friends' machines when said friend does not want me to mess up with his POP account setup.

      However, it is time consuming to view each message this way.

      Small remark: the TOP command takes as arguments the message number and the number of lines (not the number of kilobytes) to display.
      TOP 1 20
      will display the first twenty lines of message 1.

  • by Anonymous Coward on Tuesday April 30, 2002 @02:36PM (#3437734)

    They infect or have infected 7.2% of all computers. (more than any other virii)

    A windows version for cleaning your pc of Klez. [kaspersky.ru] (and removes Nimbda, Melissa, etc.)
  • by gurth ( 183603 ) on Tuesday April 30, 2002 @02:37PM (#3437739)
    The number of virus alerts I get from my mail gateway has been inundated with Klez for the last week or so. Identifying remote infections was at least possible with Magistr variants, as it only did minor iterative changes to email addresses. Klez lives on an entirely different stratum of nuisance.
  • The average user? (Score:5, Insightful)

    by marekk ( 572361 ) on Tuesday April 30, 2002 @02:38PM (#3437747)
    From the Wired article:
    "Anytime you have a virus that is not easily identifiable visually, it tends to linger," Rod Fewster, Australian representative for antiviral application NOD32, said. "SirCam and Klez both vary the subject lines of the e-mails they send, which makes it hard for the average user to spot."
    Unfortunately, I'm sure the average user can't spot any e-mail viruses, let alone ones that change their subject line. While Outlook/Outlook Express greatly facilitates the spread of these viruses, a large part of the problem lies in the fact that too many people click on attachments and/or don't run proactive AntiVirus software on their system.
  • by Malc ( 1751 ) on Tuesday April 30, 2002 @02:38PM (#3437755)
    "Course I'm still getting sircams"

    I've been working for 2.5 years for a company that uses Exchange and Outlook. Most of my friends and colleagues use Outlook or Outlook Express at work and home, although I still use Netscape for personal stuff. I've received 2 email viri ever, and neither of them were the "common" ones like Melissa or SirCam. It leaves me wondering if people are making a big fuss out of nothing, and being a bit sensationalist or simply an anti-Microsoft bigot.
    • by ttyp0 ( 33384 ) on Tuesday April 30, 2002 @02:46PM (#3437843) Homepage
      Quite common. If you just sit and post on slashdot all day, then no, you probably aren't much of a target for virii. However, I run 3 large websites, active on 10 mailing lists and send close to 50 emails a day. My email address is spread all over the Internet like a bad case of herpes. In return I get close to 30 - 40 infected emails a day. That was before I installed a virus scanner on my mail server.
    • It leaves me wondering if people are making a big fuss out of nothing [...]

      One of our marketing folks sent Klez to our press-release mailing list.

      My mother-in-law got a message about the "sulfnbk virus", and my wife "cleaned up" our PC. Too bad it's not a virus, just a standard Windows file. (Although in a sense it's a virus, it just infects the users who unsuspectingly do damage to their system!) It's starting to be a good argument for me to switch to Linux...
    • For work I communicate with a large number of Pakistani, Indian, and Middle Eastern students and student wanna-be types. I get flooded with whatever virus is current...
    • by Anonymous Coward
      As I work for an AV firm that deals with email protection I'll respond as a Coward to protect my employer.

      I'd have to say that the sheer number of customers who are calling in still dealing with nimda adn magistr are alarming enough, without the numbers that are infected with KLEZ.

      This is not scare mongering, or anti-MS bantering.

      These email viruses are as pervasive as we are being led to believe and given the right payload, as dangerous, I'd have to say that given the number of people who find themselves infected it will 0nly take ONE really evil virii creator to make some form of uber zombie ddos.

      Nimda didn't sustain category 4 for as long as Klez has.
  • Mailing-lists (Score:4, Interesting)

    by chrysalis ( 50680 ) on Tuesday April 30, 2002 @02:39PM (#3437767) Homepage
    The worst thing about that virus is that it has massively hit a lot of mailing-lists.

    Interesting threads on mailing lists died because of this. People got insulted although they didn't send anything. A lot of people unsubscribed from mailing-lists due to this.

    So people installed antivirus software, personal firewalls, etc. The result was that on mailing-list, instead of having tons of viruses, we got tons of "alert: you have sent a virus, it has been removed by our robot", that is as frustrating as the original virus.

    Thanks a lot to Microsoft for being responsible of the most annoying viruses so far.


    • Re:Mailing-lists (Score:4, Insightful)

      by gwernol ( 167574 ) on Tuesday April 30, 2002 @02:54PM (#3437919)
      Thanks a lot to Microsoft for being responsible of the most annoying viruses so far.

      Isn't that a bit like holding Napster responsible for all theft of music that happens on its systems, or the manufacturers of CD-RW drives for all software piracy done on their machines? That's the argument used by the supporters of DCMA and other nasty bills that outlaw fair use.

      The scum-wad(s) who wrote the virus are responsible for its actions. Microsoft should do a better job of writing secure software, but the primary responsibility lies with the virus writer. Any responsibility born by Microsoft is equalled by the responsibility born by those users who don't apply security updates and don't run up-to-date firewall and virus checking software.
      • Re:Mailing-lists (Score:2, Insightful)

        by shades66 ( 571498 )
        >Microsoft should do a better job of writing secure software

        Exactly and that is why everyone makes comments because it is always (well 9 out of 10 at a guess) a microsoft feature/bug that allows the virus's to spread like wildfire.

        Mark.
      • Re:Mailing-lists (Score:3, Insightful)

        by tswinzig ( 210999 )
        Isn't that a bit like holding Napster responsible for all theft of music that happens on its systems, or the manufacturers of CD-RW drives for all software piracy done on their machines? That's the argument used by the supporters of DCMA and other nasty bills that outlaw fair use.

        If Microsoft hadn't enabled braindead default settings in Outlook/Outlook Express, things wouldn't be as bad as they are. Most of these viruses exploit holes in versions of Outlook/OE that are very popular. Sure, there are patches, but try getting people to install them. Then they have to reinstall Windows for some reason, they put OE or Outlook back on, and leave it unpatched.

        Microsoft will continue to get hammered over this until Outlook XP and subsequent versions reach critical mass, because those versions have some sane defaults (including not allowing any access to executable attachments finally!).
      • Re:Mailing-lists (Score:3, Interesting)

        The scum-wad(s) who wrote the virus are responsible for its actions. Microsoft should do a better job of writing secure software, but the primary responsibility lies with the virus writer.

        Who should bear responsibility, the architect who designs and builds 95% of houses in the world pre-installed with piles of oily rags, kindling and soaked in kerosene, or the pissy little vandal who finally threw one match?

        Shared responsibility between Microsoft and the vandals. Obviously. But Microsoft methodically lies about how secure their products are. At least the vandal's motives are plain and honest.
      • Re:Mailing-lists (Score:3, Insightful)

        by ewhac ( 5844 )

        Isn't that a bit like holding Napster responsible for all theft of music that happens on its systems, or the manufacturers of CD-RW drives for all software piracy done on their machines?

        No, it's not.

        "Those who do not understand UNIX are doomed to reinvent it, poorly."

        -- Henry Spencer

        Computer science and computer security experts have been saying for years that Micros~1 hasn't got the first fscking clue when it comes to writing solid, reliable, secure code. This despite the fact that there have been several examples of, if not ideal solutions, good first approaches to the problem. Indeed, to create WinNT, Microsoft snarfed the VMS team from DEC, a bunch of guys who understood those principles.

        And yet, despite the mountains of examples both within and without the company, despite the millions of computers blue-screening every damned day, Microsoft willfully persists in making the same stupid mistakes.

        As is well-known, Word macro viruses were a big problem in years past. This was because Microsoft made a series of impossibly moronic decisions:

        • To incorporate a macro facility into Word directly (rather than as an external engine driven by IPC protocols, where access controls can be applied in a uniform manner),
        • To embed the macros into the Word documents directly, rather than as separate macro files (thus making it impossible for the user to distinguish between a normal document and an "active" one),
        • To set the default condition to run the macros automatically upon document loading, without informing the user,
        • To, by default, not inform the user that any of this idiocy was going on.

        Okay, fine, so Microsoft got bitten by their would-be cleverness, but they cleaned up their act, right? They learned their lesson, right?

        No. Not only did they refuse to acknowledge that they had fscked up royally, they went and deliberately committed the same errors again and again:

        • Not only does IE uncritically implement JavaScript, it also throws in Visual Basic scripting and ActiveX, all of which are turned on by default. This condition is identical to that which propogated the Word macro virus fiasco. Even their "secure" execution environments hasn't prevented hostile Web sites from hijacking the browser.
        • Outlook likewise, without user intervention, will extract and launch embedded content while simultaneously hiding it from the user. The damn thing doesn't even check to make sure the MIME type and the filename extension are consistent.

        There's a term for this kind of behavior: Willful negligence. Oh, you can point out that there are security update downloads. But you can't ignore the fact that, if Microsoft had followed basic security principles, if they had learned from their own history -- hell, if they'd even extended common courtesy to their users -- this sort of thing wouldn't have happened in the first place.

        This isn't an honest mistake. This is a pattern with over twenty years of history behind it.

        Any responsibility born by Microsoft is equalled by the responsibility born by those users who don't apply security updates and don't run up-to-date firewall and virus checking software.

        I agree that uneducated users are a big problem. But, especially with the advent of broadband connectivity, what Microsoft has effectively done is to give a loaded Uzi with the safety off to eight-year-olds, and then fail to train them in its use or even tell them where the safety lock is.

        Microsoft touts its products as turnkey, ready-to-go, fire-and-forget, no setup, no configuration, no need to learn computer-ese, just sit down and become productive immediately. This is misleading in the extreme. Training is required; proper configuration is required (because Microsoft keeps setting the defaults wrong). As such, I feel Microsoft bears a significant burden of responsibility for the havoc their software has wreaked on the Internet.

        Schwab

  • by Gizzmonic ( 412910 ) on Tuesday April 30, 2002 @02:40PM (#3437772) Homepage Journal
    to use a Mac.
    • I've been getting the wierdest little pictures from this latest virus. I dunno if they are swiped from someones drive or part of the virus itself.
    • Using a Mac (or, in my case, Linux) isn't going to help you. The problem isn't that you get infected with the virus, it's that other people who are infected are going to either:

      1. Send you tons of mail with huge attachments

      or

      2. Send other people tons of mail with huge attachments and list you as the return address
  • Typical. (Score:5, Interesting)

    by scrytch ( 9198 ) <chuck@myrealbox.com> on Tuesday April 30, 2002 @02:40PM (#3437773)
    The patch that prevents this has been out for over a year now. It's downloadable here [microsoft.com]. Microsoft included the patch with IE6 and IE5 SP2, so if you have either, you don't need it.

    Good dose of blame goes all around here.
    • Re:Typical. (Score:2, Informative)

      by feldkamp ( 146657 )
      Careful... even if you have this patch, you can still get the virus from an exe on your network. This happened to me at work. All because I was a couple weeks behind updating my virus definitions... :(

      All it taks is one doofus down the hall who opens that infected screen-saver file, or exe, com, etc. in his email to cause you a ton of grief.
  • by mo ( 2873 ) on Tuesday April 30, 2002 @02:42PM (#3437797)
    Klez passed through my work a ways back and ever since then we've all been getting all kinds of spam. From what we can figure, the virus replied to all kinds of spam with the From line set to everybody's email address, including mine. So even though I hardly ever give my email away except for work issues, i'm now inundated with spam. Makes me think that someday some spammer out there will write a virus solely to collect email addresses.
  • www.mailwasher.net
    it's easy to use (imports your mail addresses directly from most popular mail clients), scans the mail server and gives warnings on possible virii and spam. As a bonus, it not only lets you delete messages on the server before you download them to your email program, it also lets you send back fake bounces to spammers.
    the interface isn't quite as nice as i'd like, but it does the job.
  • by stoolpigeon ( 454276 ) <bittercode@gmail> on Tuesday April 30, 2002 @02:43PM (#3437807) Homepage Journal
    A week or so I start getting all these emails from different mailbox administrators, etc. informing me that emails I was trying to send had invalid addresses.

    I'm looking at them and it shows my address in the from area and it was mostly spam for beastiality sites. My wife went ballistic.

    I got tons of them back as undeliverable. How many made it through? And now people think I was sending them spam for a porn site.

    They were coming back to my wife's WIN98 machine, so she called MS. The help desk chick tells her "Someone else has a virus and it is sending out emails w/your address" So my wife says "What do I do?" and they tell her to update her virus definitions. My wife said, "But you just told me that the virus is not on my computer, someone else has it. Is there nothing that I can do?" the girl says "Well download new virus definitions and check for service packs"

    The whole thing was rather humorous.

    .
  • Virii? What Virii? (Score:5, Informative)

    by kindbud ( 90044 ) on Tuesday April 30, 2002 @02:44PM (#3437825) Homepage
    Ever since we stopped allowing people to receive executable attachments (thanks to MIMEdefang! [roaringpenguin.com]), the virii have all but disappeared. There is no need to scan for virii on a mail server. Just get rid of executable attachments (there's a big list of them in MIMEdefang's example configuration). All these trojans use stupid Outlook auto-execute tricks/bugs/features to propagate. Executables shouldn't be sent as a direct attachment anyway. Either wrap it up in a zip file (the recipient has no excuse when he infects himself) or put it up on the ftp site and send a URL. This has got to be one of the basic elements of securing a network where Outlook users lurk - no executable attachments (picture Joan Crawford on a rampage).

    MIMEdefang also gives us the ability to call Mail::Spamassassin from a sendmail Milter, something Spamassassin itself does not yet support. The latest version also supports the File::Scan module for writing virus scanners in perl.

    • by Anonymous Coward
      http://www.perl.com/language/misc/virus.html

      The plural of virus is neither viri nor virii, nor even vira nor virora. It is quite simply viruses, irrespective of context. Here's why.

  • by Servo5678 ( 468237 ) on Tuesday April 30, 2002 @02:45PM (#3437827)
    I use a freeware, non-spyware, small Windows program called Popcorn to check all my e-mail before I download it to Outlook Express. Popcorn does not support attachments at all, it shows received attachments as base64-encoded text. It's great for filtering out junk, I just delete it from the server directly.

    http://www.ultrafunk.com/products/popcorn/ [ultrafunk.com] is the website for the program.

    I have nothing to do with the program or its development, I'm just a happy user.

  • Klez Virus (Score:3, Informative)

    by feldkamp ( 146657 ) on Tuesday April 30, 2002 @02:46PM (#3437846)
    We got hit by Klez (AMG; allmusic.com). Let me tell you, it SUCKED. This was a really potent virus. It got in through our video department (somebody opened an email...) and from there, it spread through some shared network apps. Within an hour or so, virtually everyone was toasted.

    Since this one spread through exe's, and since it was one strain of like 20 different Klez variants, cleaning was a real bitch. Luckily, I'm in programming, so I didn't have to do much of the visit-everyone's-machine thing. I did have to format my box, tho, as all my applications (including system apps) were hosed.

    mike feldkamp
  • I've been getting lots of Klez.
    It is Yet Another virus that is grabbing email addresses from browser caches, as far as I can tell.
    I have taken new measures to shield my email address from ending up in a browser cache, e.g. setting META no-cache directives.
  • I love KLEZ.G. I had Trend Micro's evaluation corporate scanner installed for the lst month and still got infected by it. I'm now using Sophos which cleans it, but the virus seems to corrupt a DLL upon first use so after installation I go to safe mode and run the scanner with 'DELETE'. KLEZ.G overwrites the exe instead of just 'patching' it so there is no disinfection. Bugger of a virus to deal with, and my office (we're a management company) has infected some of the hotels we manage. Luckily our video stores run DOS and an email program which doesn't allow/use attachments.

    McAffee didn't say anything about this virus either, though I'll admit our virus files are from early this year.

    I've now set all the outlook express clients to run in restricted security mode now, though, so we likely won't have much more of a problem in the future. Didn't infect Outlook, though, and obviously didn't infect other clients.

    -Adam
  • I bet these people [princeton.edu]will be raided very soon by the FBI.
  • Just when you thought amavis [amavis.org] was the cure for the odd little virus the odd little user would pass along, here comes Klez.H. Our helpdesk account receives 200+ "WARNING VIRUS IN MAIL ADDRESSED TO YOU" from amavisd. Yesterday, as I am on the security bitch list, I get a call from a "Senior Security Admin" for the Naval Intelligence Service (is there such a thing???). He was complaining that their sensitive e-mail accounts were getting hundreds of e-mails from foobar.edu e-mail addresses and that we need to put a stop to it. Take clue-by-four from scabbard. Take aim. Beat. This cat didn't even know what the Klez virus is and claims to be a security maven for the military. WTFE. After he yelled at me for lecturing him on how to read e-mail headers, he asked me what the solution was. Simple: ban the use of Outlook. Huff. Huff. Huff. "We can't do that! We have a contract with Microsoft."
  • We just finished replacing GroupWise 5.5 with Exchange 2000 at work (Fortune 1000 global company) 3 weeks ago. We run Norton AV Corporate (push down new defs the minute they come out). We are running Win2k 75%, Win95 25%. All Win2k machines are SP2 and Feb 2002 security update. We haven't seen *1* instance of this lovely virus as the desktop. Actually, we haven't seen an email virus strike yet (crossing fingers). Hire good people, you get good results. Jason
  • The real solution (Score:4, Insightful)

    by pmz ( 462998 ) on Tuesday April 30, 2002 @02:56PM (#3437931) Homepage
    is for the World to begin the arduous and expensive task of removing Microsoft software from their computers.

    The first step is to eliminate Outlook for e-mail. There are other options, even Emacs, that really aren't too user unfriendly.

    The second step is to eliminate Office for shared documents. There are other options, perhaps Open Office, that will be less prone to viruses and will be more maintainable over time.

    The third step is to begin evaluating other operating systems besides Windows. This is harder, because it will be difficult to replace all the software that was useful in Windows. Over time, however, a fairly comprehensive list can be developed, and a plan can be made to make the switch to a non-Windows OS.

    The fourth step is to take the plunge and dump Windows entirely. This may be the hardest step, because this is where the most learning needs to take place. But it is just a matter of time before users adapt to the new environment.

    This is what I have been doing at home and know it isn't easy to make a full transition. However, I have found adequate replacements for nearly everything and am pretty satisfied with the results.

    This doesn't have to be an all-Free-all-the-time solution, either, because there really is a way to mix open and closed software to meet your needs. It just takes research, time, and patience to find that Microsoft really doesn't rule the world at all--they just want us to think they do.
  • ...but luckly we aren't affected since our Exchange server has quarentined each email with said virii.

    And for more redundancy, I'm also not affected at home - because I don't use OUTLOOK! I love Win2K, the .NET Framework, C#, WinCE, and my XBox. But who in the world would use such a POORLY DESIGNED email client at home? I've never been convinced about the whole "IE should be removed from Windows" nonsense, but I think that outlook should be considered a TROJAN and removed by virus programs.
  • Montez now understands the e-mails came from Klez-subscribed news lists. But he said that since his free e-mail account only stores a certain amount of messages, he's lost access to the account twice this week. He believes he's also lost a significant amount of business-related e-mails.

    On one hand it's a shame that the virus flooded his mailboxes... but if he's using a free email account to conduct business then, well, he should know better. It's not like email accounts are all that expensive.

    mark
  • I'm impressed. (Score:5, Insightful)

    by EvilNight ( 11001 ) on Tuesday April 30, 2002 @02:58PM (#3437956)
    The person who wrote this spent some time thinking of the way to do the most damage. This virus nails you to the wall the instant it infects someone who just has your email address. That was some vicious thinking. The problems caused by this virus actually extend into social engineering. Pure genius.

    Makes you wonder what else they'll come up with...

    Maybe someday we'll have security, and patch this sort of thing...
  • Ive never had a virus, I have been clicking away at a console for over 20 years, I have owned a personal computer since 1978. I have never had a virus on my computer, knock on wood. It is I must say proabably a combination of sheer dumb luck and the fact that I dont click on emails that say BRITTANYNAKEDPICS.EXE.....But so be it I am lucky.

    That said my mom was in the same boat, the lan at her store has now 8 nodes and is pretty killer for a rare bookshop. Last saturday I get a call, half afraid to tell me whats going on, the line is slow, this that the other come down and look. Frigging virus variants running amok. I can say my Aunt felt bad it was her and she knew it. Being a family diplomat in the brady bunch land family I live in , all I could say was "No , its my fault for not keeping the AV server updated" then I realized the crap I just said so she wouldnt feel bad was true. They are firewalled to hell and back. They have AV clients on all the systems, and still they got nailed, why ? human error. not hers , mine.

    It was nothing to clean and had just started the night before. but were talking a catalog of 250000 volumes at risk totaling over 4000 man hours of entry to create. Whew.....I lucked out, It wasnt corrupted (the most recent backup was 1 week ago) but they are spending over 150 hours per week cataloging all the volumes they have. Its tediouis work all hand research and grading. Not like a first edition signed copy of "Steal this Book" is something that has an ISBN. (They actually put one on their front shelf, I said, hmm a 500$ book that says steal me on it, they walked over and grabbed it putting it in a safer location)

    All this work could have been EASILY lost, but there was a recent backup and 2 the damage was minimal at the point I snagged it. The potential for disaster here was big. Until last week I would laugh when someone got a virus doing untold damage. I think this one hit a little closer to home, I am the protector and architect f their IT enviroment. Basically if it happens on your systems or systems you take care of its your fault one way or another its your fault.

  • by Seth Finkelstein ( 90154 ) on Tuesday April 30, 2002 @03:04PM (#3437998) Homepage Journal
    Quoth the article [wired.com]:

    People signing up for newsletters and mailing lists that they never subscribed to has been a major source of frustration for both users and the list owners.

    If Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.

    This is another reason why all lists should confirm [spamfaq.net] subscriptions. I'm seeing the Klem-virus beating on my own mailing list, and I'm very glad I spent the time to get the software to do confirmations of subscriptions.

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

  • I got infected by the Klez virus at least 15 years ago. I heard tapes of the Klezmer Conservatory Band, the Klezmatics, Brave Old World, and reissues of Dave Tarras recordings from the 20's and 30's. Believe me, it just gets worse. Last Saturday (after sunset), I was at a klez jam, about two dozen people playing clarinets, fiddles, accordions, etc., and it lasted well past midnight.

    Makes it difficult to get up in the morning and go to church, I'll tell ya.

    Haven't confessed it to any priest yet, though. I'm not sure I'd trust the priests here in the Boston area with such information.

    There doesn't seem to be a cure, either. I don't know anyone who caught this one who ever got over it.

  • Call me lucky, but the last time my inbox received an e-mail virus was in 1999 (guess which virus it was. . . . Happy99, heh).

    I believe in stems from not having compleat idiots having me in their address books.

    Smart friends == no virus' in email.

    Hey, just out of question, what plurality of Virus are we supposed to use this week? Last time I was flamed for using virii, and I see flames over viri and virus' as well. This is getting waaay to annoying, it was so that awhile back pretty much everybody had agreed on virii (may not be historically proper but at least it ended the debate) but I want to know what {censored} started the debate back up again?
    • Agreed entirely - I don't think I've ever had an email virus, and if I did I wouldn't worry all that much - we have procmail...

      And the plural of "virus" is simply "viruses". It's a perfectly good English word, so you don't have to foul up the language for pretentious bogo-Latin reasons.
  • Klez was very slow to spread at the beginning. Even if for some odd reason someone STILL doesn't block dangerous attachment types, they should have updated their AV software by now. I mean, they all do it automatically. If you aren't blocking attachments and running a GOOD anti-virus software (I recommend Antigen for Exchange) you better get that resume ready.
  • Running 100% MS software, off-the-shelf NAV, and good ol' 56k dial-up. ...No Klez, Nimda, Melissa, or any other damn virus... The trick? Very picky about who gets my email address, don't register for anything online, and am very particular about what software/files I download from the 'net. I am reading about you guys who are getting clobbered with multiples of thousands of hits and don't understand how you can live like that. Sorry to put the damper on the anti-MS guys, but that isn't the problem here; the users who don't update their virus sigs, don't pay attention to their email clients (what do you mean I have sent a bajillion messages?), and don't understand what the hell they are doing online to begin with (don't even get me started on opening attachments). This makes for great sensationalized news (OH MY GOD, ANOTHER VIRUS), but for true users, it is not news. Yeah, I am going to get modded to death here, but sick of the bitchin' and whinin' about viruses -- it is a price you pay to play.
  • Imagine if enron got infected with one of these worms?
  • by ArticulateArne ( 139558 ) on Tuesday April 30, 2002 @03:21PM (#3438116)
    Ok, I know that many worms have been propagated through MS LookOut, etc, through the years, and I've been on the sysadmin end of shutting them down and cleaning them up. But, you can't blame MS quite so much for this one. For one thing, the vulnerability has been patched for an entire year, so anybody who is still vulnerable isn't really trying at all to stop it. For another thing, the security settings in Outlook XP (and I think 2K, IIRC) are much stricter by default. I've actually opened these klez emails, but Outlook won't display them. It says something about having HTML that it won't display, or something to that effect. It also won't do .exes, .mdbs, etc without a registry modification, which has annoyed me on occasion, but is doubtless much safer than the previous way of doing things.

    Let the flames begin.
    • omputer science and computer security experts have been saying for years that Micros~1 hasn't got the first fscking clue when it comes to writing solid, reliable, secure code. This despite the fact that there have been several examples of, if not ideal solutions, good first approaches to the problem. Indeed, to create WinNT, Microsoft snarfed the VMS team from DEC, a bunch of guys who understood those principles.

      And yet, despite the mountains of examples both within and without the company, despite the millions of computers blue-screening every damned day, Microsoft willfully persists in making the same stupid mistakes.

      As is well-known, Word macro viruses were a big problem in years past. This was because Microsoft made a series of impossibly moronic decisions:

      * To incorporate a macro facility into Word directly (rather than as an external engine driven by IPC protocols, where access controls can be applied in a uniform manner),
      * To embed the macros into the Word documents directly, rather than as separate macro files (thus making it impossible for the user to distinguish between a normal document and an "active" one),
      * To set the default condition to run the macros automatically upon document loading, without informing the user,
      * To, by default, not inform the user that any of this idiocy was going on.

      Okay, fine, so Microsoft got bitten by their would-be cleverness, but they cleaned up their act, right? They learned their lesson, right?

      No. Not only did they refuse to acknowledge that they had fscked up royally, they went and deliberately committed the same errors again and again:

      * Not only does IE uncritically implement JavaScript, it also throws in Visual Basic scripting and ActiveX, all of which are turned on by default. This condition is identical to that which propogated the Word macro virus fiasco. Even their "secure" execution environments hasn't prevented hostile Web sites from hijacking the browser.
      * Outlook likewise, without user intervention, will extract and launch embedded content while simultaneously hiding it from the user. The damn thing doesn't even check to make sure the MIME type and the filename extension are consistent.

      There's a term for this kind of behavior: Willful negligence. Oh, you can point out that there are security update downloads. But you can't ignore the fact that, if Microsoft had followed basic security principles, if they had learned from their own history -- hell, if they'd even extended common courtesy to their users -- this sort of thing wouldn't have happened in the first place.

      This isn't an honest mistake. This is a pattern with over twenty years of history behind it.

      Any responsibility born by Microsoft is equalled by the responsibility born by those users who don't apply security updates and don't run up-to-date firewall and virus checking software.

      I agree that uneducated users are a big problem. But, especially with the advent of broadband connectivity, what Microsoft has effectively done is to give a loaded Uzi with the safety off to eight-year-olds, and then fail to train them in its use or even tell them where the safety lock is.

      Microsoft touts its products as turnkey, ready-to-go, fire-and-forget, no setup, no configuration, no need to learn computer-ese, just sit down and become productive immediately. This is misleading in the extreme. Training is required; proper configuration is required (because Microsoft keeps setting the defaults wrong). As such, I feel Microsoft bears a significant burden of responsibility for the havoc their software has wreaked on the Internet.
  • Fool! use IMAP (Score:5, Insightful)

    by benploni ( 125649 ) on Tuesday April 30, 2002 @03:24PM (#3438134) Journal
    IMAP would allow to get all the email, minus the atachments. You can pick which attachments you want. People, read the IMAP spec. It offers so much that ppl dont take advantage of.

  • by ryanvm ( 247662 ) on Tuesday April 30, 2002 @03:57PM (#3438378)
    I got tired of dealing with my users' virus problems a long time ago. So I wrote batemail [sourceforge.net]. It's a Perl script that you slip between your MTA (e.g. Sendmail) and your local mailer (e.g. Procmail) that filters out ALL executable attachments.

    I've been using it in my production environment for over a year now and it works like a charm. And it's open source, too!
    • Dude... just use Procmail's built-in capabilities.
      No need to put an interpreted script in between
      your MTA and MDA. Out of the goodness of my heart,
      here's some actual working stuff to put in your /etc/procmailrc that dumps all email with
      executable attachments in /var/virusdump/:
      #/etc/procmailrc
      VIRUSLOG=/var/ virusdump/viruslog

      :0 # Use procmail match feature
      * ^To:\/.*
      {
      HTO = "$MATCH"
      }

      :0 # Use procmail match feature
      * ^From:\/.*
      {
      HFR = "$MATCH"
      }

      NL="
      "

      :0
      *.for virususer;.*
      /var/virusdump/virususer

      :0
      *^Content-type:.*
      {
      :0 HB
      *name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|bat|js )"
      {
      :0c
      ! virususer

      :0 fhw
      | (/usr/bin/formail -r; \
      echo -e "This is an auto-generated message on behalf of${HTO}:\n\
      \n\
      The email referenced above, which was sent from your address, \n\
      had a virus-vulnerable attachement (such as .EXE, .VBS, .PIF, etc).\n\n\
      This mail server no longer accepts mail with virus-vulnerable \n\
      attachments and the email has been quarantined.\n\
      Please try resending your attachment in a safe format such as ZIP. \n\
      Contact support@iocc.com if you have any questions")\
      | mail -s "Possible virus deleted" "${HFR}"

      :0
      | echo "VIRUS From:${HFR} To:${HTO}" >> $VIRUSLOG

      :0
      /dev/null
      }
      }
  • Here's what I did. (Score:3, Interesting)

    by jchawk ( 127686 ) on Tuesday April 30, 2002 @04:47PM (#3438718) Homepage Journal
    I got sick of all the spam, all the chain letters and all of the virus's. So I decided to run my own small mail server. I changed my email address and only gave it to people that would not open foolish attachment, and would not forward crap on to me.

    Running linux the virus's aren't a problem, but downloading and the wadding through hundreds of emails sucked.

    I then use procmail along with spam assassion. Now when I check my email there is usually one or two messages, and they are relivent.

    Even the mailing lists I'm subsribed to get put in a sepereate folder.

    I can't complain at all anymore.

    What about those less the brillent friends that are still affected? Well I leave icq and aim running so they can just leave me a message that way. :-)

    Hey if my mother can avoid getting infected with these stupid virus's so can you!
  • by Artana Niveus Corvum ( 460604 ) on Tuesday April 30, 2002 @04:51PM (#3438747) Homepage Journal
    I am the network administrator for the Absentee Shawnee Tribe of Oklahoma, recently we were assaulted by no less than 5 variants of the klez worm. Klez.C,E,F,G, and H... WATCH OUT FOR Klez.H!!! It is stinking creepy smart! Not only does it play the normal irritating klez crack games with your email system, it also knows how to delete your antivirus software (I've observed it doing this to Norton, McAfee, and InoculateIT), but worst of all, given time it actually knows how to write into motherboard and video card bios space on reboot with win9x! (it does this even if the stupid "boot virus protection" is enabled in the bios and bios flashability is TURNED OFF! This is NOT a joke or a prank, this thing is freaking dangerous. I've already sent emails to Computer Associates, Norton, and McAfee... be careful people, be bloody careful
  • by gujo-odori ( 473191 ) on Tuesday April 30, 2002 @09:36PM (#3440311)
    I'm a sysadmin at an ISP, and we have been filtering Klez inbound and outbound for 13 days, and the load basically hasn't tapered off at all. Since we started the Klez filter (thank you, Exim!) the number of bounces in our postmaster box doubled and show no real signs of slowing up.

    That is a lot of bounces because we also filter on SirCam (still see some of those everyday), use several RBLs, and have extensive local spam filters and reject lists, as well as optional spam filters for Korean-encoded and Chinese-encoded mail (just rolled them out and over 800 customers have started using them already).

    The cost of this is a lot of wasted bandwidth consumed by spam, worms, and viruses, in hardware (we run 4 MXes where two would otherwise suffice, because of the filtering load), and the countless hours we spend each week on defending our mail system and our customers from all this crap.

    Besides the usual suspects (MS for their security holes, users for their laxness on applying updates, and the virus writers themselves), I also have to blame a lot of adminstrators for this. Mail admins, listen up! You KNOW Klez is out there and you KNOW it's going through your systems. You probably have a ton of captive specimens of it. Start filtering it inbound and outbound. You're not only helping other admins to control this problem, you're helping yourself.

    And let's all be thankful that virus writers and spamware writers come from two camps that aren't likely to like each other, because if they got together and wrote a worm that silently propagated itself and turned Windows boxes into selectively open relays for use by the spammer/authors, that would be a real problem. The scary part is that it wouldn't be all that hard. The worms already have their own SMTP engines these days. The leap is small. Let's hope they don't make it, but let's think about how we're going to control it when they do.

    Line of defense number 1: ISPs - if you don't already block port 25 in/out from your dial pools (requiring your dial users to smarthost through your outbound SMTP or send through it directly), start NOW. The ass you save will be your own. If we all do this (my employer has done this for years) we will cut off spam.
  • Yahoo! (Score:3, Interesting)

    by Kris_J ( 10111 ) on Tuesday April 30, 2002 @10:46PM (#3440658) Homepage Journal
    I'm so glad that I dumped my old Yahoo email address a week or so ago. That old address was in so many places. If it wasn't spam it was a virus. And when I started using the vacation system a few weeks before I turned the account off what wasn't spam or a virus was an "message undeliverable" message.

    I wonder how many responses to Klez emails bounce back with an "address unknown" error?

"Marriage is low down, but you spend the rest of your life paying for it." -- Baskins

Working...