Worm Klez.E immunity tool warning
Discussion
I recently received an email from adverts@pistonheads with an attachment (which I've deleted). It is listed on McAfee's site as a virus - this is how it appears:
Subject: Worm Klez.E Immunity
Body:
Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.
I've sent a mail to Ted, but in case anyone else receives it - beware!
It even tells you to ignore the virus warning from the A.V. software you've bought!
Sneaky buggers eh?
Thanks mate. Got it now. It's not on our server and the mail didn't originate from here.
I did a bit of research on the Symantec site and found this:
quote:
Because this worm does use a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using a antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.
Ted - this is the same one as I mentioned to you a couple of days ago. As the Symantec write-up says, Klez spoofs the originator address to make people think it originated from elsewhere, and one of the many message bodies Klez generates is the one that tells you to infect yourself and ignore your AV warnings.
This is one very sneaky little worm. Caused me a few hours of treble-checking my machine to make sure that it didn't originate from me when precisely the same thing happened (ie. someone accused me of sending them a virus).
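The two points made above (the spoofed "From:" address and the lure body that tells you to ignore your AV) can both be checked mechanically from a message's headers and MIME parts. The script below is an added example written for this thread, not code from the thread or from any AV vendor; the two sample messages are constructed for it (note the .example domains, and the lure body is a shortened paraphrase of the one quoted above), the list of "executable" extensions is an assumption, and the scoring threshold is arbitrary.

```python
"""Added example: indicator checks for a Klez-style lure message.

Assumes the message is available as raw RFC 822 text. Sample messages and the
extension list below are constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: extensions that should never arrive as an unsolicited attachment.
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com")

# Constructed sample modelled on the lure quoted in the thread.
LURE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id AAAAAA; Mon, 29 Apr 2002 10:00:00 +0000
From: adverts@pistonheads.example
To: reader@example.org
Subject: Worm Klez.E Immunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Klez.E is the most common world-wide spreading worm.
NOTE: some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'.
--b1
Content-Type: application/octet-stream; name="immunity.exe"
Content-Disposition: attachment; filename="immunity.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign message: the From: domain matches the relay that handed it over.
BENIGN = """\
Received: from mail.example.org (mail.example.org [192.0.2.20])
\tby mx.example.org with ESMTP id BBBBBB; Mon, 29 Apr 2002 11:00:00 +0000
From: colleague@example.org
To: reader@example.org
Subject: Meeting notes
Content-Type: text/plain

See you at 3.
"""


def received_hosts(msg):
    """Host names from the 'from' clause of each Received: header, outermost first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", str(value), re.IGNORECASE)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def from_matches_path(msg):
    """True if the From: domain appears somewhere in the Received: chain.

    A mismatch on its own is not proof of spoofing (mailing lists and third-party
    relays produce the same thing); it is one indicator to weigh with the others.
    """
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    hosts = received_hosts(msg)
    return bool(domain) and any(h == domain or h.endswith("." + domain) for h in hosts)


def executable_attachments(msg):
    """File names of attached parts whose extension is in EXECUTABLE_EXTENSIONS."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def body_text(msg):
    """The text/plain body, or an empty string if there is none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def classify(raw):
    """Return the individual indicators and an overall verdict for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = body_text(msg).lower()
    subject = str(msg.get("Subject", "")).lower()
    findings = {
        "klez_subject": "klez" in subject,
        "tells_user_to_ignore_av": "ignore the warning" in text,
        "executable_attachments": executable_attachments(msg),
        "from_matches_received_path": from_matches_path(msg),
    }
    score = sum([
        findings["klez_subject"],
        findings["tells_user_to_ignore_av"],
        bool(findings["executable_attachments"]),
        not findings["from_matches_received_path"],
    ])
    findings["suspicious"] = score >= 2  # assumption: threshold chosen for this example
    return findings


if __name__ == "__main__":
    print(classify(LURE))
    print(classify(BENIGN))
```

The "From:" check is deliberately a weak signal on its own, which is exactly the point of the Symantec quote: Harold's address in the From: line tells you nothing about Harold's machine, so the check is only useful combined with the attachment and body indicators, and the person named in From: should not be the one you accuse.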
Get yerselves NAV for Exchange...if you run a server or Systemworks if not. Kills it dead before it hits anyone's Inbox even if you have the Exchange one.
You wouldn't believe the number of alerts I get saying 'so and so received an e-mail infected with Klez but I've already ground it into little pieces for you but did you want me to stamp on it some more?'
quote:
Get yerselves NAV for Exchange...if you run a server or Systemworks if not. Kills it dead before it hits anyone's Inbox even if you have the Exchange one.
I second the NAV for exchange server. Been using it for years. We use it on the "kill them all dead" setting as well...
ErnestM