[Towertalk] OT-Virus???

Jamie WW3S jtolbert@gremlan.org
Thu, 25 Apr 2002 17:04:20 -0400


As I understand it, and I may be incorrect, it can grab an address from
ANYWHERE on the infected PC, not just the address book. If you have a
webpage stored in cache with an email address on it, it can grab that.

73 Jamie

----- Original Message -----
From: "Bill Otten" <res0958z@verizon.net>
To: "TowerTalk" <towertalk@contesting.com>
Sent: Thursday, April 25, 2002 3:38 PM
Subject: Re: [Towertalk] OT-Virus???


> I've received notices from mail administrators (just this morning in fact)
> that a mail I supposedly sent was infected. Trouble is, I don't even have
> that individual's name in my address book. Here's the text of the message I
> received....perhaps if someone reads it and notices the addressee as someone
> in THEIR address book, it might suggest where the infected computer is.
>
> From: <winita@wabash.net>
> To: <res0958z@verizon.net>
> Sent: Thursday, April 25, 2002 12:47 am
> Subject: Virus Alert
>
>
> > The mail message (file: 33470) you sent to wec69@wabash.net contains a
> > virus. We have cleaned or quarantined the virus before delivering the text
> > of the email. Please check your system for other infected files. If you need
> > help, see www.antivirus.com for more information. (Wabash.net System
> > Administrator winita@wabash.net)
>
> That being said, here's a note from one of the anti-virus sites mentioning
> this virus' ability to 'spoof' an address from an infected computer and send
> mail to propagate the virus:
> WORM_KLEZ.I
> Aliases:
> I-Worm.Klez.i, W32/Klez.gen@mm, KLEZ.I
> (see also: description and solution)
> Variant of: WORM_KLEZ.A
> In the wild: No
> Discovered: Apr. 20, 2002
> Detection available:  Apr. 20, 2002
> Detected by pattern file #: 267
> (still using 900-series pattern files?)
> Detected by scan engine #:  5.200
> Language: English
> Platform: Windows
> Encrypted: No
> Size of virus: varies
>
> IMPORTANT DETAILS:
> Similar to the other KLEZ variants, this worm can change or spoof the
> original email address in the FROM: field. It obtains the email addresses
> (that it places in the FROM: field) from the infected user's address book.
> This causes a non-infected user to appear as the person who has sent this
> worm's malicious email. It does this to hide the real sender of the infected
> email.
>
> Honestly...this worm virus is SO prolific that I don't think it's limited to
> a ham's computer. One of the hams on the list may have it, but this thing is
> pervasive lately....McAfee moved it to moderate risk category. Run the virus
> check programs, and use the latest data files....this worm virus is very
> recent...an old virus file won't catch it!!
>
> Bill
> KC9CS
>
>
> ----- Original Message -----
> From: "Tom Anderson" <ww5l@gte.net>
> To: <Towertalk@contesting.com>
> Sent: Thursday, April 25, 2002 10:54 am
> Subject: [Towertalk] OT-Virus???
>
>
> > Fellow Tower Talkians:
> >
> > Pardon the off-topic message, but I was curious if others were having the same
> > problem since many of the "bounced" e-mails I describe below are from/to other
> > hams.
> >
> > Have you been receiving a number of "bounced" e-mails recent to people you never
> > sent e-mails to are e-mails infected with the W.32Klez virus?? Or have you noticed
> > an increasing number of "infected" e-mails according to whichever anti-virus
> > program you are using?
> >
> > The latest bounced one was I supposedly sent to N5XX recommending he use an IE
> > 6.0 "patch" that was attached. It bounced because N5XX's ISP said my e-mail was
> > too long something like 100kb then Norton said it was infected with the W.32Klez
> > virus on the return.
> >
> > I've even gotten a bunch of e-mails with no message from, just blank, except for
> > the header which is sent to my e-mail address from someone I've never heard of or
> > it lists "undisclosed recipients" in the "To:" address line.
> >
> > I don't even use IE, I use Netscape 4.79 since most viruses are seemingly written
> > for IE than Netscape.
> >
> > I've got Norton anti-virus running on both incoming and outgoing, plus their
> > update service is running constantly in the background (it just now gave me the ok
> > that all virus definitions are updated).
> >
> > I even received an e-mail from/to "myself" at least with my e-mail address as
> > the sender that was supposedly infected according to Norton.
> >
> > A special download that Norton has for the W.32Klez virus says my system is virus
> > free.
> >
> > I hope you haven't gotten one of these messages with my e-mail address as the
> > sender.
> >
> > Again, pardon the off-topic message, I was interested if others were having this
> > same problem that seems to have gotten more severe in the last week to 10 days.
> >
> > Tom, WW5L
> >
> > _______________________________________________
> > Towertalk mailing list
> > Towertalk@contesting.com
> > http://lists.contesting.com/mailman/listinfo/towertalk