Friday, May 24, 2002 - Michael Kearns
Email Virus Spread
Virus-infected emails have been spreading widely, which explains the current problem of:
"Why am I receiving replies from people I do (or do not) know, saying I sent
them an email that I did not send?"
The cause is a hard-to-kill virus affecting Microsoft email clients, named W32.Klez.gen@mm.
This virus also has many variations.
In the email:
Subject: (RANDOM; the virus has many variations)
Body: (RANDOM - again)
Attachments: (RANDOM - files with a .BAT, .EXE, .PIF, or .SCR extension)
This virus can be launched while opening or previewing the message.
How it works:
The virus carries its own SMTP engine (outbound email connection). It
randomly selects email addresses from the infected computer's address
book and sends mass-messages, using as the "From" one or
more of the random email addresses it chose from that address book.
The emails therefore seem to have been sent by you.
Macintosh computers are not affected by the Klez virus or these variations.
However, since the virus is email based, a Macintosh can inadvertently
pass the virus on to a Windows user.
If you receive an email message that has an attachment and it is not
from a trusted source, please DO NOT OPEN it. Immediately delete the
message and empty your "deleted items" or "trash" folder.
Also, update your anti-virus software with the most recent virus definitions
and perform a scan on your drive.
Since the virus carries its own SMTP engine, it does not use an email server's SMTP.
Therefore, the email administrator cannot track whose computer is infected
and sending the mass-messages.
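The attachment extensions and the forged "From" described above can be checked on a saved copy of a suspicious message. The Python below is an added example, not part of the original advisory: the sample message, its addresses and the host mx.example.org are constructed placeholders, and triage() is a hypothetical helper name.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Extensions the advisory lists for the attachments.
RISKY_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}

# Constructed sample message (not a real capture); all names are placeholders.
SAMPLE = """\
Received: from unknown-host (unknown [192.0.2.45])
\tby mx.example.org with SMTP id ABC123; Fri, 24 May 2002 09:12:01 -0400
From: Some Sender <sender@example.com>
To: recipient@example.org
Subject: a random subject
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

random body
--BOUND
Content-Type: application/octet-stream; name="photo.jpg.scr"
Content-Disposition: attachment; filename="photo.jpg.scr"
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

def triage(raw):
    """Return the claimed sender, the connecting IP and risky attachment names."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1]  # chosen by the sender, not proof
    # The topmost Received header is written by the receiving server, so the
    # bracketed IP in it does not depend on what the "From" line claims.
    received = msg.get_all("Received") or [""]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    risky = []
    for part in msg.walk():
        name = part.get_filename()
        # Only the last extension counts, so "photo.jpg.scr" is a .scr file.
        if name and os.path.splitext(name.strip())[1].lower() in RISKY_EXTENSIONS:
            risky.append(name)
    return {"claimed_from": claimed,
            "connecting_ip": ip.group(1) if ip else None,
            "risky_attachments": risky}

if __name__ == "__main__":
    print(triage(SAMPLE))
```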
--
An excerpt (below) from Symantec's site, which also includes a removal tool.
Email spoofing:
Some variants of this worm use a technique known as "spoofing."
If so, the worm randomly selects an address that it finds on an infected
computer. It uses this address as the "From" address that
it uses when it performs its mass-mailing routine. Numerous cases have
been reported in which users of uninfected computers received complaints
that they sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with
W32.Klez.E@mm; Linda is not using an antivirus program or does not
have current virus definitions. When W32.Klez.gen@mm performs its emailing
routine, it finds the email address of Harold Logan. It inserts Harold's
email address into the "From" portion of an infected message
that it then sends to Janet Bishop. Janet then contacts Harold and complains
that he sent her an infected message, but when Harold scans his computer,
Norton AntiVirus does not find anything--as would be expected--because
his computer is not infected.
If you are using a current version of Norton AntiVirus and you have
the most recent virus definitions, and a full system scan with Norton
AntiVirus set to scan all files does not find anything, you can be confident
that your computer is not infected with this worm.