 | Update on Klez Worm!!!
Last member to post at this thread below suggests that his Norton AV and other quick test he did could not detect or isolate some version of KLEZ even when he right clicked to scan them. Now you never know what version of Norton he is running or its update... but posting this here since this worm is changing fast and the rule of thumb is to always be sure you have a warm tummy feeling that nothing "appears" to be suspicious in the first place with the text or any attachment.
»www.security-pro.co.uk/yabb/YaBB···start=16
Alternately known as Klez.g, Klez.h and Klez.k, depending on the security advisory that's referring to it, the worm has its own email engine to mass mail itself to potential victims, and it also attempts to deactivate some antivirus products. The worm can also spread to shared drives connected to PCs via local area networks or LANs. |
|
 | I also read that thread you provided, and I found it strange that a currently-updated NAV didn't detect it, but the user sounded unsure he was actually infected, since he did a Trend Micro HouseCall and came up clean there too. It wasn't clear from reading that thread, whether the person was actually infected or not.
I know that NAV LiveUpdate has been especially active lately. LU usually only updates on Wednesdays, but I received an automatic LiveUpdate on Friday the 19th. My NAV virus definitions are currently listed as 4/19/02. I suspect this Klez Worm has something to do with the unusual LU activity. |
|
 FiOS DanPremium join:2001-07-06 Redondo Beach, CA | reply to Time Out
Thanks Time Out for watching our backs on this one. FWIW I am now reading all of my e-mails with the Quick View function of Magic Mail Monitor. Unless I'm misunderstanding the process--which is always possible--the e-mails stay on the POP3 server and never get DL'd to my PC, plus I'm viewing their headers rather than actually opening them. Subsequently I can use the proggie's Quick Delete function to get rid of the e-mail directly off the remote server. I hope this is as safe as I think it is, and as always any feedback confirming or refuting this will be greatly appreciated.
-- "Well, my tail feathers may droop a little, and my waddle show, but I can still out crow anything in the barn yard." |
|
 ChipPremium join:2001-12-23 Connecticut | reply to Time Out Thanks for the heads up. |
|
 StepRCode WarriorPremium join:2000-11-06 Elgin, IL | reply to Time Out
Previewing just as dangerous
Previewing in Outlook Express does not protect you from this worm. Klezzie exploits a vulnerability in MS Internet Explorer 5 which opens the attachment, since OE uses IE to render html. When the sender provides a false MIME type in its header, IE launches the attachment, thinking it is a different type, even when the email is not opened but just previewed.
You need to download the MS patch or to upgrade to IE 6. You should update all your AV info before even looking at email so the offending email and worm can be quarantined.
Also, as the worm goes through your address book to propagate in outgoing messages, it changes the "from" address to a randomly selected person in your address book. Thus, the "from" field in the offending message can actually be from an uninfected computer. |
|
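A mail-filter check for the false MIME type described in the post above, as an added example that is not part of the original thread: it flags any part whose declared Content-Type is a renderable media type while its filename carries an executable extension. The extension shortlist, the function name `mismatched_parts` and the sample message are assumptions constructed for this illustration.

```python
import email
import os
from email import policy

# Extensions Windows runs directly (assumed shortlist for this example).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd", ".vbs"}
# MIME main types a mail client may try to render or play during preview.
INLINE_MAIN_TYPES = {"audio", "video", "image", "text"}

# Constructed sample: one part claims to be audio but is named like a program.
SAMPLE = b"""\
From: friend@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>hello</body></html>
--b1
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1
Content-Type: application/octet-stream; name="report.zip"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

def mismatched_parts(raw: bytes):
    """Return (filename, declared_type) for parts to quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        # Declared type says "media", extension says "program": a mismatch.
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in INLINE_MAIN_TYPES:
            hits.append((name, part.get_content_type()))
    return hits

if __name__ == "__main__":
    for name, ctype in mismatched_parts(SAMPLE):
        print(f"quarantine: {name} declared as {ctype}")
```

The check reads only headers, so it can run on a gateway before any client renders the message. It does not rely on the "from" field, which the post notes is forged.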
 | said by StepR: You need to download the MS patch or to upgrade to IE 6.
5.5 SP2 is OK as well: it also contains the fix for this vulnerability.
Greetz, Tony |
|
 | reply to Time Out
Re: Update on Klez Worm!!!
Well, I guess it just goes to show ya how valuable our friends are over at Paul Wilder's Forum also.
I remember when the 'experts' predicted that Klez was going to be DOA as it did not show up as 'they' calculated.
This whole thing started out with a guy who just wanted a job.
»www.zdnet.com/products/stories/r···,00.html Klez worm may be a job request from a Chinese programmer
But now at least we have some smart people who are offering some services beyond the call of duty to also watch our backs.
»MyRealBox catches Klez
I think services like this are going to end up being the norm. |
|
 FiOS DanPremium join:2001-07-06 Redondo Beach, CA | reply to StepR
Re: Previewing just as dangerous
said by StepR: Previewing in Outlook Express does not protect you from this worm. Klezzie exploits a vulnerability in MS Internet Explorer 5 which opens the attachment, since OE uses IE to render html. ... You need to download the MS patch or to upgrade to IE 6. You should update all your AV info before even looking at email so the offending email and worm can be quarantined.
StepR, I'm running a fully patched IE 5.5 SP2 and daily updated NAV. Also I could be wrong, but as I described in my post I don't think I'm previewing e-mails in OE on my PC. I think I'm using a Quick View function in a separate program to read the headers of e-mails that are still on a remote server. They have not been DL'd to my PC. Not trying to be argumentative, just seeking clarification as to my level of protection.
-- "Well, my tail feathers may droop a little, and my waddle show, but I can still out crow anything in the barn yard." |
|