
All times are UTC - 5 hours [ DST ]




 Post subject: Klez32 Virus-Watch Out
PostPosted: Wed Dec 11, 2002 12:47 am 

I received two emails backdated 12/1.

One was sent from eaglepineranch@hotmail.com, the other was from something with "webmaster" in the address. One was titled "ledbetter", the other "the act". They both also contained jpegs. One was a screen shot of a posting here, the other of a steam loco.

It contained the above referenced virus. I suggest if you receive anything from these addressees blow 'em away.

I once again am glad I use undisclosed webmail.



superheater@beer.com


  
 
 Post subject: Re: Klez32 Virus-Watch Out
PostPosted: Wed Dec 11, 2002 11:15 am 

I get a Klez 32 mailing from computers associated with the railway preservation community about every other day.

One thing to note about Klez is that the return address in the email is chosen at random from the Outlook file of the infected computer--in plain English, the address that appears on the infected email is not the address of the real infected computer, it's usually some innocent third party. So, you may do someone an injustice if you block mail from them just because they ostensibly sent you Klez--odds are, it's someone else and not them at all.

The subject line and attachments (if any, other than the Klez worm itself) are also pulled at random from the poor infected soul's hard drive.

I recommend that everyone, without exception, make sure that their virus protection is current and is enabled for scanning email as it comes in. Klez is making the rounds in our community and has been for some time, and if your protection is not in good order and you use Microsoft mail products, you WILL get it.

eledbetter@rypn.org


  
 
 Post subject: Question on Klez 32????
PostPosted: Wed Dec 11, 2002 11:51 am 

I'm just wondering whether this Klez 32 opens itself, or if one has to open the file before it can do its dirty work.
Any time I receive an e-mail I am not absolutely certain of, I open the properties option, and select source. I can see what is contained in the file without opening it.
I have Norton, but for some reason my look-out express won't work with the Norton, so the mail portion is turned off. I'd guess the Norton would catch it after it gets onto the hard drive, but I like to think I'm stopping it before that by deleting anything I don't trust.
Comments? Mark D.

mnmach@lakes.com


  
 
 Post subject: Klez 32 Inoculator on McAfee
PostPosted: Wed Dec 11, 2002 12:22 pm 

> I'm just wondering whether this Klez 32
> opens itself, or if one has to open the file
> before it can do its dirty work.
>

I'm moderately tech-smart, but wasn't paying attention. I opened a jpeg, which is usually safe and ..then noticed the other attachments, opening them thinking they were jpegs.. should've paid attention to the file extension.

Since I use an undisclosed identity and others who post here occasionally post here undisclosed comment to me directly, I sort of accept the risk and hope Mr. Norton catches it.

McAfee has an inoculator for d/l on their site.

superheater@beer.com


  
 
 Post subject: Re: Question on Klez 32????
PostPosted: Wed Dec 11, 2002 3:52 pm 

Mark,
My Norton works fine with Outlook Express. Norton catches Klez coming from the website at least once a day.


  
 
 Post subject: Re: Question on Klez 32????
PostPosted: Wed Dec 11, 2002 4:39 pm 

I suggest you get hold of Norton ASAP and let their techies figure out how to get your mail covered.

Electric City Trolley Museum Association


  
 
 Post subject: Re: Question on Klez 32????
PostPosted: Wed Dec 11, 2002 4:40 pm 

I'm getting at least one or two Klez messages a day in my Hotmail account, which is where my railfan.net e-mail goes. Although I'm pretty sure Hotmail is immune to the worm itself (I don't open those messages anyway), those 140K attachments are generally enough to put me over Hotmail's 2 meg mailbox limit. I always delete them as soon as I see them, but since new ones are arriving daily, legitimate messages are probably getting blocked and archived messages that I had hoped to keep are getting automatically deleted to make room for unread Klez messages, not to mention all the usual Hotmail spam. Unfortunately, anti-virus software isn't going to help me with that.

rjenkins@railfan.net


  
 
 Post subject: just got trojaned horsed?
PostPosted: Wed Dec 11, 2002 5:16 pm 

From one of Aaron's caps on all words postings to this list. What's that caps thing all about anyhow Aaron?

Points being how is this different from being Klezed and my Norton seems to be catching things nicely.

Dave

irondave@bellsouth.net


  
 
 Post subject: Re: Question on Klez 32????
PostPosted: Wed Dec 11, 2002 5:55 pm 

> I suggest you get hold of Norton ASAP and
> let their techies figure out how to get your
> mail covered.
I agree on that. I have the latest Norton, as of last year, but the automatic update just expired. It has caught a couple of viruses that tried to get in, and were quarantined immediately. My big concern is with virus or worm attacks which have been designed to bypass antivirus programs. It's my understanding these are becoming more common. Also, I had heard of some viruses which automatically open, or in another way work without having to be opened by the recipient. To be careful of others, I don't keep any kind of address file, and regularly delete everything in my Look-Out Express. Great user-friendly e-mail program, but very susceptible to attack.
Just after I had posted the question above, a definite virus arrived in the mail. I saw it in "Properties" and deleted it.
Some day I'm going to have to purchase more updates for my Norton.
Mark D.


mnmach@lakes.com


  
 
 Post subject: Re: It's a neverending battle
PostPosted: Thu Dec 12, 2002 2:27 pm 

The hackers write the viruses to bypass existing antivirus software, then the antivirus firms update their software to combat the new virus.

McAfee posts: McAfee AVERT (Anti-Virus Emergency Response Team), the leading anti-virus research organization, tracks the latest viruses and trojan horses to keep you up-to-date with the many new, and altered, viruses emerging every day. Each profile gives you comprehensive details on virus characteristics and indications of infections.

See: http://vil.nai.com/VIL/newly-discovered-viruses.asp

They list 26 different variants of the Klez virus alone.

Norton does similarly.

Best bet is to subscribe to a service and run every update as soon as you get it. Even then you could be launch customer for a virus before the antivirus is published. It happens.


Electric City Trolley Museum Association


  
 
 Post subject: Protect yourself, windows won't do it for you *PIC*
PostPosted: Thu Dec 12, 2002 4:25 pm 

There are a couple inherent problems with OE and viruses. First, unlike programs like Eudora (What I use) OE holds the attachments in the mail database file with the message text and headers instead of decoding them to a separate file, which makes it much harder to detect. You can somewhat offset this by saving an attachment to disk before opening it. Then it is easier for the virus program to 'get at it' before loading it into memory.

Second, OE 5.5 and earlier have _VERY_ lax security. In OE 5.5 or before go to Tools - Options - Security and change the security zone to Restricted Sites. This will stop most if not all of the 'auto run' viruses because they are not permitted to run on their own. Also you can turn off the preview pane (where the message content is shown in the main window) from View - Layout. OE 6 and above are already set to the Restricted Sites zone.

Or, you could just buy a mail program without all the security holes instead of taking whatever MS or AOL slops on the plate.

Viruses often use multiple extensions such as fun.jpg.exe. The system sees it as an executable, but because Windows hides the last extension (.exe) from your amateur eyes you see it as a JPEG file. If they incorporate a jpeg looking icon in the program it looks all the more like an image file. You can set Windows to show the entire file name by going to Tools - Folder Options - View in Windows Explorer (Not IE) and uncheck "Hide file extensions for known file types." Then you can at least see how Windows is going to see it.

Klez is everywhere. I get about three Klez messages a day. Every day. As said it spoofs (falsifies) the From: address, but does it not some, but almost all the time. As such it is nearly impossible to let the sender know they are infected. That plus the fact that it does not give much indication to the user of the infected system that it is present, many systems with Klez stay infected for a long time and continue to merrily send out infected mail.

The moral of this story is 1) Default Microsoft settings are often a security joke. 2) No system that connects to the Internet (particularly e-mail) should be without antivirus software with up-to-date virus definitions. 3) When Microsoft has a new CUMULATIVE patch for IE/OE, put it on. 4) If you're not sure what something is, DON'T OPEN IT.


The East Broad Top Railroad Homepage
ebtrr@spikesys.com
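
The double-extension trick described in the post above (fun.jpg.exe) can be checked for at the mail gateway or in a mailbox scan. The following is an added example, not part of the original post: the function names and extension lists are assumptions, and the sample message is constructed.

```python
import os
from email import message_from_string, policy

# Assumed lists for this example; extend for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    cleaned = name.strip().rstrip(". ").lower()
    stem, last = os.path.splitext(cleaned)
    if last not in EXECUTABLE_EXTS:
        return "ok"
    # Padding between the decoy and the real extension is stripped the same way.
    _, inner = os.path.splitext(stem.rstrip(". "))
    return "double-extension" if inner in DECOY_EXTS else "executable"

def scan_message(raw):
    """Return (filename, declared MIME type, verdict) for each risky attachment."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_filename(name)
        if verdict != "ok":
            findings.append((name, part.get_content_type(), verdict))
    return findings

# Constructed sample message, not a real capture.
SAMPLE = """\
Subject: the act
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="loco.jpg"

--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="fun.jpg.exe"

--b1--
"""
```

Calling scan_message(SAMPLE) flags only the second attachment, and the declared image/jpeg type alongside an .exe name is a second signal that the part is mislabelled.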


  
 