Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Evil e-mail tricks PC users: 'Klez' disguises self with variety of subjects, senders
WorldNetDaily.com ^ | Thursday, April 25, 2002 | By Joe Kovacs

Posted on 04/24/2002 11:41:24 PM PDT by JohnHuang2

If you're seeing a sudden surge in the amount of e-mail in your inbox, chances are it has little do with your popularity.

Delete buttons on personal computers are getting a workout this week thanks to a tricky e-mail worm tunneling across America and the rest of the world.

Known as "Klez," the worm has been bombarding mailboxes with unsolicited messages, replicating itself and changing its own appearance by displaying a variety of subjects and senders.

"It's a worm that spreads really quickly," said Sharon Ruckman, senior director for anti-virus software maker Symantec's security response team. "And it carries an additional payload that can do some damage."

That additional payload is a virus known as "Elkern," which tries to infect other systems by sharing information. When combined with Klez, the two create problems that go beyond large amounts of incoming mail.

"It can release confidential information on your system which is never a good thing to have happen," Ruckman told WorldNetDaily. "It also has the ability to remove anti-virus software."

Klez is more deceptive than some previous problem e-mails, as it has a wide variety of titles displayed in the subject line, and can latch on to an e-mail address of someone a user knows and insert it in the "From" field, making users more apt to open it and thus get infected.

Some of the titles listed in infected mails include:

Klez also uses some combinations of random words in subject lines, to make it even more confusing. The random words include:

Some messages even appear to be trying to help PC users by offering a patch or removal tool for Klez or Elkern, but are nothing more than the worm itself.

"They're trying to get people to open it," Ruckman said regarding the virus writers' clever deception skills. She adds her company does not e-mail people randomly with removal tools.

Symantec has ranked Klez at a category 3 medium risk on a scale of 1 to 5, with 5 being the most dangerous.

"That means it's spreading in the wild more quickly, but it's not as serious as [other viruses like] Melissa or LoveBug," Ruckman said. She also says the Nimda virus which debuted last year is still problematic.

According to anti-virus software maker Trend Micro's world virus tracking center, Elkern and Klez are currently the top two ranked viruses. In the past 24 hours, they are estimated to have infected over 400,000 files globally.

Several strategies can be employed in preventing computers from being infected. Home PC users should avoid opening the messages and delete e-mails with attachments, especially if something appears strange in the subject or sender's line.

"Don't be curious about e-mail," Ruckman said. "Just delete it." Once deleted, users should also empty their trash bins.

She also recommends having anti-virus software on your machine, plus the "latest and greatest software patches," which can be downloaded from Microsoft.

Corporate e-mail users can have their system administrators attack the problem by filtering out certain attachments and subject lines at the gateway of their mail servers.

If a computer has been infected, free removal tools are available from both Symantec and Trend Micro.

But despite assurances from anti-virus companies, some organizations like ACT Teleconferencing in Hong Kong are having trouble curing the problem.

"Irrespective of what Symantec or other vendors say, there has been no way to stop this worm in the short term," Bob Deverell of ACT told the South China Morning Post this week.

"We have been struggling to clean our machines," he said. "We haven't been able to stop it and we're very competent."


TOPICS: Front Page News; News/Current Events; Technical
KEYWORDS:
Navigation: use the links below to view more comments.
first 1-5051-56 next last
Thursday, April 25, 2002

Quote of the Day by HHFi 4/25/02

1 posted on 04/24/2002 11:41:24 PM PDT by JohnHuang2
[ Post Reply | Private Reply | View Replies]

To: JohnHuang2
This one came to my mailbox last night and it seems like I was able to delete it successfully. It came titled "Look, my beautiful girlfriend" and when I chose it to delete it, a media window opened. Which I quickly closed and then deleted the email.
2 posted on 04/25/2002 3:55:30 AM PDT by MarMema
[ Post Reply | Private Reply | To 1 | View Replies]

To: all
Home PC users should avoid opening the messages and delete e-mails with attachments,

In Outlook Express, the only way to delete a message is to open the message. You have to highlight the message, which opens it, in order to hit the delete key.

I have received a few e-mails with this virus and Norton brought them to my attention. Norton was not able to do anything with them, so I deleted the messages manually and then ran virus scan again, after making sure that I had the latest Norton update.

I noticed that when I would open the message (NOT the attachment), that a web page would automatically come up.

I have come up clean with a Norton virus scan, but I can't help but wonder about that web page that opened up.

I've always believed that you cannot pick up a virus unless you open the attachment, but lately I've been hearing that just opening the e-mail message can spread the virus.

3 posted on 04/25/2002 5:31:07 AM PDT by alnick
[ Post Reply | Private Reply | To 1 | View Replies]

To: alnick
In Outlook, highlighting the message does not open it UNLESS you have Preview Pane turned on. Create an attachments folder and turn off Preview Pane for that folder. Then write a Rule to send all messages with attachments to that folder.
4 posted on 04/25/2002 5:39:16 AM PDT by AppyPappy
[ Post Reply | Private Reply | To 3 | View Replies]

To: AppyPappy; technochick99
Can you give me more instructions on where to set up the preview pane settings? I'm too lazy to look for myself.
5 posted on 04/25/2002 5:43:40 AM PDT by Lazamataz
[ Post Reply | Private Reply | To 4 | View Replies]

To: Lazamataz
Great. You people control the media and now you want to control email.

Click on the folder, click on View and click on Preview Pane to turn it off and on.

6 posted on 04/25/2002 5:46:57 AM PDT by AppyPappy
[ Post Reply | Private Reply | To 5 | View Replies]

To: AppyPappy
Cool. The Illuminatii looks with favor upon you. You will be spared.
7 posted on 04/25/2002 5:48:24 AM PDT by Lazamataz
[ Post Reply | Private Reply | To 6 | View Replies]

To: alnick
I got hit with it last weekend. It shut down both Zone Alarm AND Norton Antivirus, attached itself to my .exe files so I couldn't launch my programs.

I had Preview Pane enabled and that did it. My husband had to bring home the Symantec vaccine that we ran 4 times.

The bug managed to replicate itself each time I tried to launch a program. Very nasty!

8 posted on 04/25/2002 5:56:06 AM PDT by Carolina
[ Post Reply | Private Reply | To 3 | View Replies]

To: JohnHuang2
Check you E-mail on the server: Ultrafunk Popcorn (176K). Drag a shortcut to your taskbar.
9 posted on 04/25/2002 5:59:26 AM PDT by jordan8
[ Post Reply | Private Reply | To 1 | View Replies]

To: AppyPappy
Thank you. I didn't know about preview pane. It's turned off now.
10 posted on 04/25/2002 7:42:43 AM PDT by alnick
[ Post Reply | Private Reply | To 4 | View Replies]

To: Carolina
Did you open the attachment or did you get the virus just by opening the e-mail message?
11 posted on 04/25/2002 7:49:47 AM PDT by alnick
[ Post Reply | Private Reply | To 8 | View Replies]

To: alnick
Got it by just highlighting it. I didn't even open it. But I had Preview Pane on so it launched a window.
12 posted on 04/25/2002 7:55:15 AM PDT by Carolina
[ Post Reply | Private Reply | To 11 | View Replies]

To: Carolina
I got hit with it as well. It absolutely erased Norton's System Work 2002. Mine came in from someone I knew and it had the subject line "A Great New Website". It really really did a work over on my computer. I thank my Sailor because he's a Network Administrator and had the situation under control. However, he went back and sourced where it came from and then sent information forward to our service provider and other people that needed the information.
13 posted on 04/25/2002 8:08:48 AM PDT by MoJo2001
[ Post Reply | Private Reply | To 8 | View Replies]

To: MoJo2001
It absolutely erased Norton's System Work 2002.

That was what was upsetting. Here I am, paying for a subscription to Norton AV, and it was helpless.

14 posted on 04/25/2002 8:18:03 AM PDT by Carolina
[ Post Reply | Private Reply | To 13 | View Replies]

To: Carolina
Oh, mine launched a window also. But after deleting the e-mail I got the latest Norton update and ran a scan and the scan came back clean.

Sorry to hear that you got hit.

15 posted on 04/25/2002 8:19:22 AM PDT by alnick
[ Post Reply | Private Reply | To 12 | View Replies]

To: JohnHuang2
Someone sent me one with the title line: Information for International Students
16 posted on 04/25/2002 9:53:16 PM PDT by Salvation
[ Post Reply | Private Reply | To 1 | View Replies]

To: alnick
In Outlook Express, the only way to delete a message is to open the message. You have to highlight the message, which opens it, in order to hit the delete key.

No, you don't have to open it. Just drag it over to Deleted Items!

17 posted on 04/25/2002 9:55:20 PM PDT by Salvation
[ Post Reply | Private Reply | To 3 | View Replies]

To: MoJo2001
I got hit with it as well. It absolutely erased Norton's System Work 2002.

My Norton 2002 got it and quarantined it.

18 posted on 04/25/2002 9:58:28 PM PDT by Salvation
[ Post Reply | Private Reply | To 13 | View Replies]

To: Salvation
I was attacked with it 2 days ago. I had 150 emails coming in every time I clicked for my mail.

I had to use this here

Symantec has provided a tool to remove infections of W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926. Note on W32.Klez.gen@mm detections: W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most case, the tool will be able to remove the infection. What the tool does The W32.Klez Removal Tool does the following: It terminates all processes that are associated with W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926. It deletes the W32.Klez.E@mm and W32.Klez.H@mm service(s). It removes the registry entries that were created by W32.Klez.E@mm and W32.Klez.H@mm. It detects all types of W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926 infections, and repairs files that can be repaired.

19 posted on 04/25/2002 9:59:47 PM PDT by TLBSHOW
[ Post Reply | Private Reply | To 17 | View Replies]

To: Carolina
see post 19, it does work and kills old klez
20 posted on 04/25/2002 10:00:56 PM PDT by TLBSHOW
[ Post Reply | Private Reply | To 14 | View Replies]

To: AppyPappy
Great pointers.
21 posted on 04/25/2002 10:04:08 PM PDT by Registered
[ Post Reply | Private Reply | To 6 | View Replies]

To: TLBSHOW
it does work and kills old klez

Yup, it's what I used and ran it 4 times for good measure.

22 posted on 04/26/2002 4:23:33 AM PDT by Carolina
[ Post Reply | Private Reply | To 20 | View Replies]

To: Carolina
Bump to the end of Klez!
23 posted on 04/26/2002 5:42:28 AM PDT by TLBSHOW
[ Post Reply | Private Reply | To 22 | View Replies]

To: Liberty Belle
ping
24 posted on 04/26/2002 5:59:23 AM PDT by RichardsSweetRose
[ Post Reply | Private Reply | To 2 | View Replies]

To: JohnHuang2
I got one the other day, the subject line having something to do with PayPal. Inside were two attachments, one of them labeled as some sort of porno item. Fortunately, I was using PINE on a Mac and, so, was protected.
25 posted on 04/26/2002 6:06:28 AM PDT by aruanan
[ Post Reply | Private Reply | To 1 | View Replies]

To: Salvation
Mine did too, then I just emptied the Quarantine folder. It said the file was unrepairable, as well.
26 posted on 04/26/2002 6:11:32 AM PDT by a6intruder
[ Post Reply | Private Reply | To 18 | View Replies]

To: MarMema
I've said it before and I'll say it again. One of the best ways to protect yourselves from e-mail viruses is to access your mail via mail2web.com. Just go there and log in using your e-mail address and password. Most of the major ISP e-mails can be accessed from that site. Also you can access your e-mail from other computers. Any messages that I don't recognize, I delete and it never shows up in my Outlook Express.
27 posted on 04/26/2002 6:18:44 AM PDT by PJ-Comix
[ Post Reply | Private Reply | To 2 | View Replies]

To: JohnHuang2
Note to self: Don't use "so cool a flash,enjoy it" in the subject line in next e-mail to boss.
28 posted on 04/26/2002 6:20:46 AM PDT by Larry Lucido
[ Post Reply | Private Reply | To 1 | View Replies]

To: Larry Lucido
mail2web™ is an Internet based email client that allows you to pick up your email from almost any POP3 or IMAP4 email server. Instead of offering another web based email service like Hotmail© or Yahoo Mail©, mail2web lets you use your present present email account. You simply enter your email address and password to access your inbox. You can then read, reply and forward your messages. You can even delete large attachments without first downloading them!
29 posted on 04/26/2002 6:24:42 AM PDT by PJ-Comix
[ Post Reply | Private Reply | To 28 | View Replies]

To: AppyPappy
Click on the folder, click on View and click on Preview Pane to turn it off and on.

I don't have a 'preview' pane in 'view'

I'm using OE6.

wassup?

30 posted on 04/26/2002 6:32:25 AM PDT by JimVT
[ Post Reply | Private Reply | To 6 | View Replies]

To: JimVT
This is for Outlook. For OE, View, Layout, turn off Show Preview Pane
31 posted on 04/26/2002 6:38:19 AM PDT by AppyPappy
[ Post Reply | Private Reply | To 30 | View Replies]

To: diotima
This is what probably got your computer infected.
32 posted on 05/01/2002 9:20:22 AM PDT by anymouse
[ Post Reply | Private Reply | To 1 | View Replies]

To: anymouse; all
I thought so too. I scanned my computer with Norton Anti Virus and it found nothing. Then I downloaded Klez virus cleaner and it said it found nothing also. Hmm....any more suggestions?
33 posted on 05/01/2002 9:33:02 AM PDT by diotima
[ Post Reply | Private Reply | To 32 | View Replies]

To: diotima
The problem is that you downloaded this phoney virus checker 'Klez', which actually installed that virus.

Download the latest NAV virus definitions and then run NAV again. I bet if will show the 'Klez' virus is infecting your computer. Best to do a NAV scan from the emergency boot disk after the windows-based NAV scan just to make sure it really is completely gone. Otherwise follow the instructions in my FReepmail.

34 posted on 05/01/2002 9:55:14 AM PDT by anymouse
[ Post Reply | Private Reply | To 33 | View Replies]

To: anymouse
i ran a copy of KLEZ through a binary editor and extracted the following set of strings from it...if these are activated as windows commands, this little critter will do nasty things to an infected computer...


NoFileUrl


NoFolderOptions
NoChangeStartMenu


NoWindowsUpdate
NoSetActiveDesktop

NoForgetSoftwareUpdate

NoMSAppLogo5ChannelNotify


ForceCopyACLWithFile



NoResolveTrack

NoResolveSearch
NoEditingComponents
NoMovingBands


NoCloseDragDropBands



NoClosingComponents
NoDeletingComponents



NoAddingComponents

NoComponents



NoChangingWallPaper
NoHTMLWallPaper
ActiveDesktop


NoCustomizeWebView

ClassicShell



ClearRecentDocsOnExit


NoFavoritesMenu
NoActiveDesktopChanges

NoActiveDesktop
NoRecentDocsMenu



NoRecentDocsHistory
NoInternetIcon

NoSettingsWizards


NoLogoff



NoNetConnectDisconnect

NoViewContextMenu


NoTrayContextMenu


NoWebMenu


LinkResolveIgnoreLinkInfo


NoCommonGroups

EnforceShellExtensionSecurity


NoRealMode

WinOldApp


MyDocsOnNet
NoStartMenuSubFolders


NoAddPrinter



NoDeletePrinter
NoPrinterTabs


RestrictRun
NoStartBanner


NoNetHood


NoDriveTypeAutoRun

NoDriveAutoRun

NoDrives



NoFind

NoDesktop


NoSetTaskbar



NoSetFolders



NoFileMenu

NoSaveSettings

NoClose
NoRun


35 posted on 05/01/2002 11:54:49 AM PDT by atafak
[ Post Reply | Private Reply | To 34 | View Replies]

To: JohnHuang2
Virus creators are getting lazier by the day. If virus creators had any marbles, they would create viruses for Linux and Macs instead of Windows. I mean there is almost NO challenge in creating a virus for Windows, but Linux and Macs would be tougher to do.
36 posted on 05/01/2002 12:31:54 PM PDT by Paul C. Jesup
[ Post Reply | Private Reply | To 1 | View Replies]

To: atafak; diotima
Atafak, thanks for the confirmation of 'Klez' virus creation rather than deletion.

diotima, hopefully NAV can save most of your data and wipe this filth from your machine.

37 posted on 05/01/2002 2:37:36 PM PDT by anymouse
[ Post Reply | Private Reply | To 35 | View Replies]

To: Taxman
ping
38 posted on 05/02/2002 8:02:31 PM PDT by dixie sass
[ Post Reply | Private Reply | To 1 | View Replies]

To: diotima
Dio, Klez showed up in my computer Tuesday. I have had a time trying to get it out. It disquises itself extremely well. I tried everything that was suggested. This critter will kill any anti-virus program you have.

Also, it would not let me install any anti-virus programs. Ate them as soon as I tried install them. I was at the point that I was ready to find magnet and run it over the hard drive and then take it out and shoot it. Put it out of my misery. I have had a very short fuse for the last two days.

The only thing that has worked was the Symantec link above. It was in my registry. I can't access my email program. It is a very virulent nasty bug.

It has mess with a lot of stuff in my 'puter and I can't access several things right now, but the bug is gone (fingers crossed, knock on wood, and several thousand prayers), I hope for good.

39 posted on 05/02/2002 9:39:41 PM PDT by dixie sass
[ Post Reply | Private Reply | To 33 | View Replies]

To: dixie sass
Now I am getting ready to install Norton's 2002 and hopefully...
40 posted on 05/02/2002 9:41:29 PM PDT by dixie sass
[ Post Reply | Private Reply | To 39 | View Replies]

To: JohnHuang2
I have received five of these messages. It all happened over the weekend, and I haven't had one since.
41 posted on 05/02/2002 9:42:43 PM PDT by dougherty
[ Post Reply | Private Reply | To 1 | View Replies]

To: dixie sass; Ms. Antifeminazi; anymouse
Welcome to the family. I think MAF gave it to me....;^)

I used McAfee to get rid of it, I think...I hope.

42 posted on 05/02/2002 9:47:48 PM PDT by diotima
[ Post Reply | Private Reply | To 39 | View Replies]

To: JohnHuang2
Friend of mine who uses MS Internet Explorer & MS Outlook got hit with this worm last week. It sent infected mail to everyone in her address book. Happily, Outlook isn't my e-mail client, so I could open the bugger with no probs. Open???, you say? Yes, curiousity got the better of me, but all's swell that ends swell. :-)
43 posted on 05/02/2002 9:57:52 PM PDT by k2blader
[ Post Reply | Private Reply | To 1 | View Replies]

To: diotima
This virus has been ugraded to a 4 per symantec yesterday.

My apologies to my Freeper friends. I think I got it from my husband. ;)

44 posted on 05/02/2002 10:04:38 PM PDT by Ms. AntiFeminazi
[ Post Reply | Private Reply | To 42 | View Replies]

To: Ms. AntiFeminazi
...and I thought that he was such a nice guy. Tell him hello for me MAF.
45 posted on 05/02/2002 10:31:40 PM PDT by dixie sass
[ Post Reply | Private Reply | To 44 | View Replies]

To: Ms. AntiFeminazi
I just scanned last night, maybe I should scan again...I feel so dirty MAF. How could you? I trusted you....

LOL. I never had a virus before.

46 posted on 05/03/2002 8:16:17 AM PDT by diotima
[ Post Reply | Private Reply | To 44 | View Replies]

To: diotima; Dixie Sass
He is a nice guy. I'm sure that's why I caught the virus. lol.

Seriously dio, I think you may have gotten it from me. We were in the middle of an e-mail exchange when I caught it from somewhere else. Not that I can trace it or prove it, but the timing is a bit coincidental.

47 posted on 05/03/2002 8:23:06 AM PDT by Ms. AntiFeminazi
[ Post Reply | Private Reply | To 46 | View Replies]

To: Ms. AntiFeminazi
I still can't get an anti-virus reloaded on to my machine. I think that critter is still hiding somewhere. It had gotten into the registry and I still can't fix my email program. I will never open anything that says Basil or Sas again! Oh well, back to figuring this and other problems out. Have fun today girls!!
48 posted on 05/03/2002 8:43:05 AM PDT by dixie sass
[ Post Reply | Private Reply | To 47 | View Replies]

To: Lazamataz
Can you give me more instructions on where to set up the preview pane settings?

For Outlook:

Click "View" and uncheck "Preview pane" and "Auto Preview."

For Outlook Express:

Click "View" "Layout" and uncheck the "Preview Pane" option.


49 posted on 05/03/2002 8:53:41 AM PDT by Alouette
[ Post Reply | Private Reply | To 5 | View Replies]

To: Alouette
Thank you, French woman. :o)

Maybe I have been all wrong about the French.

BUT THE CANADIANS ARE STILL EVIL! EVVVVILL, I SAY!!!

50 posted on 05/03/2002 8:56:36 AM PDT by Lazamataz
[ Post Reply | Private Reply | To 49 | View Replies]


Navigation: use the links below to view more comments.
first 1-5051-56 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson