Evil e-mail tricks PC users: 'Klez' disguises self with variety of subjects, senders
Posted on 04/24/2002 11:41:24 PM PDT by JohnHuang2
If you're seeing a sudden surge in the amount of e-mail in your inbox, chances are it has little to do with your popularity.
Delete buttons on personal computers are getting a workout this week thanks to a tricky e-mail worm tunneling across America and the rest of the world.
Known as "Klez," the worm has been bombarding mailboxes with unsolicited messages, replicating itself and changing its own appearance by displaying a variety of subjects and senders.
"It's a worm that spreads really quickly," said Sharon Ruckman, senior director for anti-virus software maker Symantec's security response team. "And it carries an additional payload that can do some damage."
That additional payload is a virus known as "Elkern," which tries to infect other systems by sharing information. When combined with Klez, the two create problems that go beyond large amounts of incoming mail.
"It can release confidential information on your system which is never a good thing to have happen," Ruckman told WorldNetDaily. "It also has the ability to remove anti-virus software."
Klez is more deceptive than some previous problem e-mails, as it has a wide variety of titles displayed in the subject line, and can latch on to an e-mail address of someone a user knows and insert it in the "From" field, making users more apt to open it and thus get infected.
Some of the titles listed in infected mails include:
Klez also uses some combinations of random words in subject lines, to make it even more confusing. The random words include:
Some messages even appear to be trying to help PC users by offering a patch or removal tool for Klez or Elkern, but are nothing more than the worm itself.
"They're trying to get people to open it," Ruckman said regarding the virus writers' clever deception skills. She added that her company does not send removal tools to people by unsolicited e-mail.
Symantec has ranked Klez at a category 3 medium risk on a scale of 1 to 5, with 5 being the most dangerous.
"That means it's spreading in the wild more quickly, but it's not as serious as [other viruses like] Melissa or LoveBug," Ruckman said. She also says the Nimda virus which debuted last year is still problematic.
According to anti-virus software maker Trend Micro's world virus tracking center, Elkern and Klez are currently the top two ranked viruses. In the past 24 hours, they are estimated to have infected over 400,000 files globally.
Several strategies can be employed in preventing computers from being infected. Home PC users should avoid opening the messages and delete e-mails with attachments, especially if something appears strange in the subject or sender's line.
"Don't be curious about e-mail," Ruckman said. "Just delete it." Once deleted, users should also empty their trash bins.
She also recommends having anti-virus software on your machine, plus the "latest and greatest software patches," which can be downloaded from Microsoft.
Corporate e-mail users can have their system administrators attack the problem by filtering out certain attachments and subject lines at the gateway of their mail servers.
If a computer has been infected, free removal tools are available from both Symantec and Trend Micro.
But despite assurances from anti-virus companies, some organizations like ACT Teleconferencing in Hong Kong are having trouble curing the problem.
"Irrespective of what Symantec or other vendors say, there has been no way to stop this worm in the short term," Bob Deverell of ACT told the South China Morning Post this week.
"We have been struggling to clean our machines," he said. "We haven't been able to stop it and we're very competent."
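The gateway-side defence the article mentions (filtering attachments and subject lines before mail reaches users) can be expressed as a small screening routine. The following is an added example, not code from the article, from Symantec, or from any commenter: it uses Python's standard email parser on two constructed sample messages and flags the traits the article describes: a lure subject offering a "patch" or "removal tool", an executable attachment, and a "From" address that claims to be an internal user although the message arrived from outside. It assumes a hypothetical X-Gateway-Source header stamped by the receiving mail server, a constructed internal domain example.com, and adds one heuristic that goes beyond the article, flagging an attachment whose declared MIME type does not match its executable filename.

```python
"""Mail-gateway screening for Klez-style mass-mailer messages (added example).

All sample messages, the internal domain and the X-Gateway-Source header are
constructed for illustration; adjust the lists below to local policy.
"""
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Attachment extensions to quarantine outright (assumption: a typical block list).
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs"}

# Subject-line lures: the article notes mails posing as a patch or removal tool.
LURE_SUBJECT = re.compile(r"\b(klez|elkern|removal tool|patch)\b", re.IGNORECASE)

# Declared MIME types that never legitimately carry a Windows executable.
NON_EXECUTABLE_TYPES = {"audio/x-wav", "audio/x-midi", "image/jpeg", "image/gif", "text/plain"}


def screen_message(raw: str, internal_domain: str) -> list:
    """Return the reasons a message should be quarantined (empty list = deliver)."""
    msg = message_from_string(raw)
    reasons = []

    subject = msg.get("Subject", "")
    if LURE_SUBJECT.search(subject):
        reasons.append(f"lure subject: {subject!r}")

    # Spoof check: the worm forges the From field with an address the recipient
    # knows.  A mail that claims an internal sender but entered from outside is
    # suspect.  Assumption: the MTA stamps X-Gateway-Source before calling us.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    source = msg.get("X-Gateway-Source", "external").lower()
    if sender_domain == internal_domain.lower() and source == "external":
        reasons.append(f"forged internal sender: {sender}")

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment: {filename}")
            # Added heuristic: an executable presented under a harmless MIME
            # type is being disguised from the mail client.
            if part.get_content_type() in NON_EXECUTABLE_TYPES:
                reasons.append(f"MIME type {part.get_content_type()} disguises {filename}")
    return reasons


# Constructed Klez-like message: lure subject, forged internal sender,
# executable attachment declared as audio.
KLEZ_LIKE_MESSAGE = "\n".join([
    "From: colleague@example.com",
    "To: user@example.com",
    "Subject: A special removal tool for Klez",
    "X-Gateway-Source: external",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/html",
    "",
    "<html><body>Run the attached tool to clean your PC.</body></html>",
    "--b1",
    'Content-Type: audio/x-wav; name="tool.exe"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="tool.exe"',
    "",
    "TVqQAAMAAAAEAAAA",
    "--b1--",
    "",
])

# Constructed ordinary message: external partner, PDF attachment.
CLEAN_MESSAGE = "\n".join([
    "From: accounts@partner.net",
    "To: user@example.com",
    "Subject: Q2 invoice",
    "X-Gateway-Source: external",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b2"',
    "",
    "--b2",
    "Content-Type: text/plain",
    "",
    "Invoice attached.",
    "--b2",
    'Content-Type: application/pdf; name="invoice.pdf"',
    'Content-Disposition: attachment; filename="invoice.pdf"',
    "",
    "%PDF-1.4",
    "--b2--",
    "",
])

if __name__ == "__main__":
    for label, raw in (("klez-like", KLEZ_LIKE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        verdict = screen_message(raw, "example.com")
        print(label, "->", "QUARANTINE" if verdict else "deliver", verdict)
```

In a real deployment the reasons list would feed the gateway's quarantine action and be logged so that the help desk can explain to users why a message was held; the spoof check in particular is only as good as the header the receiving server stamps, so that header must be stripped from inbound mail before it is added.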
In Outlook Express, the only way to delete a message is to open the message. You have to highlight the message, which opens it, in order to hit the delete key.
I have received a few e-mails with this virus and Norton brought them to my attention. Norton was not able to do anything with them, so I deleted the messages manually and then ran virus scan again, after making sure that I had the latest Norton update.
I noticed that when I would open the message (NOT the attachment), that a web page would automatically come up.
I have come up clean with a Norton virus scan, but I can't help but wonder about that web page that opened up.
I've always believed that you cannot pick up a virus unless you open the attachment, but lately I've been hearing that just opening the e-mail message can spread the virus.
Click on the folder, click on View and click on Preview Pane to turn it off and on.
I had Preview Pane enabled and that did it. My husband had to bring home the Symantec vaccine that we ran 4 times.
The bug managed to replicate itself each time I tried to launch a program. Very nasty!
That was what was upsetting. Here I am, paying for a subscription to Norton AV, and it was helpless.
Sorry to hear that you got hit.
No, you don't have to open it. Just drag it over to Deleted Items!
My Norton 2002 got it and quarantined it.
I had to use this here
Symantec has provided a tool to remove infections of W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926.

Note on W32.Klez.gen@mm detections: W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most cases, the tool will be able to remove the infection.

What the tool does

The W32.Klez Removal Tool does the following:
- It terminates all processes that are associated with W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926.
- It deletes the W32.Klez.E@mm and W32.Klez.H@mm service(s).
- It removes the registry entries that were created by W32.Klez.E@mm and W32.Klez.H@mm.
- It detects all types of W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926 infections, and repairs files that can be repaired.