Slashdot Mirror


Klez, The Virus that Keeps on Giving

kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson." God bless microsoft email viruses. I'm on a modem for a few weeks and downloading countless megs of mail viruses is extremely frustrating. 'Course I'm still getting sircams.

27 of 683 comments

  1. Not from Line by Anonymous Coward · · Score: 1, Informative

    Look in header for RETURN PATH. That's where it came from. Friend at Michigan State was infected...

  2. Save your bandwidth by shepd · · Score: 5, Informative

    telnet mail.xyz.com 110

    user (username)
    pass (password)
    list
    top (number of message to check) (kb to read)
    dele (message to delete)
    retr (number of message to read entirely)
    quit

    Quicker, cheaper, easier. This was one of the best tips I got from a friendly sysadmin. :)

    Of course, I would ask why CmdrTaco didn't check the RFC, but hey, who am I to question slashdot's leader? ;)

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    1. Re:Save your bandwidth by rediguana · · Score: 4, Informative

      If you want a pretty windoze gui for doing the same thing, and free as in 'beer' / nagware, try Mailwasher. The ability to bounce spam and delete virii from POP boxes before downloading, not to mention dickheads who send huge emails, is very useful. It has saved me numerous times.

    2. Re:Save your bandwidth by SysKoll · · Score: 3, Informative

      I totally agree, it's how I check my email from friends' machines when said friend does not want me to mess with his POP account setup.

      However, it is time consuming to view each message this way.

      Small remark: the TOP command takes as arguments the message number and the number of lines (not the number of kilobytes) to display.
      TOP 1 20
      will display the first twenty lines of message 1.

      --
      Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

  3. Try qmail-scanner by Havokmon · · Score: 4, Informative
    Qmail Scanner uses the qmailqueue patch, supports your favorite virus scanner (FProt free for Linux), MIME decoding, and hacked up MS email.

    Works wonders

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  4. Virii? What Virii? by kindbud · · Score: 5, Informative

    Ever since we stopped allowing people to receive executable attachments (thanks to MIMEdefang!), the virii have all but disappeared. There is no need to scan for virii on a mail server. Just get rid of executable attachments (there's a big list of them in MIMEdefang's example configuration). All these trojans use stupid Outlook auto-execute tricks/bugs/features to propagate. Executables shouldn't be sent as a direct attachment anyway. Either wrap it up in a zip file (the recipient has no excuse when he infects himself) or put it up on the ftp site and send a URL. This has got to be one of the basic elements of securing a network where Outlook users lurk - no executable attachments (picture Joan Crawford on a rampage).

    MIMEdefang also gives us the ability to call Mail::Spamassassin from a sendmail Milter, something Spamassassin itself does not yet support. The latest version also supports the File::Scan module for writing virus scanners in perl.

    --
    Edith Keeler Must Die
  5. Help For Windows Users by Servo5678 · · Score: 3, Informative
    I use a freeware, non-spyware, small Windows program called Popcorn to check all my e-mail before I download it to Outlook Express. Popcorn does not support attachments at all; it shows received attachments as base64-encoded text. It's great for filtering out junk; I just delete it from the server directly.

    http://www.ultrafunk.com/products/popcorn/ is the website for the program.

    I have nothing to do with the program or its development, I'm just a happy user.

  6. Klez Virus by feldkamp · · Score: 3, Informative

    We got hit by Klez (AMG; allmusic.com). Let me tell you, it SUCKED. This was a really potent virus. It got in through our video department (somebody opened an email...) and from there, it spread through some shared network apps. Within an hour or so, virtually everyone was toasted.

    Since this one spread through exe's, and since it was one strain of like 20 different Klez variants, cleaning was a real bitch. Luckily, I'm in programming, so I didn't have to do much of the visit-everyone's-machine thing. I did have to format my box, though, as all my applications (including system apps) were hosed.

    mike feldkamp

  7. Re:Virii? What Virii? by Anonymous Coward · · Score: 2, Informative
    http://www.perl.com/language/misc/virus.html

    The plural of virus is neither viri nor virii, nor even vira nor virora. It is quite simply viruses, irrespective of context. Here's why.

  8. Re:Typical. by feldkamp · · Score: 2, Informative

    Careful... even if you have this patch, you can still get the virus from an exe on your network. This happened to me at work. All because I was a couple weeks behind updating my virus definitions... :(

    All it takes is one doofus down the hall who opens that infected screen-saver file, or exe, com, etc. in his email to cause you a ton of grief.

  9. Re:modem's and email - the solution by reaper20 · · Score: 3, Informative

    hmmm, that web interface looks suspiciously like squirrelmail.

    IMAP Rules, plain and simple. Take an old PC, throw Debian on it, and use courier+postfix+squirrelmail+procmail+spamassassin+maildirs and all mail problems tend to disappear.

  10. f-prot and perl CAN'T SOLVE THE REAL PROBLEM by doja · · Score: 3, Informative

    The real problem is that Klez is emailing itself from an infected machine to a flood of people using your and my email address in the From: line. Not only does this cause a ton of people to respond to you and me saying "you must have a virus" or thinking that we really think that this penis enlargement solution works (or that we need one) -- but, it distributes your email address to others who may potentially get infected themselves, who may in turn infect others. Next thing you know, your email address that you've been so diligent about keeping somewhat private is inundated with spam and viruses.

  11. Re:MOD THIS UP by S.Lemmon · · Score: 4, Informative
    Yeah right - it's just a cut and paste job from sophos' web site and they didn't even get the right virus!

    It's a description of badtrans not klez.

  12. Re:f-prot and perl solved my problems by Anonymous Coward · · Score: 2, Informative

    The latest (Klez) didn't require you to double-click on any attachments. The email itself was an HTML document, with an <iframe> tag including the attachment in the document. The iframe'd attachment used the old (already patched) MIME bug (claim to be audio, but really be an executable) to run automatically.

    Had these people opened the mail at all, the virus would have been executed.

    Of course, had they kept their version of Windows/IE current, it wouldn't be a problem.

  13. Re:Really, how common are these things? by Anonymous Coward · · Score: 1, Informative

    Some statistics:

    • I receive about 10 worm/virus mails per day. There are some SirCams but most are Klez mails.
    • About every other day I receive a message from some mailer daemon that one of "my" mails can't be delivered because it contains a virus. There are probably many recipients which are not protected by filtering mailer daemons, so the real number of mails sent in my name is most likely much higher.
    • When SirCam started to show up, ca. 100 per day ended up in my mailbox, the top 5 "From" TLD-domains were: com, net, ar, mx, kr. The TLD of the target address is "de". There was only 1 in 1000 SirCam mails coming from de.
    • One of my email addresses is listed on many (1000+) webpages all over the world. Many different people have sent email to that address. Browser caches and Outlook address books are the places where current worms get their victims' addresses from (addresses to which mails are sent are automatically added to the address book.)
  14. Re:Klez, Klez.h, Klez.I, over 7.2% by dodald · · Score: 3, Informative
    He may not, but I do :), not sure how accurate this stuff is, but here goes.

    http://news.zdnet.co.uk/story/0,,t269-s2109354,00.html

    --
    101010b 2Ah 52o
  15. My OSS plug... (Not off-topic though) by ryanvm · · Score: 3, Informative

    I got tired of dealing with my users' virus problems a long time ago. So I wrote batemail. It's a Perl script that you slip between your MTA (e.g. Sendmail) and your local mailer (e.g. Procmail) that filters out ALL executable attachments.

    I've been using it in my production environment for over a year now and it works like a charm. And it's open source, too!

    1. Re:My OSS plug... (Not off-topic though) by JoshuaDFranklin · · Score: 5, Informative

      Dude... just use Procmail's built-in capabilities. No need to put an interpreted script in between your MTA and MDA. Out of the goodness of my heart, here's some actual working stuff to put in your /etc/procmailrc that dumps all email with executable attachments in /var/virusdump/:

      #/etc/procmailrc
      VIRUSLOG=/var/virusdump/viruslog

      :0 # Use procmail match feature
      * ^To:\/.*
      {
      HTO = "$MATCH"
      }

      :0 # Use procmail match feature
      * ^From:\/.*
      {
      HFR = "$MATCH"
      }

      NL="
      "

      :0
      *.for virususer;.*
      /var/virusdump/virususer

      :0
      *^Content-type:.*
      {
      :0 HB
      *name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|bat|js)"
      {
      :0c
      ! virususer

      :0 fhw
      | (/usr/bin/formail -r; \
      echo -e "This is an auto-generated message on behalf of${HTO}:\n\
      \n\
      The email referenced above, which was sent from your address, \n\
      had a virus-vulnerable attachment (such as .EXE, .VBS, .PIF, etc).\n\n\
      This mail server no longer accepts mail with virus-vulnerable \n\
      attachments and the email has been quarantined.\n\
      Please try resending your attachment in a safe format such as ZIP. \n\
      Contact support@iocc.com if you have any questions")\
      | mail -s "Possible virus deleted" "${HFR}"

      :0
      | echo "VIRUS From:${HFR} To:${HTO}" >> $VIRUSLOG

      :0
      /dev/null
      }
      }
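      The header-only triage that comment 2 does by hand over telnet, combined with the attachment checks the procmail recipe above and comment 12 describe, as an added example that is not from the thread: Python 3 standard library only, the host/user/password parameters are whatever your POP3 account uses, and SAMPLE_KLEZ is a constructed message, not a real capture.

```python
import email
import poplib
from email import policy

# Attachment extensions the procmail recipe in comment 15.1 quarantines.
RISKY_EXT = (".vbs", ".wsf", ".vbe", ".wsh", ".hta", ".scr", ".pif", ".exe", ".bat", ".js")

def triage(raw_top: bytes) -> list[str]:
    """Reasons to delete a message unseen, judged from TOP output: all headers plus
    the first k body lines, enough to see each MIME part's type and name."""
    reasons = []
    for part in email.message_from_bytes(raw_top, policy=policy.default).walk():
        name = part.get_filename() or ""  # filename= or the Content-Type name=
        ctype = part.get_content_type()
        if name.lower().endswith(RISKY_EXT):
            # Comment 12's trick: an .exe declared as audio so a vulnerable client auto-runs it.
            reasons.append(f"{ctype} part named {name!r} is executable")
        elif ctype == "text/html" and b"<iframe" in (part.get_payload(decode=True) or b"").lower():
            reasons.append("HTML body embeds an attached part via <iframe>")
    return reasons

def clean_mailbox(host, user, password, body_lines=40) -> list[int]:
    """Comment 2's telnet session automated: TOP each message, DELE the flagged
    ones, QUIT (POP3 commits deletions only on QUIT, so Ctrl-C before that is safe)."""
    pop = poplib.POP3(host)
    pop.user(user)
    pop.pass_(password)
    deleted = []
    for n in range(1, pop.stat()[0] + 1):
        if triage(b"\r\n".join(pop.top(n, body_lines)[1])):
            pop.dele(n)
            deleted.append(n)
    pop.quit()
    return deleted

# Constructed sample shaped like the mail comment 12 describes; not a real capture.
SAMPLE_KLEZ = b"""\
From: priest@example.org
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body><iframe src="cid:part1" height=0 width=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="setup.exe"

(attachment bytes omitted from this constructed sample)
--b1--
"""
```

      Because TOP never transfers the base64 payload, a 49k Klez costs a few hundred bytes to recognise and drop, which is the whole point on a modem.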

  16. Re:Just another reason... by Mike+Schiraldi · · Score: 3, Informative

    Using a Mac (or, in my case, Linux) isn't going to help you. The problem isn't that you get infected with the virus, it's that other people who are infected are going to either:

    1. Send you tons of mail with huge attachments

    or

    2. Send other people tons of mail with huge attachments and list you as the return address

  17. Re:Scripts by afidel · · Score: 3, Informative

    Actually it's because some very large clients with tens of thousands of seats have built entire middleware on exchange/outlook. Things like a remote salesman gets a PO from a client, they go into a product catalog in their web browser, it creates the order, places it in their outbox, then when they get in the office it fires the email which automatically gets routed based on rules on the exchange side of things (like if over x million skip a few middle managers etc). Nowadays most of this would be done with intranets and java middleware driving the business logic, but for companies that have tens of millions invested in their solutions they don't want outlook to go back to being an email client.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  18. klez ? Use Postfix. by little_fluffy_clouds · · Score: 2, Informative

    in main.cf:

    body_checks = regexp:/etc/postfix/body_checks

    in body_checks:

    /^begin(-base64)? [0-9]+.*(\.|=2E)exe(\?=)?(\.)?/ REJECT
    /^[^]*(body|filename|name=).*(\.|=2E)exe(\?=)?(\.)?/ REJECT

    You have to do the same two lines for bat, pif and scr (put them where the above two lines say exe). I could not paste them all due to the lameness filter telling me to use less junk characters.

    --
    What were the skies like when you were young?
  19. Re:Klez.H, Hardware killer by Artana+Niveus+Corvum · · Score: 2, Informative

    PLEASE NOTE!!!
    I have just received a reply from Computer Associates and this is not, I repeat NOT the same as Win32/Klez.H (klez.h@mm). I have been informed that CA will look into my findings. (I'm mailing them a bios chip wiped by the thing tomorrow afternoon)

    --
    -----------------------------------------
    Remove the Greed which plagues mankind.
  20. ISPs are shying away from IMAP for regular lusers. by dsandler · · Score: 2, Informative

    Despite its superiority for most applications (including spamfighting), IMAP is still losing to POP and will continue to do so for some time. Why? Because ISPs (and other mailbox providers) don't like providing diskspace for their users' mailboxes. A huge mailspool is bad enough, but the default behavior of most POP clients is to move a user's incoming messages from her inbox to her PC -- removing the burden from the provider.

    It's a perfect case of service-provider myopia, too: if the technology were better applied, IMAP clients might be able to delete viral attachments (or IMAP servers might strip them out) before they're even downloaded, cutting down on virus retransmission, and eventually reducing the overall storage requirement of those users.

    As with everything else, the best solutions to the spam problem will only be available to those savvy few (hey, that's you!). Unfortunately, just like with a communicable disease, you can't just cure a few people -- you have to cure the whole population.

  21. Only grab the headers by HaggiZ · · Score: 2, Informative

    Of course the best way to stop this trash, especially if you are on a modem, is to only grab the headers and delete the stuff you obviously don't want.

    Mailwasher is the best I've found for doing this. Not only will it delete from the server, but if it's a notorious spammer then you can tick the bounce box and it will reply with a user unknown error, hopefully meaning you'll never be hassled by those morons ever again.

    Pretty effective, and made my life a whole lot easier. And best of all, from their page... "It's free. That's right, you can keep on using this program and it won't expire. You are offered the chance to register MailWasher and pay a price you think it is worth. Think of this payment as a tip - so please contribute something."

    Enjoy peoples, and go easy on their server (if I had a decent connection myself, I'd post a mirror, but alas)

  22. Klez can't Get You if you run Mozilla by SailorBob · · Score: 2, Informative
    I use either Netscape 4.x or Mozilla on all machines I'm responsible for. Apparently Klez doesn't build RFC compliant emails, such that the attachments don't show up in Mozilla. My girlfriend kept complaining that she was getting blank mails from all kinds of people. So I checked a few of the emails out via view source and what do you know? Klez! By the way, it's about 49k. No machine that I run has ever had a virus.

    Simple rule: No Outlook, no Virii

    --

    Woopty Doo Basil, what does it all mean?!

  23. Re:Scripts by Captain+Large+Face · · Score: 3, Informative

    This can easily be done with a call to a remote image generating script, which passes a unique id as an argument.

  24. Re:Scripts by x0n · · Score: 2, Informative

    Klez isn't based on any embedded java/vb scripts in the email. It's just an executable attachment that may get automatically executed using an old MIME exploit (similar to one at least one *nix mail client had, PINE 3.92 I believe?). If it isn't run automatically on a patched client, the god damn muppet m$ user will run it anyway. you can't win.

    --

    PGP KeyId: 0x08D63965