Slashdot Mirror

← Back to Stories (view on slashdot.org)

Klez, The Virus that Keeps on Giving

Posted by CmdrTaco on from the isnt-that-special dept.

kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson." God bless microsoft email viruses. I'm on a modem for a few weeks and downloading countless megs of mail viruses is extremely frusterating. Course I'm still getting sircams.

16 of 683 comments (clear)

  1. Save your bandwidth by shepd · · Score: 5, Informative

    telnet mail.xyz.com 110

    user (username)
    pass (password)
    list
    top (number of message to check) (kb to read)
    dele (message to delete)
    retr (number of message to read entirely)
    quit

    Quicker, cheaper, easier. This was one of the best tips I got from a friendly sysadmin. :)

    Of course, I would ask why CmdrTaco didn't check the RFC, but hey, who am I to question slashdot's leader? ;)

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    1. Re:Save your bandwidth by rediguana · · Score: 4, Informative

      If you want a pretty windoze gui for doing the same thing, and free as in 'beer' / nagware, try Mailwasher. The ability to bounce spam and delete virii from POP boxs before downloading, not to mention dickheads who send huge emails is very useful. It has saved me numerous times.

    2. Re:Save your bandwidth by SysKoll · · Score: 3, Informative

      I totally agree, it's how I check my email from friends' machines when said friend does not want me to mess up with his POP account setup.

      However, it is time consuming to view each message this way.

      Small remark: the TOP command takes as arguments the message number and the number of lines (not the number of kilobytes) to display.
      TOP 1 20
      will display the first twenty lines of message 1.

      --

      --
      Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

  2. Try qmail-scanner by Havokmon · · Score: 4, Informative
    Qmail Scanner uses the qmailqueue patch, supports your favortite virus scanner (FProt free for Linux), MIME decoding, and hacked up MS email.

    Works wonders

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
  3. Virii? What Virii? by kindbud · · Score: 5, Informative

    Ever since we stopped allowing people to receive executable attachments (thanks to MIMEdefang!), the virii have all but disappeared. There is no need to scan for virii on a mail server. Just get rid of executable attachments (there's a big list of them in MIMEdefang's example configuration). All these trojans use stupid Outlook auto-execute tricks/bugs/features to propagate. Executables shouldn't be sent as a direct attachment anyway. Either wrap it up in a zip file (the recipient has no excuse when he infects himself) or put it up on the ftp site and send a URL. This has got to be one of the basic elements of securing a network where Outlook users lurk - no executable attachments (picture Joan Crawford on a rampage).

    MIMEdefang also gives us the ability to call Mail::Spamassassin from a sendmail Milter, something Spamassassin itself does not yet support. The latest version also supports the File::Scan module for writing virus scanners in perl.

    --
    Edith Keeler Must Die
  4. Help For Windows Users by Servo5678 · · Score: 3, Informative
    I use a freeware, non-spyware, small Windows program called Popcorn to check all my e-mail before I download it to Outlook Express. Popcorn does not support attachments at all, it shows received attachments as base64-encoded text. It's great for filtering out junk, I just delete it from the server directly.

    http://www.ultrafunk.com/products/popcorn/ is the website for the program.

    I have nothing to do with the program or its development, I'm just a happy user.

  5. Klez Virus by feldkamp · · Score: 3, Informative

    We got hit by Klez (AMG; allmusic.com). Let me tell you, it SUCKED. This was a really potent virus. It got in through our video department (somebody opened an email...) and from there, it spread through some shared network apps. Within an hour or so, virtually everyone was toasted.

    Since this one spread through exe's, and since it was one strain of like 20 different Klez variants, cleaning was a real bitch. Luckily, I'm in programming, so I didn't have to do much of the visit-everyone's-machine thing. I did have to format my box, tho, as all my applications (including system apps) were hosed.

    mike feldkamp

  6. Re:modem's and email - the solution by reaper20 · · Score: 3, Informative

    hmmm, that web interface look suspiciously like squirrelmail.

    IMAP Rules, plain and simple. Take an old PC, throw Debian on it, and use courier+postfix+squirrelmail+procmail+spamassassin +maildirs and all mail problems tend to disappear.

  7. f-prot and perl CAN'T SOLVE THE REAL PROBLEM by doja · · Score: 3, Informative

    The real problem is that Klez is emailing itself from an infected machine to a flood of people using your and my email address in the From: line. Not only does this cause a ton of people to respond to you and me saying "you must have a virus" or thinking that we really think that this penis enlargement solution works (or that we need one) -- but, it distributes your email address to others who may potentially get infected themselves, who may in turn infect others. Next thing you know, your email address that you've been so diligent about keeping somewhat private is inundated with spam and viruses.

  8. Re:MOD THIS UP by S.Lemmon · · Score: 4, Informative
    Yeah right - it's just a cut and paste job from sophos' web site and they didn't even get the right virus!

    It's a description of badtrans not klez.

  9. Re:Klez, Klez.h, Klez.I, over 7.2% by dodald · · Score: 3, Informative
    He may not, but I do :), not sure how acurate this stuff is be here goes.

    http://news.zdnet.co.uk/story/0,,t269-s2109354,00. html

    --
    101010b 2Ah 52o
  10. My OSS plug... (Not off-topic though) by ryanvm · · Score: 3, Informative

    I got tired of dealing with my users' virus problems a long time ago. So I wrote batemail. It's a Perl script that you slip between your MTA (e.g. Sendmail) and your local mailer (e.g. Procmail) that filters out ALL executable attachments.

    I've been using it in my production environment for over a year now and it works like a charm. And it's open source, too!

    1. Re:My OSS plug... (Not off-topic though) by JoshuaDFranklin · · Score: 5, Informative

      Dude... just use Procmail's built-in capabilities.
      No need to put an interpreted script in between
      your MTA and MDA. Out of the goodness of my heart,
      here's some actual working stuff to put in your /etc/procmailrc that dumps all email with
      executable attachments in /var/virusdump/:
      #/etc/procmailrc
      VIRUSLOG=/var/ virusdump/viruslog

      :0 # Use procmail match feature
      * ^To:\/.*
      {
      HTO = "$MATCH"
      }

      :0 # Use procmail match feature
      * ^From:\/.*
      {
      HFR = "$MATCH"
      }

      NL="
      "

      :0
      *.for virususer;.*
      /var/virusdump/virususer

      :0
      *^Content-type:.*
      {
      :0 HB
      *name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|bat|js )"
      {
      :0c
      ! virususer

      :0 fhw
      | (/usr/bin/formail -r; \
      echo -e "This is an auto-generated message on behalf of${HTO}:\n\
      \n\
      The email referenced above, which was sent from your address, \n\
      had a virus-vulnerable attachement (such as .EXE, .VBS, .PIF, etc).\n\n\
      This mail server no longer accepts mail with virus-vulnerable \n\
      attachments and the email has been quarantined.\n\
      Please try resending your attachment in a safe format such as ZIP. \n\
      Contact support@iocc.com if you have any questions")\
      | mail -s "Possible virus deleted" "${HFR}"

      :0
      | echo "VIRUS From:${HFR} To:${HTO}" >> $VIRUSLOG

      :0
      /dev/null
      }
      }

  11. Re:Just another reason... by Mike+Schiraldi · · Score: 3, Informative

    Using a Mac (or, in my case, Linux) isn't going to help you. The problem isn't that you get infected with the virus, it's that other people who are infected are going to either:

    1. Send you tons of mail with huge attachments

    or

    2. Send other people tons of mail with huge attachments and list you as the return address

    --

    --
    Mod up a post Rob doesn't like and you'll never mod again

  12. Re:Scripts by afidel · · Score: 3, Informative

    Actually it's because some very large clients with tens of thousands of seats have built entire middleware on exchange/outlook. Things like a remote salesman gets a PO from a client, they go into a product catalog in their web browser, it creates the order, places it in their outbox, then when they get in the office it fires the email which automatically gets routed based on rules on the exchange side of things (like if over x million skip a few middle managers etc). Nowadays most of this would be done with intranets and java middleware driving the business logic, but for companies that have tens of millions invested in their solutions they don't want outlook to go back to being an email client.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  13. Re:Scripts by Captain+Large+Face · · Score: 3, Informative

    This can easily be done with a call to a remote image generating script, which passes a unique id as a argument.