Slashdot Mirror


Klez, The Virus that Keeps on Giving

kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson." God bless Microsoft email viruses. I'm on a modem for a few weeks and downloading countless megs of mail viruses is extremely frustrating. Course I'm still getting sircams.

  1. f-prot and perl solved my problems by Nos. · · Score: 5, Interesting

    After getting infected with sircam (My McAfee wasn't updating or scanning properly for some reason) I decided to say screw it, and start scanning email on my server. Now, anything that comes in, gets scanned first. If f-prot can't find anything, then it gets delivered, otherwise it never shows up in my inbox. If you want a look at what I did, check out my scanner.

    1. Re:f-prot and perl solved my problems by azadrozny · · Score: 2, Interesting

      My company started scanning all incoming email at the firewall too. It was going fine until some numb-skull decided to download an attachment from his Hotmail account. Once opened inside the network, it did its dirty work.

    2. Re:f-prot and perl solved my problems by Shemp · · Score: 2, Interesting

      I tried this solution for a while too, but finally gave up on trusting the anti-virus vendors. After I got burned a few times by Norton coming out with an upgrade 2 hours AFTER I got infected, I stopped relying on it. I'm currently using the Email Sanitizer on my mail gateway. Instead of looking for virii (which will always be a try-to-stay-one-step-ahead-of-the-bad-guys type setup) I just have a list of attachments I don't allow. These happen to include all of the attachments that windows will execute on a double-click. I've gotten probably 400 klez for my domains over the last few weeks, and every one of them has been blocked. Since 99% of the virii that come into my network come through email, this has all but eliminated our problems.

  2. Klez, Klez.h, Klez.I, over 7.2% by Anonymous Coward · · Score: 3, Interesting

    They infect or have infected 7.2% of all computers. (more than any other virii)

    A windows version for cleaning your pc of Klez. (and removes Nimda, Melissa, etc.)

  3. certainly does... by Anonymous Coward · · Score: 1, Interesting

    had 300 emails waiting for me, from NAV for exchange when I got into work ....all of em blocking Klez (all from external :) )...what I want to know is why exim (all internet mail goes through an smtp box) accepted em in the first place...it's configured to not accept emails with .exe's

    hey ho.

  4. Number One with a bullet... by gurth · · Score: 3, Interesting

    The number of virus alerts I get from my mail gateway has been inundated with Klez for the last week or so. Identifying remote infections was at least possible with Magistr variants, as it only did minor iterative changes to email addresses. Klez lives on an entirely different stratum of nuisance.

  5. Really, how common are these things? by Malc · · Score: 5, Interesting

    "Course I'm still getting sircams"

    I've been working for 2.5 years for a company that uses Exchange and Outlook. Most of my friends and colleagues use Outlook or Outlook Express at work and home, although I still use Netscape for personal stuff. I've received 2 email viri ever, and neither of them were the "common" ones like Melissa or SirCam. It leaves me wondering if people are making a big fuss out of nothing, and being a bit sensationalist or simply an anti-Microsoft bigot.

    1. Re:Really, how common are these things? by Anonymous Coward · · Score: 2, Interesting

      As I work for an AV firm that deals with email protection I'll respond as a Coward to protect my employer.

      I'd have to say that the sheer number of customers who are calling in still dealing with nimda and magistr are alarming enough, without the numbers that are infected with KLEZ.

      This is not scare mongering, or anti-MS bantering.

      These email viruses are as pervasive as we are being led to believe and given the right payload, as dangerous, I'd have to say that given the number of people who find themselves infected it will only take ONE really evil virii creator to make some form of uber zombie ddos.

      Nimda didn't sustain category 4 for as long as Klez has.

  6. Mailing-lists by chrysalis · · Score: 4, Interesting

    The worst thing about that virus is that it has massively hit a lot of mailing-lists.

    Interesting threads on mailing lists died because of this. People got insulted although they didn't send anything. A lot of people unsubscribed from mailing-lists due to this.

    So people installed antivirus software, personal firewalls, etc. The result was that on mailing-lists, instead of having tons of viruses, we got tons of "alert: you have sent a virus, it has been removed by our robot", which is as frustrating as the original virus.

    Thanks a lot to Microsoft for being responsible for the most annoying viruses so far.


    1. Re:Mailing-lists by Anarchofascist · · Score: 3, Interesting

      The scum-wad(s) who wrote the virus are responsible for its actions. Microsoft should do a better job of writing secure software, but the primary responsibility lies with the virus writer.

      Who should bear responsibility, the architect who designs and builds 95% of houses in the world pre-installed with piles of oily rags, kindling and soaked in kerosene, or the pissy little vandal who finally threw one match?

      Shared responsibility between Microsoft and the vandals. Obviously. But Microsoft methodically lies about how secure their products are. At least the vandal's motives are plain and honest.

      --
      Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
  7. Typical. by scrytch · · Score: 5, Interesting

    The patch that prevents this has been out for over a year now. It's downloadable here. Microsoft included the patch with IE6 and IE5 SP2, so if you have either, you don't need it.

    Good dose of blame goes all around here.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  8. it's a boon for email farmers by mo · · Score: 5, Interesting

    Klez passed through my work a ways back and ever since then we've all been getting all kinds of spam. From what we can figure, the virus replied to all kinds of spam with the From line set to everybody's email address, including mine. So even though I hardly ever give my email away except for work issues, I'm now inundated with spam. Makes me think that someday some spammer out there will write a virus solely to collect email addresses.

  9. MIMEDefang by dskoll · · Score: 2, Interesting

    MIMEDefang stopped Klez cold at my clients' sites.

  10. Re:that is what by MisterBlister · · Score: 5, Interesting

    You don't need to be infected by Klez to be spoofed. If you're simply in the contact lists of anyone who gets infected, people might get some odd spam that's 'from you'. So not only can you not run outlook but you have to make sure nobody that emails you or might add you to their email contact lists runs outlook...Good luck.

    Unfortunately Microsoft can't take ALL the blame for the problems of Klez... The SMTP itself is inherently insecure to begin with and anyone can send mail that looks like it is from anyone else. Of course you can deduce that the mail is probably not from the source it says it is by tracing the SMTP headers back, but that's esoteric geek knowledge that not many people have relative to the total number of people who use email.
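    The header tracing mentioned above, as an added example that is not part of the original post: it walks the Received: lines of a constructed message to find the host that first injected it and compares that host with the From: domain. All hostnames and addresses are made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: From: claims a friend's domain, but the earliest Received:
# line (the bottom one) shows the message was injected from a dial-up host.
SAMPLE = b"""\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
\tby mx.example.net with ESMTP id abc123; Mon, 22 Apr 2002 09:00:00 +0000
Received: from dsl-77.home-isp.example (dsl-77.home-isp.example [198.51.100.77])
\tby mail.isp.example with SMTP; Mon, 22 Apr 2002 08:59:58 +0000
From: friend@friend-domain.example
To: you@example.net
Subject: hi

hello
"""

HOP_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def received_hops(raw_message):
    """Relay hostnames from the Received: lines, newest first (header order)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.match(str(value).strip())
        hops.append(match.group(1).lower() if match else "?")
    return hops

def origin_host(raw_message):
    """Host that first handed the message to a relay: the bottom Received: line,
    since every MTA prepends its own line at the top."""
    hops = received_hops(raw_message)
    return hops[-1] if hops else None

def from_domain(raw_message):
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return parseaddr(msg["From"])[1].rpartition("@")[2].lower()

def from_line_plausible(raw_message):
    """True when the originating host sits inside the From: domain. False is a
    hint, not proof: a roaming user sending through an ISP looks the same, and
    Received: lines below the one your own MTA added can themselves be forged."""
    host, domain = origin_host(raw_message), from_domain(raw_message)
    return bool(host and domain) and (host == domain or host.endswith("." + domain))
```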

  11. If you hired admins that were worth anything..... by RichMeatyTaste · · Score: 2, Interesting

    We just finished replacing GroupWise 5.5 with Exchange 2000 at work (Fortune 1000 global company) 3 weeks ago. We run Norton AV Corporate (push down new defs the minute they come out). We are running Win2k 75%, Win95 25%. All Win2k machines are SP2 and Feb 2002 security update. We haven't seen *1* instance of this lovely virus at the desktop. Actually, we haven't seen an email virus strike yet (crossing fingers). Hire good people, you get good results. Jason

    --
    Ever feel like you are driving the getaway car?
  12. Re:that is what by JordoCrouse · · Score: 3, Interesting

    Unfortunately Microsoft can't take ALL the blame for the problems of Klez... The SMTP itself is inherently insecure to begin with and anyone can send mail that looks like it is from anyone else.

    But only Microsoft provides a hands off and automagic way for somebody to take advantage of the insecurities in SMTP with little trouble.

    That's what is so bad about these little episodes. SMTP has existed since the early '70s, yet e-mail-borne viruses that take advantage of the SMTP header spoofing have only existed a few years.

    Hmm.....

    --
    Do you have Linux and a DotPal? Click here now!
  13. Re:Worse than porn spam from a priest... by brooks_talley · · Score: 2, Interesting

    Um, no. Ever heard of Nerve.com? Janesguide.com? Suicidegirls.com? (I'm not affiliated with any of those)

    While the bulk of adult sites are get-rich-quick operations that either send spam or operate affiliate programs that encourage *other* people to send spam on their behalf, there are decent sites that have good reputations, at least among people who don't substitute stereotypes for individual opinions.

    Cheers
    -b

  14. Here's what I did. by jchawk · · Score: 3, Interesting

    I got sick of all the spam, all the chain letters and all of the viruses. So I decided to run my own small mail server. I changed my email address and only gave it to people that would not open foolish attachments, and would not forward crap on to me.

    Running linux the viruses aren't a problem, but downloading and then wading through hundreds of emails sucked.

    I then use procmail along with SpamAssassin. Now when I check my email there is usually one or two messages, and they are relevant.

    Even the mailing lists I'm subscribed to get put in a separate folder.

    I can't complain at all anymore.

    What about those less than brilliant friends that are still affected? Well I leave icq and aim running so they can just leave me a message that way. :-)

    Hey if my mother can avoid getting infected with these stupid viruses so can you!

  15. Klez.H, Hardware killer by Artana+Niveus+Corvum · · Score: 3, Interesting

    I am the network administrator for the Absentee Shawnee Tribe of Oklahoma, recently we were assaulted by no less than 5 variants of the klez worm. Klez.C,E,F,G, and H... WATCH OUT FOR Klez.H!!! It is stinking creepy smart! Not only does it play the normal irritating klez crack games with your email system, it also knows how to delete your antivirus software (I've observed it doing this to Norton, McAfee, and InoculateIT), but worst of all, given time it actually knows how to write into motherboard and video card bios space on reboot with win9x! (it does this even if the stupid "boot virus protection" is enabled in the bios and bios flashability is TURNED OFF!) This is NOT a joke or a prank, this thing is freaking dangerous. I've already sent emails to Computer Associates, Norton, and McAfee... be careful people, be bloody careful

    --
    -----------------------------------------
    Remove the Greed which plagues mankind.
  16. Re:Pornographic attachments from priests? by blippo · · Score: 2, Interesting

    Well, science terminated WWII.

    An educated guess is that the shortest conflicts were those where one of the participants had access to (or developed) a superior weapon (sticks, fire, bows, catapults, atomic bombs etc).

    The antithesis would be WWI where the technical level was equal.

    No, *the* most interesting question is; How many wars has science prevented? How many has religion?

  17. Virus resistant address book by Technician · · Score: 3, Interesting

    I finally printed my address book out on paper. I put the address on it as a barcode. Now I e-mail people and put in addresses via the free scanner provided by Radio Shack. Now if everyone would delete their electronic address books, much of the MS spread security problems would go away.

    Not many people would drop the convenience so I don't see this as working. Too many users just can't be bothered to keep up on security and are way too willing to run an attachment sent to them that is supposed to keep them from getting a virus. It's OK to send me a virus warning. Don't send me an attachment to fix it. I'll check the usual trusted sources for the description and measures to fix it. Too many viruses are spread via social engineering.

    --
    The truth shall set you free!
  18. Yahoo! by Kris_J · · Score: 3, Interesting

    I'm so glad that I dumped my old Yahoo email address a week or so ago. That old address was in so many places. If it wasn't spam it was a virus. And when I started using the vacation system a few weeks before I turned the account off what wasn't spam or a virus was a "message undeliverable" message.

    I wonder how many responses to Klez emails bounce back with an "address unknown" error?

  19. Not that simple by pdh11 · · Score: 2, Interesting

    I have IE6 on Windows 2000 (i.e. Microsoft thinks I'm safe) but Outlook Express still attempts to auto-run Klez in my preview pane, and it's only a third-party virus scanner that stops it running.

    Peter

  20. Re:Don't flame MS quite so hard for this one... by duffbeer703 · · Score: 3, Interesting

    Computer science and computer security experts have been saying for years that Micros~1 hasn't got the first fscking clue when it comes to writing solid, reliable, secure code. This despite the fact that there have been several examples of, if not ideal solutions, good first approaches to the problem. Indeed, to create WinNT, Microsoft snarfed the VMS team from DEC, a bunch of guys who understood those principles.

    And yet, despite the mountains of examples both within and without the company, despite the millions of computers blue-screening every damned day, Microsoft willfully persists in making the same stupid mistakes.

    As is well-known, Word macro viruses were a big problem in years past. This was because Microsoft made a series of impossibly moronic decisions:

    * To incorporate a macro facility into Word directly (rather than as an external engine driven by IPC protocols, where access controls can be applied in a uniform manner),
    * To embed the macros into the Word documents directly, rather than as separate macro files (thus making it impossible for the user to distinguish between a normal document and an "active" one),
    * To set the default condition to run the macros automatically upon document loading, without informing the user,
    * To, by default, not inform the user that any of this idiocy was going on.

    Okay, fine, so Microsoft got bitten by their would-be cleverness, but they cleaned up their act, right? They learned their lesson, right?

    No. Not only did they refuse to acknowledge that they had fscked up royally, they went and deliberately committed the same errors again and again:

    * Not only does IE uncritically implement JavaScript, it also throws in Visual Basic scripting and ActiveX, all of which are turned on by default. This condition is identical to that which propagated the Word macro virus fiasco. Even their "secure" execution environments haven't prevented hostile Web sites from hijacking the browser.
    * Outlook likewise, without user intervention, will extract and launch embedded content while simultaneously hiding it from the user. The damn thing doesn't even check to make sure the MIME type and the filename extension are consistent.

    There's a term for this kind of behavior: Willful negligence. Oh, you can point out that there are security update downloads. But you can't ignore the fact that, if Microsoft had followed basic security principles, if they had learned from their own history -- hell, if they'd even extended common courtesy to their users -- this sort of thing wouldn't have happened in the first place.

    This isn't an honest mistake. This is a pattern with over twenty years of history behind it.

    Any responsibility borne by Microsoft is equalled by the responsibility borne by those users who don't apply security updates and don't run up-to-date firewall and virus checking software.

    I agree that uneducated users are a big problem. But, especially with the advent of broadband connectivity, what Microsoft has effectively done is to give a loaded Uzi with the safety off to eight-year-olds, and then fail to train them in its use or even tell them where the safety lock is.

    Microsoft touts its products as turnkey, ready-to-go, fire-and-forget, no setup, no configuration, no need to learn computer-ese, just sit down and become productive immediately. This is misleading in the extreme. Training is required; proper configuration is required (because Microsoft keeps setting the defaults wrong). As such, I feel Microsoft bears a significant burden of responsibility for the havoc their software has wreaked on the Internet.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
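    The extension blocklist Shemp describes in comment 2 and the MIME-type versus filename consistency check that the comment above says Outlook skips, combined into one gateway filter as an added example. It is not the Email Sanitizer, MIMEDefang or any commenter's code; the sample message, addresses and extension list are constructed for illustration.

```python
import email
import mimetypes
import os
from email import policy

# Extensions Windows runs on a double-click (illustrative subset, not a complete list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js", ".lnk"}
GENERIC_TYPES = {"application/octet-stream"}  # too vague to compare against a filename
# Constructed sample: a benign PDF, an .exe declared as audio (the Klez pattern), a text file declared as a program.
SAMPLE = b"""\
From: someone@parish.example
To: you@example.net
Subject: a funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"

hello
--B1
Content-Type: audio/x-wav; name="game.exe"
Content-Disposition: attachment; filename="game.exe"

hello
--B1
Content-Type: application/x-msdownload; name="readme.txt"
Content-Disposition: attachment; filename="readme.txt"

hello
--B1--
"""

def attachment_findings(raw_message):
    """Return one (filename, verdict, reason) tuple per attachment, in message order."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.get_content_maintype() == "multipart" or not filename:
            continue  # container or inline body text, not an attachment
        ext = os.path.splitext(filename)[1].lower()
        declared = part.get_content_type()
        implied, _ = mimetypes.guess_type(filename)  # what the name says it should be
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, "block", "extension %s is executable" % ext))
        elif declared not in GENERIC_TYPES and implied and implied != declared:
            findings.append((filename, "block", "declared %s, name implies %s" % (declared, implied)))
        else:
            findings.append((filename, "allow", "passes attachment policy"))
    return findings

def should_deliver(raw_message):
    return all(v == "allow" for _, v, _ in attachment_findings(raw_message))  # gateway decision
```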
  21. Re:Another argument for CONFIRMING list subscribe by Koschei · · Score: 2, Interesting

    Amusingly, the virus is:

    (a) finding list subscription addresses in the inbox
    (b) emailing them
    (c) finding list subscription confirmation address in the inbox
    (d) emailing them.

    So the virus is auto-subscribing people to lists they don't necessarily want to be on, or are already on.

    --
    -- koschei