Slashdot Mirror
Klez, The Virus that Keeps on Giving
kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson."
God bless microsoft email viruses. I'm on a modem for a few weeks and downloading
countless megs of mail viruses is extremely frusterating. Course I'm still
getting sircams.
After getting infected with sircam (My mcafee wasn't updating or scanning properly for some reason) I decided to say screw it, and start scanning email on my server. Now, anything that comes in, gets scanned firts. If f-prot can't find anything, then it gets delivered, otherwise it never show up in my inbox. If you want a look at what I did, check out my scanner.
telnet mail.xyz.com 110
:)
;)
user (username)
pass (password)
list
top (number of message to check) (kb to read)
dele (message to delete)
retr (number of message to read entirely)
quit
Quicker, cheaper, easier. This was one of the best tips I got from a friendly sysadmin.
Of course, I would ask why CmdrTaco didn't check the RFC, but hey, who am I to question slashdot's leader?
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
"Course I'm still getting sircams"
I've been working for 2.5 years for a company that uses Exchange and Outlook. Most of my friends and colleagues use Outlook or Outlook Express at work and home, although I still use Netscape for personal stuff. I've received 2 email viri ever, and neither of them were the "common" ones like Melissa or SirCam. It leaves me wondering if people are making a big fuss out of nothing, and being a bit sensationalist or simply an anti-Microsoft bigot.
The patch that prevents this has been out for over a year now. It's downloadable here. Microsoft included the patch with IE6 and IE5 SP2, so if you have either, you don't need it.
Good dose of blame goes all around here.
I've finally had it: until slashdot gets article moderation, I am not coming back.
Klez passed through my work a ways back and ever since then we've all been getting all kinds of spam. From what we can figure, the virus replied to all kinds of spam with the From line set to everybody's email address, including mine. So even though I hardly ever give my email away except for work issues, i'm now inundated with spam. Makes me think that someday some spammer out there will write a virus solely to collect email addresses.
A week or so I start getting all these emails from different mailbox administrators, etc. informing me that emails I was trying to send had invalid addresses.
I'm looking at them and it shows my address in the from area and it was mostly spam for beastiality sites. My wife went ballistic.
I got tons of them back as undeliverable. How many made it through? And now people think I was sending them spam for a porn site.
They were coming back to my wife's WIN98 machine, so she called MS. The help desk chick tells her "Someone else has a virus and it is sending out emails w/your address" So my wife says "What do I do?" and they tell her to update her virus definitions. My wife said, "But you just told me that the virus is not on my computer, someone else has it. Is there nothing that I can do?" the girl says "Well download new virus definitions and check for service packs"
The whole thing was rather humorous.
.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Ever since we stopped allowing people to receive executable attachments (thanks to MIMEdefang!), the virii have all but disappeared. There is no need to scan for virii on a mail server. Just get rid of executable attachments (there's a big list of them in MIMEdefang's example configuration). All these trojans use stupid Outlook auto-execute tricks/bugs/features to propagate. Executables shouldn't be sent as a direct attachment anyway. Either wrap it up in a zip file (the recipient has no excuse when he infects himself) or put it up on the ftp site and send a URL. This has got to be one of the basic elements of securing a network where Outlook users lurk - no executable attachments (picture Joan Crawford on a rampage).
MIMEdefang also gives us the ability to call Mail::Spamassassin from a sendmail Milter, something Spamassassin itself does not yet support. The latest version also supports the File::Scan module for writing virus scanners in perl.
Edith Keeler Must Die
Pretty funny.
Keep in mind the hundreds of priests now being wrongfully prosecuted due to a stererotype that is spreading like wildfire. Bear in mind how it is ruining their lives.
I love how on slashdot, insults and slander made about religion are modded as funny, yet if I were to say, "Porn from black people? What was it, pictures of fried chicken?" I'd be modded as a troll. It's all ignorance; it's all slander; it's all hatred. Stop modding self-righteous science-worshipping trolls like the parent up.
Although, I'm sure that now I'll be modded as a troll. Whatever.
Dare to think for yourself.
We dance to all the wrong songs.
--Refused.
Unfortunately Microsoft can't take ALL the blame for the problems of Klez... The SMTP itself is inherently insecure to begin with and anyone can send mail that looks like it is from anyone else. Of course you can deduce that the mail is probably not from the source it says it is by tracing the SMTP headers back, but that's esoteric geek knowledge that not many people have relative to the total number of people who use email.
The person who wrote this spent some time thinking of the way to do the most damage. This virus nails you to the wall the instant it infects someone who just has your email address. That was some vicious thinking. The problems caused by this virus actually extend into social engineering. Pure genius.
Makes you wonder what else they'll come up with...
Maybe someday we'll have security, and patch this sort of thing...
Hell is being intelligent in a world full of idiots.
I also use Outlook, and I have had no viruses. I suspect the reason is that neither of us has any friends.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
That is what happens when you don't use protection
Yes. Remember. when you have unsafe email with
someone, you're having email with all the
other people that person's had unsafe email with...
or something like that.
Mod me down and I will become more powerful than you can possibly imagine...
Sig: What Happened To The Censorware Project (censorware.org)
IMAP would allow to get all the email, minus the atachments. You can pick which attachments you want. People, read the IMAP spec. It offers so much that ppl dont take advantage of.
Dude... just use Procmail's built-in capabilities. /etc/procmailrc that dumps all email with /var/virusdump/:/ virusdump/viruslog
:0 HBs )"
:0c
:0 fhw .EXE, .VBS, .PIF, etc).\n\n\
:0
:0
/dev/null
No need to put an interpreted script in between
your MTA and MDA. Out of the goodness of my heart,
here's some actual working stuff to put in your
executable attachments in
#/etc/procmailrc
VIRUSLOG=/var
:0 # Use procmail match feature
* ^To:\/.*
{
HTO = "$MATCH"
}
:0 # Use procmail match feature
* ^From:\/.*
{
HFR = "$MATCH"
}
NL="
"
:0
*.for virususer;.*
/var/virusdump/virususer
:0
*^Content-type:.*
{
*name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|bat|j
{
! virususer
| (/usr/bin/formail -r; \
echo -e "This is an auto-generated message on behalf of${HTO}:\n\
\n\
The email referenced above, which was sent from your address, \n\
had a virus-vulnerable attachement (such as
This mail server no longer accepts mail with virus-vulnerable \n\
attachments and the email has been quarantined.\n\
Please try resending your attachment in a safe format such as ZIP. \n\
Contact support@iocc.com if you have any questions")\
| mail -s "Possible virus deleted" "${HFR}"
| echo "VIRUS From:${HFR} To:${HTO}" >> $VIRUSLOG
}
}