Slashdot Mirror
Klez: a closer look
sheriff_p writes "Anyone recieving even a small amount of email is likely to have encountered Klez varients of some form in the last few months - Message Labs shows it as being the biggest email-transmitted virus of all time by some way. So just how boring is it? Virus Bulletin has an indepth look at what makes Klez tick." And today alone, Klez virus e-mails were 90% of my e-mail by bytecount. YAY Outlook!
As I have tried to explain to my more gullible user-friends, a little crankiness goes a long way
towards virus protection!
: )
Don't read this!
From what I have seen, I agree with this. Klez has arrived more times in my inbox than all other worms/trojans/etc combined. The other ones I see (saw) most often are MyParty and Hybris (Dwarf4u). What distributions are other people seeing?
Klez has been great for my company! We just classify every copy of Klez we receive as "corporate acquistion of capital" and assign it a monetary value. We've got 6.2 billion in Klez inventory baby!
But seriously...127K seems to be the magic number for Klez.
So couldn't a filter simply be set up to block all emails 127k in size?
tcd004
Can you imagine if Klez infected a Beowulf Cluster?
....made the messages easy to filter:
If Subject contains "klez" move to folder "garbages"!
Error: Success
Encryption doesn't solve anything if the method of opening the address book is the point of failure.
;-)
i.e. the virus doesn't raw-read the address file, it uses the Outlook API to look it up on it's behalf, just like any other program.
Hence, the fact the address book file is now encrypted does not stop the virus using it.
You dig?
I havn't recieved a e-mail virus in about a year.
Boo Hoo
Carrot007.
+----------------- | What is the question!
Perhaps I'm missing something, but how would encrypting the address book help?
It's not like the virus is accessing raw binary data from the address book; more than likely it's using some sort of API call to get the data.
* Q
P.S. If you don't get this note, let me know and I'll write you another.
I should really hope it's sarcasm. If I were the one saying it, it would be with a very sarcastic voice, anyway. Outlook itself should just be considered a virus.
My other sig is an import.
This is really from the looking-at-PURE-EVIL dept. Or maybe they got hit by a virus.
Trollem mirabilem hanc subnotationis exigiutas non caperet
We use outlook and exchange server where I work. Never, ever, seen a virus in the two and a half years I've worked here. Why ? because the admins know what they're doing and catch all the viruses before they ever get anywhere near us delicate users. I'm not an especial fan of MS (I'm a bastion of Java in a sea of MS where I work) but all the sniping at Outlook is just bs. People target outlook and other MS products because it's popular. I mean, why bother writing a virus that targets some system only a couple of geeks ever run ? The key factor is competent admins, properly configuring and defending the systems they're responsible for.
Bad analogies are like waxing a monkey with a rainbow.
And today alone, Klez virus e-mails were 90% of my e-mail by bytecount.
Are you really getting that many hits from Klez? Does anyone else have this problem? I have 4 email accounts that all see a fair amount of activity, and I've only gotten a couple of Klez hits in the last month... I think Hemos must be the target of the an underground Kluz spreading cult or something.
OK maybe this is totally off the wall but I don't really see the point of using an address book anyway. Most of the time you're replying to a mail, or writing to someone whose address you know (come on geeks, who can't remember a handful of e-mail addresses?). And no address book = no klez.
---- scrm
Set up an E-Mail address at your domain, called something like:
ignoreme@example.net
and publish it on your webpage, as an address for UCE only, and ask people not to send correspondence to it.
Then, filter all E-Mail received in your other mail boxes, against all of the mail received by ignoreme, and any that matches, delete.
Well, yes they could do that. I'm sure everyone will feel safe for a couple of months, until the encryption is broken, or a loophole is discovered. Then it will be back to square one.
It would appear that a more long term solution would be to remove scripting! I have yet to see a use of scripting used within an email that could not be done if Microsoft removed scripting from Outlook. The only thing anyone ever uses is the ability to add buttons to the top of the email. You do not need a turing complete scripting language that can open sockets and read the address book to do that.
Then again, baubles and shiny things make managers with budgets happy, I guess.
Syllable : It's an Operating System
...is when even viruses don't send you mail :-(
;-)
Steve
Enjoy Y2K? Roll-on Year 2037!
You mean "gabberrrr"
It would only help if the addresses were encrypted with a one-way hash ;)
Silly question:
Whenever Hemos or CmdrTaco posts about a Windows virus, they always end with "yadda yadda 90% of my e-mail yadda...". How is it that you can run the #1 geek news site and still have e-mail viruses infaltrating your inbox? Is it that much trouble to install MIMEDefang? If you'd like, I'll offer up my services as a consultant to install virus scanning software on your e-mail server, since you two obviously can't figure it out, but I hope that isn't neccesary.
There is no reasonable defense against an idiot with an agenda
:wq
I mean, that the whole going through your contacts/sent items list and mailing them is all very well, but I can write some perl that does that with your Pine folders easily enough.
I posted an article a while ago on this but it was rejected. It's a Wired article entitled "The Great MS Patch Nobody Uses". Granted it is Microsoft's fault this stupid stupid exploit happened in the first place, but it's also interesting to note that the fix for 80% of these problems have been available for over a year virtually unnoticed.
And finally, if you're running procmail then:
* Content-Disposition: attachment
* name=.*\.(com|exe|pif|scr|bat|lnk|shf|vbs)
{
# Stick it somewhere
}
does a pretty good job of filtering out that sort of junk.
Avantslash - View Slashdot cleanly on your mobile phone.
Well, you know the HTML specs, when a browser sees a tag it doesn't recognize, it *should* just ignore them. Obviously, your browser doesn't recognize the tag yet ;-)
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
I am an avid Outlook user, I love the ease of use, and all the features. I have received like 2 viruses in my whole time using my computer. Maybe I'm just unpopular, or I just use virus protection with hueristics scanning. Or maybe my Microsoft based Email Server actually does a pretty decent job of blocking all the crap from flowing down the pipe. I agree with another post in that kiddies write virii for Outlook cuz everyone uses it. Hense M$'s Market Share. If everyone used pine, it would be Pine Bashing time. Now Mod me down now because I flamed LInux like you always do.
"On a long enough timeline, the survival rate for everyone drops to zero."
I was just making a simpsons quote. I thought it was a little funny when it first popped into my brain and when i loaded slashdot up in my browser and saw that there were comments yet for this article, I felt compelled to post something.
This comment was generated by a Squadron of Ultra Ninjas
This article is very timely for me. I had never received an email virus until about a week ago. Now I get Klez virtually every day.
Fortunately I look the descision a long time ago not to use Outlook as my email client (I use Eudora). However, Klez is still a nightmare because it can randomly choose an address for the "From:" field from the computer it has infected, which means that if someone you know gets infected, you can get irate emails from people telling you not to send them viruses!
Nightmare.
...that require semi-regular contact with many people. Personally, I am the IT Manager and Corporate Buyer for the company that I work for.
Small company, so I wear a few hats. Anyway, I have a fairly decent sized Address book that contains virtually all of the vendors that I have to deal with, business contacts at both client sites as well as my geek contacts that let me bounce ideas off of them.
Sure, if you are a "house-geek" or a college geek, you probably only have a small number of people to E-mail. (Mostly your 3733t friends and such.) However, once you hit the "real" world you find that your boundless memory actually has a few boundries.
-.-
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
If Microsoft would just do good encrypting on the address book, and update it every once and a while for new encryption, stuff like this wouldn't happen because the virii wouldn't be able to get the addresses of every person using Outlook.
Unless every use of the address book required the user to enter a key then this would do nothing especially useful. Since a virus could easily decrypt the data, assuming it even needed to.
At the least, this would slow a virus down.
Only if the encryption was complex enough that decrypting the data too a long period of time...
I am honestly not kidding. Outlook Express is dense and complex, but still: if a few people who were very good at disassembly spent some time going over the various versions, do you think that they could create an Outlook "patch" that would
- Disable scripting in the Outlook html renderer, and remove the option to turn it back on
- Insert a feature that would pop up a dialog box (warning that executable attatchments are unsafe even if from a trusted source) whenever the user attempted to open an attatched executable
Then we just plop this patch in as the sole payload on a new e-mail worm, and let it spread. This would, of course, be a massive project, but just think of the satisfaction value.If Microsoft would just do good encrypting on the address book, and update it every once and a while for new encryption, stuff like this wouldn't happen because the virii wouldn't be able to get the addresses of every person using Outlook. At the least, this would slow a virus down.
Ummm... If anyone updated Outlook and IE within the last year or so this thing wouldn't spread at all. One of the primary vulnerabilities exploited was patched in March of last year, and Outlook itself filters out the worm if it's been updated to sp2 for Outlook2k or the default install for OutlookXP.
My wife and I both use Outlook for all of our email. Neither of us have ever been infected by the virus because we've kept up with updates to Outlook that block you from opening programs (and we know better).
She receives several copies a day of the Klez virus. I've never received it despite having about the same overall email traffic.
I think that the difference lies in who we know. I'm a Computer Engineer and she's a counselor. Thus, the average individual with my email address is a lot more computer savvy than those with her email address.
Psst.. hemos runs a large, popular website. He is "famous".
This means that unlike the rest of us, lots and lots of disparate people all over the world have emailed Hemos in the past.
This means that Hemos is in the Outlook history of lots and lots of people.
This means that Hemos is going to get hit by Klez way more often than most people.
i still find it funny that all the guys who run this site...
use windows on thier desktop.
tisk tisk.
The amount of virusses recieved by a certain user has a strong relation with the amount of friends or enemies that run outlook one has. A true nerd will never give his email adress to anybody who uses MS software, so he will hardly see any viruses, however, some people have a social life wich involves normal people as well (yes, really!), so they are very likely to receive this type of viruses.
Also note that the percentage is much higher when one recieves just one email (spam, most likely) per week because he has no friends at all.
It would appear that a more long term solution would be to remove scripting!
hmm... isn't that what MS did? Outlook2k SR-1 Update
Seems to me that every virus/worm that's managed to find it's way to my email clients on Windows have arrived as empty messages once Outlook2k/XP got done stripping the scripting from them.
1. set up mail filter to punt any attachments to .jpg, .gif, .txt, .zip
2. There is no step two.
"Draco dormiens nunquam titillandus."
Nearly. It doesn't go far enough, IMHO. Active Scripting is still there, but Microsoft have increased the security restrictions, and done some of the more obvious stuff (Like adding warning dialog boxes under certain circumstances, stripping obviously infected attachements etc.)
Scripting is still there, however. How much do you trust that there is not Yet Another Security Loophole in there somewhere?
The fact remains that if there is no scripting at all in Outlook, it will make it impossible for worms to spread themselves via. Outlook.
Syllable : It's an Operating System
How about YAY USER ERROR! I have NEVER gotten a virus in my life, and I have three email accounts all going through outlook. All it takes is a little bit of common sense to avoid them. Hell, I don't even have a virus scan installed.. I check once a month or so using an online scan.
On another note, just push your mail providers to install a virus scanner on ther mailer daemon side... my school recently did this and it seems to be working very well.
Oh no! That Klez article has been attacked by the Slashdot virus!
.
Will code a sig generator for food
May true peace and happiness find you Carrot007.
If I receive emails with the Klez virus attached, that means someone I know is probably infected, doesn't it?
In which case (since the From: field is not necessarily indicative of who it came from) how can I find out who it came from so that I can tell them that they're infected?
that the company that perpetually promises to make everyones computer more secure still ships Outlook Express, probably the most insecure software product ever released, I would have written sold there but I believe they give it away; how unamerican, but then again how could they possibly justify charging for it.
So can I just assume that Klez is just generating these on its own and it's actually the *other* guy who is infected? Because I run Norton AntiVirus with the latest filters...or am I actually infected with Klez and I am really generating all this email that is bouncing at the other end?!?
Inquiring minds want to know. Thanks.
- adam
How are your headaches these days? Still taking the medication? Good.
Look, McFly, I'm not sure if you'll be able to grasp this simple concept, but you see you do not actually have to be running Outlook in order the receieve an email virus like Klez. You see, there are lots of email client for different operating systems, from the better known to the more obscure.
In order to receieve an email virus, all you need is an idiot at the other end to be running Outlook, and who will then allow themselves to become infected.
I very much suspect that you are one of those idiots, judging from your moronic "It hurts to think" post.
DAMN! That's the best suggestion I've seen in a long time.
You could've hired me.
Poor guy, it's likely that it is somebody you know who is infected. (They have your email address), and they are sneding it to someone else they know (They have their email address). So, neither you, nor the person the mail was to are necessarily infected.
Recently I received something that could be a new variany of Klez. The difference is that it does not look at your own computer for contacts. It looks at web-pages. This is how it seems to work:
- Download a random web-page.
- Rip all the addresses.
- Choose a small phrase from the web-page
- Spoof an email from one address to another, using the key-phrase.
- Go to 1.
This seems to be a much better option than using the outlook addressbook, because it is more probable that emails will be read by the corresponding parties. Why? Because they are both mentioned on the same web-page, so they must have some common interest. The subject line can be something related to their interest too... it is not like getting a pr0n email from a priet in Nevada or something B]I miss my rubber keyboard.(Homepage)
Klez is not really such a smart virus, compared to some of the earlier Outlook scripts that would grab a real document off the luser's HD and send it. The thing that makes it a major PITA is the forgery.
The only way to track down a Klez sender is to follow the Received: headers back to the ISP, and ask them to search their RADIUS &/or DHCP logs to figure out which user was at that address at the time the message was sent. Most ISP's that I've contacted would rather not bother, so the infected PCs remain blissfully ignorant.
Alternately, the ISP could require authenticated SMTP, and attach the real user ID to every message in some way. Or install a virus filter on the outbound connection. But once again, they don't want to bother. It's the tragedy of the commons.
Do I really need to say why? heh.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
Erm, one does not have to look at the address book actually.. it could be much simpler to do what I mentioned here:? sid=355 80&cid=3841777
http://developers.slashdot.org/comments.pl
I miss my rubber keyboard.(Homepage)
Klez doesn't read your addressbook, it just snoops the network interface. Far more effective.
Do daemons dream of electric sleep()?
Although Klez does not infect Linux, it does generate large amounts of spam-like e-mail if you're a popular person who has his or her address in thousands of people's address books, e-mail spools, and browser caches.
So you can be totally overwhelmed with spamlike email, even if your email program and/or OS is entirely resistant to infection.
For a while I was getting about 100 copies of Klez a day, which was making reading my e-mail almost impossible with POP over a dialup. Since then I've installed a filter, switched to IMAP and am using DSL and it's a lot better now.
Comment removed based on user account deletion
Comment removed based on user account deletion
I know that Klez forges the "From:" line in the header. There is a "From" (no colon) line at the top of email messages. I believe that this line comes from another source not forged by Klez. Usually, this line appears to be correct. The "From" (no colon) email address tends to agree with the first mail server that relayed the message. Is my understanding correct?
Two or three times, I have tried to warn users that they are infected by sending messages to the "From" (no colon) address. It never has worked. Why not? Every time, I have ended up emailing the administrators of the domain or mail server. (BTW, most places do a terrible job of monitoring email to postmaster.) I always have included the headers so that the administrator could track down the infected user by date and IP address. Each time, the administrator then contacted the user and put a stop to the problem. How come the user never fixes it? Shouldn't my emails have gotten through? Did the users just ignore my warnings or was there something else at work?
infects any mail even eudora, eudora now is worse than outlook
infects throughnetwork sharing and maybe SAP aplications
if you want to get rid og it dont use USA software antivirus, they dont work.
There are some russian antivirus that do work
klez seems to be designed to spy on computers
Comment removed based on user account deletion
Comment removed based on user account deletion
Great, except Klez does not use scripting. Instead it attacks a bug or an overrun in the MIME parser in Outlook.
Anyone who thinks that Unix mailer software couldn't be vulnerable to bugs like this is sniffing glue.
Furthermore, scripting can be handled safely within a corporate environment -- see Lotus Notes.
I have a theory 1. I get about one or two a day to my home email address. I know nobody that uses outlook/outlook express. 2. I am subscribed to several Linux mailing lists (tag,RH, gnome etc) 3. I have had a few with spoofed addresses like webmaster@gnome.org and various other linux notables that post to these lists) So there must be quite a few work only subscribers that use outlook to peruse these lists. Bloody outlook - even gets you if you stick to linux sites
1. Connect to a mail list archive
2. etc.......
Mailing lists are better, because the sender is ofter waiting for a reply.
thank God the internet isn't a human right.
In my experience the Reply To: header identifies the true (infected) sender.
It really is what's called the "envelope sender". In the SMTP protocol, you have to specify who the message is from, and what addresses to deliver to. These don't necessarily have any relation to the From: and To: headers in the message itself.
I have noticed the same thing you have, I believe that the envelope sender is the correct person to contact.
Its the other guy. Mostly, the virus will not forge the return-path header, but some variants do that too. As mentioned elsewhere, the only solution is to contact the ISP concerned.
You will be clean.
Just another postmaster.
I can throw myself at the ground, and miss.
My sig says it all.
End of lesson. You may press the button.
Last month my work PC was infected with Klez. Although Norton apparently can detect the virus it doesn't seem to be able to destroy it. I went to the Nortin site and tried the Klez cleaner and insturctions, but it didn't do any good. Then I noticed that Klez runs under the Guest account. I changed the password on the Guest account tand the problem seemed to go away.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
... since I got an email from you back on April 25 due to Klez. For shame. (Oh, I suppose it could have been someone else that had you in their address book. Klez does that I'm told).
:-)
I would paste the Pine message header here for everyone's amusement, but the lameness filter keeps getting in my way...
I remember thinking to myself, "Why would Hemos from slashdot email me? I only submitted one story a long time ago..." then I realized that Klez was going around, and chuckled a bit. I never did look at the attachments.
Yep this is quite common. And a lot of the time the stupid virus scan reports don't include the headers. Absolutely useless...
Virus bulletin seems to be /.ed, anyone got a mirror?
The virus I've had the hardest time getting rid of:
[ ] Nimda
[ ] Klez
[ ] ILoveYou
[ ] Sircam
[ ] Hybris
[ ] Whatever CowboyNeal has
Give me my freedom, and I'll take care of my own security, thank you.
* ! ^Received:
* 9HyTO130D42FAAAAU1bo5RoAAGoAi9joFC4AAIvwi0UIg.YBV
klez
The lameness filter is putting a space in the string of characters above so be sure to remove it when you put this in your procmailrc file. Also remove the space before the :0 B in the first line.
Prevent email address forgery. Publish SPF records for y
Well, the anti-virus companies won't tell you how to block Klez (except by buying their products) but I funnel all my mail through a custom filter and this is the algorithm I use to get rid of Klez-like messages, once and for all:
If message contains multipart/alternative entity, /etc/mime.types,
and entity has a part with a filename,
and the filename's extension doesn't match the entry in
then drop the message.
You could also, I think, send a "you're an idiot" bounce message to the envelope MAIL FROM: address (not the header From:, it's wrong). That one usually looks correct. Not sure though, probably best to just drop them.
There are other clues in the message, such as IFRAME code, etc., but this seems foolproof, and I can't imagine any normal email program generating multipart/alternative sub-parts with a filename.
Eudora, for instance, by default these days uses the Internet Explorer HTML rendering (even though it includes its own) including ActiveX and MIME vulnerabilities.
my dedicated slashdot spam account gets roughly 2-5 emails with klez per week. I dont know if some virus writing moron has a address harvester or what, but thats the only way i ever get email viruses. I should clarify, my mail server catches the bugs, squashes em, then mails me the paticular details so my actual email client never gets infected.
Lawyers, MBA's, RIAA? A jedi fears not these things!
I was in charge of running an email mailing list for a university organization this past year. We had an outbreak of Klez among university students and my email address got hammered. I was getting about 10 a day. I guess that's expected since a large percentage of the students are using Outlook (probably unpatched because they don't know any different) connected to our high-speed university network. Your average college student also seems to be click-happy with attachments - "Oh cool, Joey sent me a cool new game to play!" I think this happens especially to freshmen that are used to their parent's slow dial-up accounts. All of a sudden they start downloading and opening everything they get just because they can do it "so fast now." Traffic has slowed down during summer school sessions, but I'm still getting a few a day sometimes.
:(
The sys admins did get some anti-virus software installed on the mail server. Now I get "VIRUS IN MAIL FOR YOU" messages all the time from the postmaster with a body message saying to contact the sender. We know the listed sender probably isn't the culprit. I'd rather the system just drop the message. I'm getting more of those than I am sex/get rich quick spam messages. I just set up a filter, but since I'm considered the "computer expert" around, everyone keeps calling and email me asking why they're getting the messages. If you're a sys admin on a mail server, please consider this when your setting up scans and filters.
Yaha has started to take over as king of the hill though... Some versions of it are getting through the university virus scan...
David
Hey, I resent that.
I don't have any friends, but I get tons of spam.
Create a fucking Mail server rule to block all attachments that are executable. Since we have created this rule on our mail server, we have not seen a single virus since the rule was put online over 1 year ago.
Eudora.
In the height of the Klez infections (about 2 1/2 months ago), I got 76 emails infected with Klez in one morning.
The trick with Klez is that it spoofs the "from" header, and chooses an address at random from the infected computer's address book and its web cache.
I got tons of infected emails from people who had only surfed into a page containing one of my email addresses. Since I have 25 or design clients, this can add up to quite a few "webmaster@" email addresses. While my busiest site gets about 700 unique visitors daily, overall, my email accounts are exposed to ca. 4500 uniques daily.
That's a lot of novice users who think that getting an email that has the subject:
"A Excite Game"
and a body message that runs something like:
This is a excite game I made. It is my first try at a game. I hope you like it!
is a legit email. I have personally gotten this one over and over again, with the adjective randomized (a FUNNY game, a NEW game, etc.).
I can't believe that people open it, but they do. And they get infected, and then I get mails from them, spoofed to appear to be coming someone in their address book, or their browser cache.
Which makes it a drag, because you can't easily track down the offending individual.
The reason I think this virus is so prevalent (aside from the fact that most users are so gullible) is simply because you can't email the infected party and say "hey, you are infected with Klez", but with other viruses, such as SirCam and what not, you could, therefore stopping the virus infection, eventually.
::.. check out some Cell Phone Reviews
I get enough KLEZ virus infected emails every 24 hours to shut my email account down at my ISP if I don't clean out my mailbox every 24 hours. About 20% of them say they are from me, which is not possible as I do not use OutLook, nor do I even have it isntalled on my system.
Boobies never hurt anyone. - Sherry Glaser.
mailto:Carrot007@thewort.co.uk
It's like this:
mailto:Carrot007@thewibblereport.co.uk
That will even help him get spam, too. I'm so nice.
Use his real address. He'll see his spam right away that way!
mailto:kyle@institute.co.uk
You can even give him a call at:
+07989-401-307
you would think that Hemos would be smart enough to not put his email address on the goatse.cx site.
hrm.
Clever.
- adam
We use Lotus at my company. But I still get about a dozen emails a day from Klez. But I never got any virus originating from a Linux machine...
At the repair shop I work at, about one third of the systems I got were klez victims, all the same variant.
.exe files by failing to detect a preinfected fileand trashing the backup exe.
Oddly enough, the article doesn't mention this variant, which breaks
It scares me that there must be thousands of infected computers with less damaging varients right in my home town. =/
-Zaphod
I agree with this post! Most sites out there that are new and improved are over sized flash pages with almost no content. As a long time slashdot.org reader I took the same approach to a raver site (don't laugh) for south florida. :-)
pEace
--The RF Team
Pardon the shameless promotion
As a web developer though, even an amature you have to aim for what the consumer has. By my stats 89% are IE4.0+. What else can you do.. Not everyone is as l33t as slashdot..
There are two main reasons Klez has Florished: 1) good old Outlook 2) Idiot Operaterators ...Nuff said
I know this is off topic but your .sig is really bugging me. how do I decode it? I've tried all rotations from 1-25 none worked.
Ahh it's buggn' me I don't know how to decode it!!!
Xorw rw guz tg apketmped dfkkade !
AHHHHH. LOL.
> SELECT * FROM brain_cells WHERE synaptic_rate > 0
0 row returned
I have 6 addresses, one of which is listed on a website as support address. That's the only one where I receive those blasted worms on, but to such an extent that spam and normal mail pale in comparison.
In byte count, Klez reaches way more than 90% for me, all addresses added.
Yes, really. My mailbox is constantly full of the damn things (well, that, and SPAM from Korea). I have a number of readers of my small fanfiction page, and I think they all use Windows/Outlook Express, so there you go. They are not computer geeks; they know how to use a computer to read and send e-mail, to browse the web, and to write stuff/design websites in some cases, but, like most Windows users, their computers are tools to get a job done, not a way of life.
I, on the other hand, am a programmer who uses Linux at home; I didn't get infected by those damn Klez viruses, nor do I even download them--I limit fetchmail on the size of attachment and inspect the oversized mails thru my ISP's web interface every few days. Almost everytime, they are Klez viruses, though I'm also seeing some Goldfish thingy, starting recently.
I'm really, really sick of this crap filling up my mailbox. It's viral spam: an unspeakable hybrid of two of the worst internet evils.
---dragoness