Slashdot Mirror


Klez: a closer look

sheriff_p writes "Anyone receiving even a small amount of email is likely to have encountered Klez variants of some form in the last few months - Message Labs shows it as being the biggest email-transmitted virus of all time by some way. So just how boring is it? Virus Bulletin has an in-depth look at what makes Klez tick." And today alone, Klez virus e-mails were 90% of my e-mail by bytecount. YAY Outlook!

12 of 196 comments

  1. Follow the Yellow Klez road. by tcd004 · · Score: 5, Interesting

    Klez has been great for my company! We just classify every copy of Klez we receive as "corporate acquisition of capital" and assign it a monetary value. We've got 6.2 billion in Klez inventory baby!

    But seriously...127K seems to be the magic number for Klez.
    So couldn't a filter simply be set up to block all emails 127k in size?

    tcd004

    1. Re:Follow the Yellow Klez road. by jandrese · · Score: 4, Interesting

      Maybe we should start doing that for all mail trojans? I know I'd be thrilled to discover that mail of various random sizes might disappear at my mail filter because it just happens to be the same size as a worm. Seems to me it'd be better just to block the worm directly...oops, many companies already do this.

      --

      I read the internet for the articles.
    2. Re:Follow the Yellow Klez road. by jd142 · · Score: 4, Interesting

      Um, that sort of security is just stupid and provides a false sense of security. If you were being sarcastic, I missed it. What happens when klez mutates into a slightly different size?

      True story: I was helping a user send out emails to a group of students. Her subject was "Important message about your scholarship." She kept getting messages back that the mail was infected with the Melissa virus. Well, she wasn't sending any attachments, so I thought we had a variant that piggybacked on outgoing mail messages. I searched her machine. I moved her to a different machine and searched it. Same thing. I re-imaged a machine. Same thing.

      I also couldn't figure out where it was being caught. The message wasn't coming from our server because the infected message wasn't the same.

      I traced it back to the main university's mail servers. So I called them up and told them that their anti-virus software was catching a virus that we couldn't find and could they tell us what they were using. They said they weren't using anti-virus scanning software.

      Turns out some bright bulb had written a perl script that flagged every outgoing message with a subject that contained "Important message" as being infected with the Melissa virus.

      A half a day wasted trying to track down a non-existent virus. And as soon as the Melissa virus changed its subject line, the script would let it through. What a joke.

  2. No Problems Here by WellHungYungWun · · Score: 2, Interesting

    I am an avid Outlook user, I love the ease of use, and all the features. I have received like 2 viruses in my whole time using my computer. Maybe I'm just unpopular, or I just use virus protection with heuristics scanning. Or maybe my Microsoft based Email Server actually does a pretty decent job of blocking all the crap from flowing down the pipe. I agree with another post in that kiddies write virii for Outlook cuz everyone uses it. Hence M$'s Market Share. If everyone used pine, it would be Pine Bashing time. Now mod me down because I flamed Linux like you always do.

    --
    "On a long enough timeline, the survival rate for everyone drops to zero."
  3. A question by pubjames · · Score: 3, Interesting

    If I receive emails with the Klez virus attached, that means someone I know is probably infected, doesn't it?

    In which case (since the From: field is not necessarily indicative of who it came from) how can I find out who it came from so that I can tell them that they're infected?

  4. possibly stupid question about Klez's appearance by AdamBa · · Score: 3, Interesting
    Since the detail link up there is /.ed...I keep getting these emails like "your email was rejected by our virus filter" and then there is an email attached, which looks like it came from me, that has Klez in it. Most of these are from people I have never contacted via email that are not in my address book.

    So can I just assume that Klez is just generating these on its own and it's actually the *other* guy who is infected? Because I run Norton AntiVirus with the latest filters...or am I actually infected with Klez and I am really generating all this email that is bouncing at the other end?!?

    Inquiring minds want to know. Thanks.

    - adam

  5. Klez Variant? by olethrosdc · · Score: 2, Interesting

    Recently I received something that could be a new variant of Klez. The difference is that it does not look at your own computer for contacts. It looks at web-pages. This is how it seems to work:

    1. Download a random web-page.
    2. Rip all the addresses.
    3. Choose a small phrase from the web-page
    4. Spoof an email from one address to another, using the key-phrase.
    5. Go to 1.
    This seems to be a much better option than using the outlook addressbook, because it is more probable that emails will be read by the corresponding parties. Why? Because they are both mentioned on the same web-page, so they must have some common interest. The subject line can be something related to their interest too... it is not like getting a pr0n email from a priest in Nevada or something B]
    --

    I miss my rubber keyboard.

  6. Forged sender by yet+another+coward · · Score: 2, Interesting

    I know that Klez forges the "From:" line in the header. There is a "From" (no colon) line at the top of email messages. I believe that this line comes from another source not forged by Klez. Usually, this line appears to be correct. The "From" (no colon) email address tends to agree with the first mail server that relayed the message. Is my understanding correct?

    Two or three times, I have tried to warn users that they are infected by sending messages to the "From" (no colon) address. It never has worked. Why not? Every time, I have ended up emailing the administrators of the domain or mail server. (BTW, most places do a terrible job of monitoring email to postmaster.) I always have included the headers so that the administrator could track down the infected user by date and IP address. Each time, the administrator then contacted the user and put a stop to the problem. How come the user never fixes it? Shouldn't my emails have gotten through? Did the users just ignore my warnings or was there something else at work?
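One way to do the tracing this comment describes (envelope "From " line plus the Received: chain read from the bottom up), as an added example that is not part of the original post; the message, host names and addresses are constructed sample data:

```python
import email
import re

# Constructed sample: a Klez-style message whose From: header is forged.
# The envelope "From " line and the Received: headers are written by the
# relays, not by the worm, so they are what point at the infected machine.
RAW_MESSAGE = """From infected@realhost.example.org Mon Jun 10 12:00:00 2002
Received: from mx.university.example.edu (mx.university.example.edu [192.0.2.10])
\tby mail.mycompany.example.net with ESMTP id abc123
\tfor <me@mycompany.example.net>; Mon, 10 Jun 2002 12:00:05 -0000
Received: from desktop-17 (dhcp-17.realhost.example.org [198.51.100.17])
\tby mx.university.example.edu with SMTP id xyz789;
\tMon, 10 Jun 2002 12:00:01 -0000
From: someone.else@victim.example.com
To: me@mycompany.example.net
Subject: a nice game

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_origin(raw):
    """Return the forged header sender alongside the relay-supplied origin data.

    Each relay prepends its own Received: header, so the last one in the list
    is the earliest hop. Only hops added by servers you trust are reliable;
    the very first hop can itself be forged by the sending machine.
    """
    msg = email.message_from_string(raw)
    unixfrom = msg.get_unixfrom()  # the "From " (no colon) envelope line
    envelope_from = unixfrom.split()[1] if unixfrom else None
    # Unfold continuation lines so the regex sees one line per hop.
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    origin_hop = hops[-1] if hops else None
    match = IP_IN_BRACKETS.search(origin_hop) if origin_hop else None
    return {
        "header_from": msg["From"],
        "envelope_from": envelope_from,
        "origin_ip": match.group(1) if match else None,
        "origin_hop": origin_hop,
        "date_for_postmaster": origin_hop.rsplit(";", 1)[-1].strip() if origin_hop else None,
    }


if __name__ == "__main__":
    for key, value in trace_origin(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The origin IP and timestamp are the two values the comment says an administrator needs to find the infected user; the header From: is only shown so the mismatch is visible.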

  7. Re:Good way to filter UCE by JimDabell · · Score: 2, Interesting

    example.net is guaranteed not to exist - that's why he used that domain in his example. And yes, I know you were joking, but a lot of people don't know this.

  8. Klez Quick Fix? by N8F8 · · Score: 3, Interesting

    Last month my work PC was infected with Klez. Although Norton apparently can detect the virus it doesn't seem to be able to destroy it. I went to the Norton site and tried the Klez cleaner and instructions, but it didn't do any good. Then I noticed that Klez runs under the Guest account. I changed the password on the Guest account and the problem seemed to go away.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  9. Procmail rule to catch Klez by FattMattP · · Score: 3, Interesting
    I use this procmail rule to catch Klez viruses:

    :0 B
    * ! ^Received:
    * 9HyTO130D42FAAAAU1bo5RoAAGoAi9joFC4AAIvwi0UIg.YBVm hmB0EAjbgsAQAA6MMaAABQ
    klez

    The lameness filter is putting a space in the string of characters above so be sure to remove it when you put this in your procmailrc file. Also remove the space before the :0 B in the first line.

    --
    Prevent email address forgery. Publish SPF records for y
  10. my slashdot spam account gets wailed on with Klez by Indy1 · · Score: 3, Interesting

    my dedicated slashdot spam account gets roughly 2-5 emails with klez per week. I don't know if some virus writing moron has an address harvester or what, but that's the only way i ever get email viruses. I should clarify, my mail server catches the bugs, squashes em, then mails me the particular details so my actual email client never gets infected.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!