Slashdot Mirror


Klez: a closer look

sheriff_p writes "Anyone receiving even a small amount of email is likely to have encountered Klez variants of some form in the last few months - Message Labs shows it as being the biggest email-transmitted virus of all time by some way. So just how boring is it? Virus Bulletin has an in-depth look at what makes Klez tick." And today alone, Klez virus e-mails were 90% of my e-mail by bytecount. YAY Outlook!

8 of 196 comments

  1. Follow the Yellow Klez road. by tcd004 · · Score: 5, Interesting

    Klez has been great for my company! We just classify every copy of Klez we receive as "corporate acquisition of capital" and assign it a monetary value. We've got 6.2 billion in Klez inventory baby!

    But seriously...127K seems to be the magic number for Klez.
    So couldn't a filter simply be set up to block all emails 127k in size?

    tcd004

    1. Re:Follow the Yellow Klez road. by jandrese · · Score: 4, Interesting

      Maybe we should start doing that for all mail trojans? I know I'd be thrilled to discover that mail of various random sizes might disappear at my mail filter because it just happens to be the same size as a worm. Seems to me it'd be better just to block the worm directly...oops, many companies already do this.

      --

      I read the internet for the articles.
    2. Re:Follow the Yellow Klez road. by jd142 · · Score: 4, Interesting

      Um, that sort of security is just stupid and provides a false sense of security. If you were being sarcastic, I missed it. What happens when klez mutates into a slightly different size?

      True story: I was helping a user send out emails to a group of students. Her subject was "Important message about your scholarship." She kept getting messages back that the mail was infected with the Melissa virus. Well, she wasn't sending any attachments, so I thought we had a variant that piggybacked on outgoing mail messages. I searched her machine. I moved her to a different machine and searched it. Same thing. I re-imaged a machine. Same thing.

      I also couldn't figure out where it was being caught. The message wasn't coming from our server because the infected message wasn't the same.

      I traced it back to the main university's mail servers. So I called them up and told them that their anti-virus software was catching a virus that we couldn't find and could they tell us what they were using. They said they weren't using anti-virus scanning software.

      Turns out some bright bulb had written a perl script that flagged every outgoing message with a subject that contained "Important message" as being infected with the Melissa virus.

      Half a day wasted trying to track down a non-existent virus. And as soon as the Melissa virus changed its subject line, the script would let it through. What a joke.

  2. A question by pubjames · · Score: 3, Interesting

    If I receive emails with the Klez virus attached, that means someone I know is probably infected, doesn't it?

    In which case (since the From: field is not necessarily indicative of who it came from) how can I find out who it came from so that I can tell them that they're infected?

  3. possibly stupid question about Klez's appearance by AdamBa · · Score: 3, Interesting
    Since the detail link up there is /.ed...I keep getting these emails like "your email was rejected by our virus filter" and then there is an email attached, which looks like it came from me, that has Klez in it. Most of these are from people I have never contacted via email that are not in my address book.

    So can I just assume that Klez is just generating these on its own and it's actually the *other* guy who is infected? Because I run Norton AntiVirus with the latest filters...or am I actually infected with Klez and I am really generating all this email that is bouncing at the other end?!?

    Inquiring minds want to know. Thanks.

    - adam
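The two questions above come down to the same header. The From: line is forged, so a bounce lands on whoever was forged rather than on the infected machine, and the only thing the sender cannot rewrite is the Received: line added by the first server that accepted the message from it. What follows is an added example, not code from the thread or from any poster: it walks the Received: chain of a constructed sample message from the bottom up (oldest hop first) and pulls out the originating IP and the relay that recorded it. The hostnames, IP addresses and addresses in the sample are constructed (documentation ranges), and the header layout assumed is the common "from HELO (rdns [ip]) by relay" form.

```python
import email
import re

# Constructed sample message (hostnames/IPs are documentation addresses, not
# real hosts). Each relay prepends its own Received: line, so the LAST one in
# the header block is the earliest hop: the server that accepted the message
# directly from the infected machine. Everything above it was added later.
SAMPLE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id ABC123
\tfor <victim@example.org>; Tue, 21 May 2002 10:02:11 -0400
Received: from smtp.isp.example (smtp.isp.example [198.51.100.5])
\tby mx.example.net with ESMTP id XYZ789; Tue, 21 May 2002 10:01:58 -0400
Received: from Oemcomputer (dsl-203-0-113-77.isp.example [203.0.113.77])
\tby smtp.isp.example with SMTP id Q1W2E3; Tue, 21 May 2002 10:01:40 -0400
From: forged.friend@example.com
To: victim@example.org
Subject: a special new website
Content-Type: text/plain

see the attachment
"""

# "from HELO (reverse-dns [ip]) by relay ...": the bracketed IP is the address
# the relay saw on the TCP connection; HELO is whatever the client claimed.
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

def received_chain(raw):
    """Parse every Received: header and return the hops oldest-first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())           # unfold continuation lines
        m, by = FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "helo": m.group("helo") if m else None,
            "rdns": m.group("rdns") if m else None,
            "ip": m.group("ip") if m else None,
            "by": by.group(1) if by else None,
        })
    hops.reverse()                             # header order is newest-first
    return hops

def originating_hop(raw):
    """First hop: the connecting IP and the relay that recorded it.
    This is the machine to report, not whatever From: says."""
    hops = received_chain(raw)
    return hops[0] if hops else None

def claimed_sender(raw):
    """The From: header, which the thread notes is not to be trusted."""
    return email.message_from_bytes(raw)["From"]

if __name__ == "__main__":
    hop = originating_hop(SAMPLE)
    print("From: claims", claimed_sender(SAMPLE))
    print("but the message entered the mail system from", hop["ip"],
          "(HELO", hop["helo"] + ") via", hop["by"])
```

Two caveats. Any Received: line below the first one written by a relay you trust could itself have been typed by the sender, so start at your own server's line and work downward only through relays you recognise; the "by" host of the first hop (here the ISP relay) is whose abuse contact can reach the owner of that IP. And for the bounce case, run this on the original message attached to the bounce (the message/rfc822 part), not on the bounce's own headers, which only trace the bouncing server back to you.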

  4. Klez Quick Fix? by N8F8 · · Score: 3, Interesting

    Last month my work PC was infected with Klez. Although Norton apparently can detect the virus it doesn't seem to be able to destroy it. I went to the Norton site and tried the Klez cleaner and instructions, but it didn't do any good. Then I noticed that Klez runs under the Guest account. I changed the password on the Guest account and the problem seemed to go away.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  5. Procmail rule to catch Klez by FattMattP · · Score: 3, Interesting
    I use this procmail rule to catch Klez viruses:

    :0 B
    * ! ^Received:
    * 9HyTO130D42FAAAAU1bo5RoAAGoAi9joFC4AAIvwi0UIg.YBVmhmB0EAjbgsAQAA6MMaAABQ
    klez

    The lameness filter is putting a space in the string of characters above so be sure to remove it when you put this in your procmailrc file. Also remove the space before the :0 B in the first line.

    --
    Prevent email address forgery. Publish SPF records for y
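The filters discussed in this thread all key on something incidental to the worm: the 127K message size (which also matches innocent mail of that size), a Subject: string (the Melissa anecdote), or, in the procmail rule above, a fixed run of base64 text that changes as soon as the attachment's bytes shift by a single position. A check that survives all of those looks at what the attachment decodes to. The following is an added example, not code from the thread or from any poster: it builds constructed worm-style messages with a hand-made PE header as the attachment and flags every MIME part whose decoded bytes are a Windows executable, whatever Content-Type or filename was declared and whatever the message size or subject. The forged.friend address, the file names and the minimal PE bytes are constructed for the example.

```python
import base64
import email
import struct

def fake_pe(padding=0):
    """Hand-built bytes that satisfy the MZ/PE header checks below.
    Not a runnable program: just the two signatures and the e_lfanew
    pointer joining them, which is all a header check looks at."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)    # e_lfanew: PE header at 0x80
    image = bytes(hdr) + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x00" * 20
    return image + b"\x00" * padding           # padding varies the size

def build_message(subject, attachment, filename, content_type):
    """Constructed worm-style message: forged From:, a text part, and the
    attachment base64-encoded under whatever Content-Type the sender declares."""
    b64 = base64.encodebytes(attachment).decode("ascii")
    return (
        "From: forged.friend@example.com\n"
        "To: victim@example.org\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n'
        "\n"
        "--BOUND\n"
        "Content-Type: text/plain\n"
        "\n"
        "hello\n"
        "--BOUND\n"
        f'Content-Type: {content_type}; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        f"{b64}"
        "--BOUND--\n"
    ).encode("ascii")

def is_pe_image(data):
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def executable_attachments(raw):
    """Every leaf MIME part whose *decoded* bytes are a PE image, regardless
    of declared Content-Type, filename extension, message size or Subject."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if is_pe_image(data):
            hits.append({
                "filename": part.get_filename(),
                "declared_type": part.get_content_type(),
                "decoded_size": len(data),
            })
    return hits

# Constructed sample: the attachment claims to be a WAV but decodes to a PE.
SAMPLE = build_message("a very funny website", fake_pe(), "funny.wav", "audio/x-wav")

if __name__ == "__main__":
    for hit in executable_attachments(SAMPLE):
        print(f"{hit['filename']} declared as {hit['declared_type']} "
              f"but decodes to a {hit['decoded_size']}-byte PE image")
```

Because the decision is made on the decoded bytes, the same function fires on a variant with a different subject, a padded (so differently sized) attachment and an honest application/octet-stream label, and stays quiet on a real RIFF/WAVE payload; a size, subject or base64-substring rule gets at most one of those three cases right.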
  6. my slashdot spam account gets wailed on with Klez by Indy1 · · Score: 3, Interesting

    my dedicated slashdot spam account gets roughly 2-5 emails with klez per week. I don't know if some virus writing moron has an address harvester or what, but that's the only way I ever get email viruses. I should clarify, my mail server catches the bugs, squashes 'em, then mails me the particular details so my actual email client never gets infected.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!