Klez: a closer look

← Back to Stories (view on slashdot.org)

Posted by Hemos on Monday July 8, 2002 @01:57AM from the looking-at-PURE-EVIL dept.

sheriff_p writes "Anyone recieving even a small amount of email is likely to have encountered Klez varients of some form in the last few months - Message Labs shows it as being the biggest email-transmitted virus of all time by some way. So just how boring is it? Virus Bulletin has an indepth look at what makes Klez tick." And today alone, Klez virus e-mails were 90% of my e-mail by bytecount. YAY Outlook!

3 of 196 comments (clear)

Min score:

Reason:

Sort:

Follow the Yellow Klez road. by tcd004 · 2002-07-08 02:04 · Score: 5, Interesting

Klez has been great for my company! We just classify every copy of Klez we receive as "corporate acquistion of capital" and assign it a monetary value. We've got 6.2 billion in Klez inventory baby!

But seriously...127K seems to be the magic number for Klez.
So couldn't a filter simply be set up to block all emails 127k in size?

tcd004
1. Re:Follow the Yellow Klez road. by jandrese · 2002-07-08 02:11 · Score: 4, Interesting
  
  Maybe we should start doing that for all mail trojans? I know I'd be thrilled to discover that man of various random sizes might disappear at my mail filter because it just happens to be the same size as a worm. Seems to me it'd be better just to block the worm directly...oops, many companies already do this.
  
  --
  
  I read the internet for the articles.
2. Re:Follow the Yellow Klez road. by jd142 · 2002-07-08 04:37 · Score: 4, Interesting
  
  Um, that sort of security is just stupid and provides a false sense of security. If you were being sarcastic, I missed it. What happens when klez mutates into a slightly different size?
  
  True story: I was helping a user send out emails to a group of students. Her subject was "Important message about your scholarship." She kept getting messages back that the mail was infected with the Melissa virus. Well, she wasn't sending any attachments, so I thought we had a variant that piggybacked on outgoing mail messages. I searched her machine. I moved her to a different machine and searched it. Same thing. I re-imaged a machine. Same thing.
  
  I also couldn't figure out where it was being caught. The message wasn't coming from our server because the infected message wasn't the same.
  
  I traced it back to the main university's mail servers. So I called them up and told them that their anti-virus software was catching a virus that we couldn't find and could they tell us what they were using. They said they weren't using anti-virus scanning software.
  
  Turns out some bright bulb had written a perl script that flagged every outgoing message with a subject that contained "Important message" as being infected with the Melissa virus.
  
  A half a day wasted trying to track down a non-existant virus. And as soon as the Melissa virus changed its subject line, the script would let it through. What a joke.