posted
Until now, ever since I got my new computer 6 months ago I have been free from any virus concerns except once. Once when I had some DSL connectivity issues the DSL tech told me to bypass my router. Since that worked I left it like that & immediately got several virus alerts from Norton. This resulted in me learning about the firewall aspect of my router, so since then all's been good. Until now.
Monday I got about 5 different emails with the Klez (w32?? or something) virus attached. Tuesday & Wed. each brought me about 5 more, & 1 so far today.
Every single one says it is from postmaster@bizmail.net & the subject is implying that undeliverable mail is being returned. I remember how this virus can create these fictitious "senders" & subjects, but 16 from the same sender (fictitious or not) makes me feel like I am being targeted maliciously & not randomly.
I am also surprised that Norton, while doing a good job detecting these, failed to repair any of them. All were quarantined but none repaired. My definitions are up to date according to logging onto their site.
Anyway, just curious if others are seeing these from this sender.
Also wondering if this is related to my other topic I just posted about Illustrator going on the fritz this week after behaving perfectly on this computer for over 4 years. If I quarantined all my infected attachments (none of which I opened) & I had Norton spend an hour today scanning the entire computer & reporting a clean bill of health, I'd like to believe all is well, but any comments there?
[ November 28, 2002, 08:28 PM: Message edited by: Doug Allan ]
I just recently went through a similar experience with the Klez virus. Norton quarantines them and did not repair. I just deleted them.
I got the same subject matter of "undeliverable mail". I also got some return addresses of letterhead people. I also got the feeling that I was being "targeted" somewhat due to the proliferation of mail containing the "Klez" virus.
Norton does a good job catching the crap that goes around. I, for one, am glad I got it.
Have a great one!
-------------------- Bruce Bowers
DrCAS Custom Lettering and Design Saint Cloud, Minnesota
"Things work out best for the people who make the best of the way things work out." - Art Linkletter Posts: 6465 | From: Saint Cloud, Minnesota | Registered: Jun 1999
I also have had a few new Klez viruses lately. I learned to skip the quarantine and delete the file. After having that Barasil virus I have been very happy to have Norton's Internet Security running at all times online. Now that program will open a few eyes, let me tell ya.
What you described in your last post led me to think virus-like activity.
I am sitting here tonight repairing a computer for a friend that was most likely attacked by a virus and provided an unmountable boot volume on his Windows XP computer.
Now that was fun to fix.......
-------------------- Bob Rochon Creative Signworks Millbury, MA 508-865-7330
"Life is Like an Echo, what you put out, comes back to you." Posts: 5149 | From: Millbury, Mass. U.S. | Registered: Nov 1998
posted
If Norton catches them, there's nutin to repair..
-------------------- Leaper of Tall buildings.. If you find my posts divisive or otherwise snarky please ignore them. If you do not know how then PM me about it and I will demonstrate. Posts: 5278 | From: Im a nowhere man | Registered: Jul 2001
posted
That damn Klez is what crunched my last system... I kept getting bounce-back mail, and I tried 3 or 4 different programs and a few that said they had fixes for the Klez virus, but none worked. The only one that could even find it in the bounce-back email was Norton 2003 Pro. Some of the computer geeks around here said they could remove it bit by bit, but it takes a lot of time and time+$$$$$, and all the other geeks said to have good clean back-ups of your work files and then reformat, then reload Norton and update it, and then reload your work files and programs. For me, they said to replace the hard drive due to a slug of bad sectors on it.
-------------------- Aaron Haynes Aaron's Signs & Windows Napa Ca aa4signs@sbcglobal.net ------------ Important Rule For Life: "Look out for number one... Don't step in number two" ------------ If your never the lead dog on the sled...the scenery never changes. Posts: 241 | From: Napa Ca. USA | Registered: Dec 1998
posted
I've been getting two or three per day through my website email, which is web based. Same thing, only it comes from postmaster.hostwizards.com, which is my hosting company. Just as yours, comes as undeliverable mail. It's a nasty one for sure.
-------------------- Maker of fine signs and other creative stuff. Located at 109 N. Cumberland ave. Harlan, Ky. 40831 606-837-0242 Posts: 4172 | From: Ages-Brookside, Ky. Up the Holler... | Registered: Jul 1999
posted
We have received over 40 of the Klez this past month and are running McAfee, which caught it as it came in every time and deleted it, then checked our registries too. The first time it came in, of course, we did not get the update that included it until after it came in, and it sent out over 500 bogus e-mails on my account, and both AOL and our business server closed us down until we changed our password. I don't use an address book, but any e-mail I had up was used as a source.
-------------------- Kent Smith Smith Sign Studio P.O.Box 2385, Estes Park, CO 80517-2385 kent@smithsignstudio.com Posts: 1025 | From: Estes Park, CO | Registered: Nov 1998
posted
Thanks for the tips. I am still getting about 1 or 2 a day, but I have thrown away all my incoming email from any contacts, & keep no address or contacts on the computer. Although Norton has caught them all & frequent scans turn up no infection, I still don't want anyone's email addys on my drive.
posted
A destructive worm is spreading via e-mail - and its payload has the potential to cause the deletion of files in all folders. W32.HLLW.Winevar is a mass-mailing worm that disables some antivirus and firewall programs and drops and executes the W32.FunLove.4099 virus. Symantec Security Response encourages you to block email attachments that have .pif or .ceo extensions.
W32.HLLW.Winevar arrives in an email that contains three attachments. The names are variable but they will have the format:
Win<several characters>.Txt (12.6 KB) Music_1.htm
Win<several characters>.Gif (120 Bytes) Music_2.ceo
Win<several characters>.pif
The .htm file exploits the Microsoft VM ActiveX Component vulnerability to register the .ceo extension as an executable file. The email message is formed to take advantage of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability, but due to a bug in the code, the attachment will not run automatically. Please note that the .htm will be detected as JS.Exception.Exploit.
Also Known As: W32/Korvar [McAfee], WORM_WINEVAR.A [Trend], I-Worm.Winevar [KAV]
Type: Worm
Infection Length: 89KB
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, Unix, Linux
+++++++++++++++
Antivirus vendors are warning e-mail users to watch out for a fast-spreading and potentially destructive worm, known as WORM_WINEVAR.
According to Trend Micro several cases have already been reported in France and Spain. MessageLabs first spotted the worm on 22 November and has seen around 300 copies in the last 24 hours.
It runs on all Windows platforms and propagates itself using its own Simple Mail Transfer Protocol (SMTP) engine, and sends e-mails to addresses it gathers from HTML files on the infected system.
According to Sophos, infected e-mails are likely to have the following characteristics:
From: (defaults to "AntiVirus")
Subject: (defaults to "Trand Microsoft Inc.")
Message text: " - "
Attached files:
- WINXXXX.TXT (12.6 KB) MUSIC_1.HTM
- WINXXXX.GIF (120 BYTES) MUSIC_2.CEO
- WINXXXX.PIF
The worm sends e-mail using a known exploit that causes the attachment to automatically execute when the message is viewed or previewed on Internet Explorer-based email clients, such as Microsoft Outlook and Outlook Express.
It is capable of terminating certain monitoring programs and antivirus products from memory.
If an infected machine is restarted, WINEVAR displays the message: "Make a fool of oneself: What a foolish thing you've done!"
If the 'OK' button is pressed the worm deletes all deletable files in all folders.
Raimund Genes, president of European operations, Trend Micro, said in a statement: "This illustrates that computer users should not be lulled into a false sense of security by the relative lack of virus activity over the last few months. This time the virus writers have hit back with a particularly destructive worm, against which users can protect themselves -- by deploying an up-to-date anti-virus software and by being vigilant."
Antivirus firms such as Symantec, Kaspersky and Sophos have posted further information and protection. See your antivirus vendor's Web site for more information.
-------------------- Drane Signs Sunshine Coast Nambour, Qld. dranesigns@bigpond.com Downunder "To err is human, but to really foul things up requires a computer" Posts: 965 | From: Nambour, Qld. Australia | Registered: Nov 1998
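The advisory quoted in the post above recommends blocking .pif and .ceo attachments and describes attachment names that show a harmless-looking extension ahead of the real one. As an added example (not part of the thread and not any vendor's code), this Python filter applies both checks to a mail message; the function names, the example.invalid addresses, the placeholder attachment bytes and the extra invoice.pdf attachment are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the advisory asks mail administrators to block.
BLOCKED = {".pif", ".ceo"}
# A dot, a letter, up to four more alphanumerics, then whitespace or end of name.
# Requiring a letter first keeps "12.6 KB" from being read as an extension.
EXT_RE = re.compile(r"\.[A-Za-z][A-Za-z0-9]{0,4}(?=\s|$)")


def scan_attachments(raw):
    """Return {filename: [reasons]} for attachments that should be held."""
    msg = message_from_bytes(raw, policy=policy.default)
    held = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        exts = [e.lower() for e in EXT_RE.findall(name)]
        reasons = []
        # The last extension is the one Windows acts on.
        if exts and exts[-1] in BLOCKED:
            reasons.append("blocked extension " + exts[-1])
        # An earlier, different extension is there to mislead the reader.
        if len(set(exts)) > 1:
            reasons.append("decoy extension " + exts[0] + " before " + exts[-1])
        if reasons:
            held[name] = reasons
    return held


def build_sample():
    """Constructed message shaped like the advisory's description (harmless bytes)."""
    msg = EmailMessage()
    msg["From"] = "AntiVirus <sender@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Trand Microsoft Inc."
    msg.set_content(" - ")
    for fname in ("WINab.TXT (12.6 KB) MUSIC_1.HTM",
                  "WINab.GIF (120 bytes) MUSIC_2.CEO",
                  "WINab.PIF",
                  "invoice.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_attachments(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```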
posted
Just a note: If you are getting bounced mail notices, and your system checks out clean, very likely someone else was infected. The KLEZ virus uses their contact list (with you in it) to send out emails from their system, pretending to be you, so when they bounce, they are returned to you. Do not open any attachments in them!
It's a real pain in the %%%
-------------------- Bob Sheers 24 Hour Services Columbia, MD USA 410-995-3655 bob@go-to-airport.com Posts: 140 | From: Columbia, MD, USA | Registered: Sep 1999
posted
.pif files are program information files... several DOS-based and older Win95 programs use them; they are not necessarily bad. When you see them as an email attachment tho, they can usually be considered not good at all, even if you think you know who sent them. They are an executable file, thus if you open them as an attachment they can do great damage.
-------------------- fly low...timi/NC is, Tim Barrow Barrow Art Signs Winston-Salem,NC Posts: 2224 | From: Winston-Salem,NC,USA | Registered: Nov 1998
posted
I also got 2 of these messages. Someone took my wife's website e-mail and tried that gimmick. Luckily she called me to ask if she should click on the website link...It was after that that I did my virus scan (on a 40GB drive that takes a while!!) and found 5 copies. As per my message on another board, make sure to run the scan on your system restore files if you have XP, 'cause that's where 3 were hiding...luckily they hadn't done anything yet (I think).
-------------------- Steve Burke Cascades Inc NS Canada
If at first you don't succeed, skydiving isn't for you Posts: 359 | From: NS Canada | Registered: Jan 2002
posted
iF i HAVE A PARTITIONED DRIVE & i NEVER LAUNCH THE xp PARTITION, BUT IN THE 98 PARTITION i'VE BEEN GETTING THE INFECTED ATTACHMENTS (oops sorry for yelling ) Although I've caught, quarantined & deleted the infected files, I like to run a scan on my drive for re-assurance, which I have, but from W98 if I "scan all drives" with Norton, might I be missing anything? Should I be launching XP & scanning from there? Also is the "system restore files" some place that I have to specify & otherwise not included in my "scan all drives" request?
To be honest, I didn't see where the file was - it's not in my Windows directory, I know that much...I'll look. I just told Mr. McAfee to scan the whole C drive, and only looked at it once in a while...
-------------------- Steve Burke Cascades Inc NS Canada
If at first you don't succeed, skydiving isn't for you Posts: 359 | From: NS Canada | Registered: Jan 2002