Email virus going around?!?

The machines we love to hate

Moderator: Wiz Feinberg

Jim Smith
Posts: 7949
Joined: 4 Aug 1998 11:00 pm
Location: Midlothian, TX, USA

Email virus going around?!?

Post by Jim Smith »

For the last few days, I've been getting empty emails from various Forum members with subjects such as "Specialty Web Network", "Hi,sos!", "A powful tool", etc. I've also received emails from members saying that I have sent similar empty emails.

Complete virus scans on my computer and at least one other member's computer show no viruses, and my Sent folder doesn't show that I have sent any of these emails.

Is anyone else having this problem or has anyone heard of this virus and what we can do to stop it?
Mark Ardito
Posts: 899
Joined: 9 Aug 1999 12:01 am
Location: Chicago, IL, USA

Post by Mark Ardito »

Jim,

This is the W32.klez.h@MM virus. I just spent 2 days at a company removing this virus from 30 machines. It is a real bear if the payload is executed. The most common side effect of this virus is it renames your .exe program files. For example at this company I went to, it renamed the .exe files for Norton Anti-Virus to a random named file, and also renamed their QuickBooks.exe file to a random name.

If the virus is on your machine, more than likely you will not be able to open your virus scan, but that is not always the case.

First and foremost...Download the latest virus definition file for your virus scanner. If you don't know how to do this please email me off the forum and I can walk you through it.

Then do a scan and it should pick up the virus. If you can't open your virus scan application, please view the following link for instructions on how to manually remove this virus.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

*WARNING* The manual removal of this virus is a little tricky and I would only recommend it if you are comfortable with the Operating System and have edited the Registry before.

If anyone is having problems with this virus you can contact me via email and I will set something up to help you out, be it a phone call or an email.

Thanks,
Mark


Jim Smith
Posts: 7949
Joined: 4 Aug 1998 11:00 pm
Location: Midlothian, TX, USA

Post by Jim Smith »

Thanks Mark. Luckily my virus definitions are up to date and the full system scan I performed this morning shows nothing. I don't have any of the registry values or renamed files that your link describes either.

Hopefully this will be a wakeup call to all Forum members to update their virus definitions and run a full system scan. At a minimum, they should run the detection tool provided at your link.
Jim Smith
Posts: 7949
Joined: 4 Aug 1998 11:00 pm
Location: Midlothian, TX, USA

Post by Jim Smith »

Update: I just received an email from a Forum member with the subject "A humour game" containing the virus itself as an attachment. Norton caught it and I have sent an email referring him to this thread.
Joe Delaronde
Posts: 1037
Joined: 4 Aug 1998 11:00 pm
Location: Selkirk, Manitoba, Canada

Post by Joe Delaronde »

Mark
My virus detector, Norton, got it, but could only quarantine it. Can I safely delete it from the quarantine file?
Thanks
Joe
Jim Smith
Posts: 7949
Joined: 4 Aug 1998 11:00 pm
Location: Midlothian, TX, USA

Post by Jim Smith »

I say yes, delete them. Now that I've posted about this virus, it seems that I'm getting more of them, I'd guess 5 or 6 today alone!

[This message was edited by Jim Smith on 23 April 2002 at 02:11 PM.]
Gene Jones
Posts: 6870
Joined: 27 Nov 2000 1:01 am
Location: Oklahoma City, OK USA, (deceased)

Post by Gene Jones »

*

[This message was edited by Gene Jones on 01 May 2002 at 04:28 PM.]
Jim Smith
Posts: 7949
Joined: 4 Aug 1998 11:00 pm
Location: Midlothian, TX, USA

Post by Jim Smith »

Once deleted, it's no longer on your computer so it can't do any harm. The only reason I can see to quarantine the virus would be so you could send it to Norton for analysis. Since their software detected it in the first place, I see no need for that.
Mark Ardito
Posts: 899
Joined: 9 Aug 1999 12:01 am
Location: Chicago, IL, USA

Post by Mark Ardito »

Joe,

Yes, go ahead and delete the ones that are in your quarantine.

I recommend running all of your applications to see if all the .exe files run OK.

If any of you guys are having issues with any application, send me an email and I can walk you through it.

Mark
Mark Ardito
Posts: 899
Joined: 9 Aug 1999 12:01 am
Location: Chicago, IL, USA

Post by Mark Ardito »

I also recommend if you are using Outlook or Outlook Express as your email client to turn off the preview option and also turn off, 'Launch attachments in the preview window'.

If you don't know how to do this, let me know.

Mark
Bobby Boggs
Posts: 6463
Joined: 2 Dec 1999 1:01 am
Location: Upstate SC.

Post by Bobby Boggs »

I've received about ten in the last 2 hours.

[This message was edited by Bobby Boggs on 24 April 2002 at 05:24 PM.]
Bobby Boggs
Posts: 6463
Joined: 2 Dec 1999 1:01 am
Location: Upstate SC.

Post by Bobby Boggs »

Another thing. These e-mails take forever to download yet are always empty. Whazup with that?
Joe Delaronde
Posts: 1037
Joined: 4 Aug 1998 11:00 pm
Location: Selkirk, Manitoba, Canada

Post by Joe Delaronde »

Mark
Your email doesn't work.
Joe
erik
Posts: 2018
Joined: 7 Mar 2000 1:01 am

Post by erik »

My Outlook Express doesn't allow me to deselect the preview pane. Anyone know why this is? I really thought at one time I could. I have reinstalled my O.S. many times. Is it possible this option did not load during the last install?
Mark Ardito
Posts: 899
Joined: 9 Aug 1999 12:01 am
Location: Chicago, IL, USA

Post by Mark Ardito »

Hey guys,

Sorry, when @home went under I got a new email address and forgot to change my profile on the forum.

Send all emails to markardito@attbi.com

Thanks!
Mark
Mark Ardito
Posts: 899
Joined: 9 Aug 1999 12:01 am
Location: Chicago, IL, USA

Post by Mark Ardito »

Erik,

In Outlook Express, go to the 'View' menu and then scroll down to 'Layout'.

Then select 'Layout' and take the check mark out of "Show Preview Pane".

Click 'Apply' and then 'OK'.

Done!

Mark
erik
Posts: 2018
Joined: 7 Mar 2000 1:01 am

Post by erik »

Mark, what I'm saying is, when I go to layout the area for the preview pane is shaded, not active. I can neither check nor uncheck.
Wayne Brown
Posts: 2259
Joined: 3 Apr 2002 1:01 am
Location: Bassano, Alberta, Canada

Post by Wayne Brown »

TOO LATE, I got hit and hard....anybody from the forum, I now have a different email for me as I went down hard ...still repairing...if anybody got a virus from me ...I'm sorry ....joe...keep the addy you got, that is my private one. Now I'm updated and fixed but still installing


thanks
wayne brown
c/o out west pac-seats

[This message was edited by Wayne Brown on 25 April 2002 at 04:01 PM.]
Wayne Brown
Posts: 2259
Joined: 3 Apr 2002 1:01 am
Location: Bassano, Alberta, Canada

Post by Wayne Brown »

all fixed
Jim Smith
Posts: 7949
Joined: 4 Aug 1998 11:00 pm
Location: Midlothian, TX, USA

Post by Jim Smith »

I got this in my work email today:

Klez worm rating upgraded as spread continues

The W32.Klez worm and its variants are still loose in the wild more than a week after the latest variant was discovered, moving antivirus software vendor Symantec Corp. to upgrade it to a "level 4 virus threat" on its danger scale of five.
http://computerworld.com/nlt/1%2C3590%2CNAV47_STO70574_NLTAM%2C00.html

[This message was edited by Jim Smith on 26 April 2002 at 09:55 AM.]
Janice Brooks
Posts: 3115
Joined: 7 Mar 1999 1:01 am
Location: Pleasant Gap Pa

Post by Janice Brooks »

Message received through Joey Ace with subject Languages

Return-Path: <joeyace@verizon.net>
Received: from rly-xd05.mx.aol.com (rly-xd05.mail.aol.com [172.20.105.170]) by air-xd03.mail.aol.com (v84.16) with ESMTP id MAILINXD34-0426124108; Fri, 26 Apr 2002 12:41:08 -0400
Received: from out016.verizon.net (out016pub.verizon.net [206.46.170.92]) by rly-xd05.mx.aol.com (v84.10) with ESMTP id MAILRELAYINXD57-0426124037; Fri, 26 Apr 2002 12:40:37 -0400
Received: from Vsosofue ([24.55.174.97]) by out016.verizon.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20020426164023.IYXZ8115.out016.verizon.net@Vsosofue>
for <busgal58jb@aol.com>; Fri, 26 Apr 2002 11:40:23 -0500
From: joeyace <joeyace@sympatico.ca>
To: busgal58jb@aol.com
Subject: Language
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Zi0B1iyX9O1u
Message-Id: <20020426164023.IYXZ8115.out016.verizon.net@Vsosofue>
Date: Fri, 26 Apr 2002 11:40:32 -0500


------------------
Janice "Busgal" Brooks
ICQ 44729047
Joey Ace
Posts: 9791
Joined: 11 Feb 2001 1:01 am
Location: Hamilton, Ontario, Canada

Post by Joey Ace »

My computer did not send you that message, Janice. I suspect my email address was "spoofed".
That means someone else had my name and email address in their Addr Book. They got infected and it sent emails out with my name.

There's a free removal tool for this virus at Symantec http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

I keep protected with Norton AV and DO NOT open attachments.

Just to be sure, I downloaded and ran the tool in the above link. After about 30 min of examining my system it reported I had no infected files. Per their instructions, I ran it again. Still OK.

I suggest you do the same.

I regularly get attachments from suspicious addresses.

The best advice is
Do Not Open Any Attachments.

Hope you're OK.


-j0ey-

[This message was edited by Joey Ace on 26 April 2002 at 05:47 PM.]
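
Added example, not part of any post in this thread: a short Python check over the headers Janice posted, comparing the address in the From line with the hop where the message actually entered the mail system. The function names `addr_domain` and `trace_origin` and the regular expression are assumptions made for this illustration.

```python
import email
import re
from email.utils import parseaddr

# Subset of the headers posted above; folded continuation lines re-indented.
RAW = """\
Return-Path: <joeyace@verizon.net>
Received: from rly-xd05.mx.aol.com (rly-xd05.mail.aol.com [172.20.105.170]) by air-xd03.mail.aol.com (v84.16) with ESMTP id MAILINXD34-0426124108; Fri, 26 Apr 2002 12:41:08 -0400
Received: from out016.verizon.net (out016pub.verizon.net [206.46.170.92]) by rly-xd05.mx.aol.com (v84.10) with ESMTP id MAILRELAYINXD57-0426124037; Fri, 26 Apr 2002 12:40:37 -0400
Received: from Vsosofue ([24.55.174.97]) by out016.verizon.net
 (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
 id <20020426164023.IYXZ8115.out016.verizon.net@Vsosofue>
 for <busgal58jb@aol.com>; Fri, 26 Apr 2002 11:40:23 -0500
From: joeyace <joeyace@sympatico.ca>
To: busgal58jb@aol.com
Subject: Language

"""

# "from <name> ([ip]) by <relay>" or "from <name> (<rdns> [ip]) by <relay>"
HOP = re.compile(r"from (\S+) \((?:\S+ )?\[([\d.]+)\]\) by (\S+)")

def addr_domain(header_value):
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def trace_origin(raw):
    """Compare the claimed sender with the earliest recorded relay hop."""
    msg = email.message_from_string(raw)
    # Each relay prepends its Received line, so the last one is the first hop.
    first_hop = " ".join(msg.get_all("Received")[-1].split())
    helo, ip, relay = HOP.match(first_hop).groups()
    from_dom = addr_domain(msg["From"])
    bounce_dom = addr_domain(msg["Return-Path"])
    notes = []
    if from_dom != bounce_dom:
        notes.append(f"From domain {from_dom} differs from Return-Path domain {bounce_dom}")
    if not relay.lower().endswith(from_dom):
        notes.append(f"submitted through {relay}, not a {from_dom} server")
    if "." not in helo:
        notes.append(f"submitting host called itself {helo!r}, a bare name with no domain")
    return {"from_domain": from_dom, "return_path_domain": bounce_dom,
            "origin_helo": helo, "origin_ip": ip, "first_relay": relay,
            "notes": notes}

if __name__ == "__main__":
    for key, value in trace_origin(RAW).items():
        print(key, "->", value)
```

The From line is set by whatever program sent the message, while each Received line is written by the relay that accepted it, so the earliest Received line from a relay you trust is the better record of which machine sent the mail. The mismatches listed in `notes` are indicators to follow up on, not proof by themselves.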
Colin Goss
Posts: 338
Joined: 4 Aug 1998 11:00 pm
Location: St.Brelade, Island of Jersey, Channel Islands, UK

Post by Colin Goss »

I recommend that you consider using Zonealarm, a free firewall program that automatically renames all attachments before giving you the option of whether to run them or not. This prevents the nasties getting through.

Then use AVG virus checker from Grisoft - also free.

Finally use Mailwasher (mailwasher.net) also free to get rid of spam.
Joey Ace
Posts: 9791
Joined: 11 Feb 2001 1:01 am
Location: Hamilton, Ontario, Canada

Post by Joey Ace »

What's the advantage of renaming attachments, Colin?

Isn't a bug by any other name still a bug?
Kenny Forbess
Posts: 802
Joined: 28 Dec 1999 1:01 am
Location: peckerwood point, w. tn.

Post by Kenny Forbess »

I received an e-mail this morning from an unidentified source, "a very Humorous Game", with an attachment.
I ran Norton, and no virus was found.

I did not recognize the addressee.
I deleted the e-mail immediately.
Could this have been one of the ones everyone is getting?
kf

