W32.KlezH@mm Virus

Looking for a good forum to post about this...

peterinwa

5:16 pm on May 19, 2002 (gmt 0)

My Norton AntiVirus software tells me that I am protected against this virus and that I do not have it on my PC. Further, I do not have any of the symptoms. I am experiencing no problems at all except for one.

I get about 10 e-mails a day that are infected with this virus. They are all addressed to the e-mail address found on my website and so are automatically forwarded to my home PC. I have two friends that have the same problem with infected e-mails coming from their websites.

Do you know a good forum to post about this?

Is it possible that EVERY domain is receiving so many infected e-mails? (That would be millions of us!) Or in fact could my PC somehow be causing this?

My domain e-mail address is NOT listed in my Outlook Express address list.

Thanks for any direction you can give,

Peter

PsychoTekk

5:28 pm on May 19, 2002 (gmt 0)

Some say the worm gets email addresses from the Outlook address book, others say from the ICQ list, and yet others say that the worm just scans for any string that contains an '@'...

Look up your email's signature (the full header) [http://www.psychotekk.de/extern/W32.ElKern.4926.htm]: the Return-Path is the address the email actually comes from, while 'From' contains a fake address.

peterinwa

5:56 pm on May 19, 2002 (gmt 0)

Sounds great, but I looked around and couldn't figure out how to view the full header.

Thanks, Peter

jdMorgan

8:57 pm on May 19, 2002 (gmt 0)

The symantec web site has a full write-up on this virus.

It gets e-mail addresses from address books and any local files on the infected machine.

It does fake the return address, and often uses the address of an uninfected machine as the return address. When people reply to this address to complain about receiving the virus, often this uninfected machine's owner goes batty trying to find the problem, because his/her machine is not infected!

For reference, I've received about four e-mails infected with W32.Klez.H@mm over the last couple of weeks.

Jim

msr986

9:17 pm on May 19, 2002 (gmt 0)

peterinwa,

I don't think you have anything to worry about.

I'm receiving a minimum of 4 to 6 copies of this virus per day.

All of them are addressed to email addresses harvested from my websites.

-Marty

peterinwa

9:30 pm on May 19, 2002 (gmt 0)

Thanks, that's really what I was wanting to know.

I had read the Symantec website which is why I didn't think I had the virus... none of the symptoms. But the website didn't say anything about e-mails being sent to website e-mail addresses... or I missed it.

Thanks, Peter

rcjordan

9:54 pm on May 19, 2002 (gmt 0)

Good read on how Klez.H fakes the sender's email address:

> The Klez.h variant, which appeared in mid-April, infects PCs whose users open the attachment to an infected e-mail. Confusing matters, the e-mail will have a random "from" address, selected from various sources on the original victim's hard drive. And it pairs this bogus sender's address with one of more than 120 different subject lines.

Sneaky Klez worm won't go away [zdnet.com.com]

ann

10:48 pm on May 19, 2002 (gmt 0)

Hi,

You can protect yourself some, but no one can 100% of the time, from these email harvesters by going to [vgernet.net...] and getting some education on the subject.

I did have an email address for an anti spam encrypting machine that I used awhile back...seems to go somewhere else now.

My solution is to change your email address and put a php feedback form on your site where even view source does not show it.

My biggest problems come from forums....these are also harvested. For them I use a temp@ address so I can change it when it becomes too popular. :)

Ann

MarkHutch

11:00 pm on May 19, 2002 (gmt 0)

I get 20 to 30 of these each day and Norton has been taking care of the problem for me too. Yesterday, I got a copy of this virus and it said it was sent by me to me. While this is funny, it's not funny when people open an attachment that says it's from me, but it's really not... I went through my address book yesterday and told everyone I know about this nasty feature of changing the "from" box when this virus is spreading, and asked everyone I know NOT to open any attachment from me unless I send them a regular email first, telling them that an attachment is on the way.

caine

1:33 am on May 20, 2002 (gmt 0)

It just seems to be doing the address books of NN and IE.

Don't worry, my various public email addresses were being hammered by the Klez virus, but it has started to calm down, to a couple a day. I think webmasters are wising up to it.

carlwright

3:12 pm on May 20, 2002 (gmt 0)

I got my first this morning - from a very irate user, who claimed he received this virus from an address (which is an automail address and never used by a human being!) - I directed him to the information you have provided here! Norton does seem to intercept them okay but they are a hell of a pain!

MarkHutch

9:53 pm on May 20, 2002 (gmt 0)

Here's a new twist on this one. I just received the message below with a copy of the virus as an attachment. I'm sure there are folks out there that will fall for this one.

>>>>

Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.

<<<<

rcjordan

10:04 pm on May 20, 2002 (gmt 0)

To stop these at the server, load spamwasher and then use the filters for 1) attachments, 2) big files, and 3) iframes. Give these rules high priority.

Some filter rules are listed here:

[webmasterworld.com...]
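The three rules rcjordan lists (attachments, big files, iframes) written out as server-side logic. This is an added example in Python, not code from the thread and not MailWasher's filter syntax; the extension list, the size threshold and both sample messages are constructed. A fourth rule is added on top of the three: an executable file name declared under an audio or image content type, which is the MIME trick Klez-era worms used to make unpatched Outlook Express run the attachment from the hidden iframe without a click.

```python
"""Server-side filter rules for Klez-style mail: flag risky attachments,
oversized messages, an <iframe> in an HTML part, and an executable name
hiding under an audio/image content type.

Added example, not from the thread or from MailWasher. Thresholds,
extension list and sample messages below are constructed."""
import email
import re
from email import policy

# Extensions the mass mailers of the period used for payloads (assumed list).
RISKY_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com", ".vbs", ".js")
# Assumed cut-off for rcjordan's "big files" rule.
MAX_MESSAGE_BYTES = 150_000
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def score_message(raw: bytes) -> dict:
    """Return which filter rules a raw RFC 822 message trips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "attachment": [],      # risky file names seen in any MIME part
        "mime_mismatch": [],   # executable name declared as audio/* or image/*
        "big_file": len(raw) > MAX_MESSAGE_BYTES,
        "iframe": False,
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # get_filename() falls back to the Content-Type "name" parameter,
        # which is where Klez-style mail put the executable's name.
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            hits["attachment"].append(fname)
            # Worms declared the payload as audio/* or image/* so that unpatched
            # Outlook Express would run it from the <iframe> automatically.
            if ctype.split("/")[0] in ("audio", "image"):
                hits["mime_mismatch"].append(f"{fname} as {ctype}")
        if ctype == "text/html" and IFRAME_RE.search(part.get_content()):
            hits["iframe"] = True
    return hits


def should_quarantine(hits: dict) -> bool:
    """One tripped rule is enough to hold the message at the server."""
    return bool(hits["attachment"]) or hits["big_file"] or hits["iframe"]


# Constructed sample shaped like the worm mail discussed in the thread:
# a hidden iframe pointing at an "audio" part whose name ends in .exe.
SAMPLE_WORM = b"""From: someone-else@example.com
To: webmaster@example.org
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<iframe src="cid:tool.exe" height="0" width="0"></iframe>
</body></html>
--b1
Content-Type: audio/x-wav; name="tool.exe"
Content-Transfer-Encoding: base64
Content-ID: <tool.exe>

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed plain-text message that trips nothing.
SAMPLE_CLEAN = b"""From: client@example.net
To: webmaster@example.org
Subject: invoice question
Content-Type: text/plain; charset="us-ascii"

Hi, could you resend last month's invoice?
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        hits = score_message(raw)
        print(label, "quarantine" if should_quarantine(hits) else "deliver", hits)
```

The "big file" rule is the weakest of the set, since a legitimate attachment trips it just as easily; the attachment-name and MIME-mismatch rules are what actually separate worm mail from a client's PDF, so give them the higher priority rcjordan suggests.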

bill

6:33 am on May 23, 2002 (gmt 0)

ahem...he meant MailWasher...

4crests

7:04 am on May 23, 2002 (gmt 0)

I'm getting these on my AOL account also. Pain in the A$$

MarkHutch

11:22 pm on May 23, 2002 (gmt 0)

About a week ago I started using the email filter provided by my Norton Anti-Virus software. It's always been there, but I never took the time to figure out how it worked. It was pretty easy to set up and it works great with my IE 6.0 Outlook Express. There is a small delay when I send and receive mail, this is because all incoming mail is being scanned for viruses, but the delay is very small and it has stopped all viruses so far from getting into my Outlook Express mail.

If others of you have Norton and have not used this feature, I'd recommend you give it a try and see if it doesn't work for you. I don't use McAfee, but I'm sure they have the same type of feature within their program, too.

peterinwa

2:00 am on May 24, 2002 (gmt 0)

Under E-Mail Protection I have the box checked by Microsoft Outlook Express and I have selected "Delete the attachment."

I get all the e-mails, but the virus has been deleted. Is this what you mean? Or is there a way to set it up so that you never even know you received the infected e-mail?

Thanks, Peter

Laisha

2:25 am on May 24, 2002 (gmt 0)

*doing the I-am-so-glad-I-have-MailWasher dance*

dstanovic

2:39 am on May 24, 2002 (gmt 0)

Laisha,

Don't get too excited. Yesterday I "previewed" a message from aol.com through MailWasher. NAV popped up and stated that it was infected with the Klez virus. MailWasher froze, I froze, and NAV said it deleted/repaired the file. My system started asking for setup disks every time I went to run a program. NAV probably went overboard :(
But MailWasher sure will not protect you ;)

I just formatted and re-installed W2K.

MarkHutch

3:14 am on May 24, 2002 (gmt 0)

The protection I'm talking about is within Norton Anti-Virus, not Outlook Express. The Norton program works in conjunction with Outlook Express. The email comes into the anti-virus software first and once it's clean it's then delivered to Outlook Express. I hope this answers your question, peterinwa

peterinwa

3:25 am on May 24, 2002 (gmt 0)

That's right Mark. And it works great. I just thought you might have meant that I'd never even see the cleaned-up e-mails. Thanks.

bill

5:10 am on May 24, 2002 (gmt 0)

> Mailwasher sure will not protect you

dstanovic, are you sure it was the MailWasher preview that did that? I've previewed lots of messages that I know are infected on MailWasher and Norton AV never blinked...and I've got my virus definitions updated every day and the heuristics set to the highest level, along with a nightly full system scan.

sounds fishy...

dstanovic

9:19 am on May 24, 2002 (gmt 0)

MailWasher was the only thing open. As soon as I chose preview message, NAV popped up. So yes, I would definitely say that the MailWasher preview triggered NAV and the virus. I was going to write the author. NAV does not scan the email before it gets to MailWasher. I do not believe MailWasher triggered the virus itself. I think the damage to my registry/files was done by NAV going overboard on its clean-up duties. I will not preview suspect messages in the future :)

My 2-cents

bill

2:36 am on May 27, 2002 (gmt 0)

If you do follow up on this, please report back here. It does sound like Norton was being a bit over-aggressive in any case...I guess that the tmp file generated by MailWasher's preview triggered some warning bells...anybody else see this?

rogerd

3:28 am on May 27, 2002 (gmt 0)

I've previewed quite a few of the infected e-mails with Mailwasher, and Norton (corporate edition) has never raised a fuss.

rcjordan

3:32 am on May 27, 2002 (gmt 0)

> As soon as I chose preview message NAV popped up.

Yes. I've had that happen (XP). Previewing allowed the files to download.

bill

4:03 am on May 27, 2002 (gmt 0)

I thought the MailWasher preview was more like a glorified text reader...the newer beta does have some more 'features' to show URLs as links...but it shouldn't be letting stuff in iframes do anything, nor would I assume that anything more than text would be shown. Looking at the text of a virus infected message shouldn't do anything, should it? I'm pretty sure that MailWasher's preview isn't letting anything execute...

How paranoid do we have to be about this?

bobriggs

5:26 am on May 27, 2002 (gmt 0)

bill, of course you're right. It's just like looking at the thing in notepad. Nothing can happen - no Iframes or javascript in mailwasher.

Hitting preview on the message causes NAV to kick in its port 110 checker or something, I guess. NAV is the culprit here, not MailWasher.

I guess I should say I don't have NAV or McAfee on my system because mailwasher does the job for me without the overhead of the scare tactic programs I just mentioned that bloat your system and in general, will NOT always work.

Crazy_Fool

8:31 pm on May 30, 2002 (gmt 0)

I'm glad this thread is here. I use Eudora for my email and NAV, so hopefully I'm safe.

I'm receiving some 15-20 infected emails per day, not including the bounce messages from servers with virus protection or for non-existent mailboxes. But the worst aspect of it is that whoever is infected is probably a client of mine, as the emails being sent use my business email addresses.

When bounced emails come back, they often come with the full header information of the original mail. This shows the ISP used when the email was sent. By comparing this with the headers in emails sent by my clients, I've narrowed it down to any of about 100 clients. Hopefully, if I email them all with the Norton stuff, whoever has the virus should be able to clear it up and everything will be ok again.
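The two header checks described in this thread, worked through in code: the comparison PsychoTekk suggests (From: against Return-Path:) and the one Crazy_Fool uses on bounced copies (reading the Received: chain to find the relay the mail really entered through, then matching that against headers from genuine client mail). This is an added example, not code from the thread. Every address, host name and IP is constructed, and the client relay table is an assumed lookup you would build yourself from mail your clients have actually sent you. One caveat the posts do not spell out: agreement between From: and Return-Path: proves little, because a worm with its own SMTP engine sets the envelope sender as freely as the From: line; the Received: lines written by relays you trust are the harder evidence, and any Received: lines the sending machine itself inserted are as forgeable as the rest.

```python
"""Header triage for worm mail with a forged From:.

Covers two checks from the thread: From: vs Return-Path:, and reading the
Received: chain to find the first hop so it can be matched against the
relays genuine client mail comes through.

Added example, not from the thread. Addresses, hosts, IPs and the client
relay table are constructed/assumed."""
import email
import re
from email import policy
from email.utils import parseaddr

# "from <helo-name> (<reverse-dns> [<ip>])" as most relays write it.
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)


def sender_identities(raw: bytes) -> dict:
    """Pull the three things worth comparing: From:, Return-Path:, first hop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    # Each relay prepends its own Received: line, so the last one in the
    # list is the earliest hop: the machine that handed the mail to the
    # first relay. Only lines added by relays you trust are reliable.
    received = [str(h) for h in msg.get_all("Received", [])]
    origin = None
    if received:
        m = RECEIVED_FROM_RE.search(received[-1].strip())
        if m:
            origin = {"helo": m.group(1).lower(),
                      "detail": (m.group(2) or "").strip()}
    return {
        "from": from_addr,
        "return_path": return_path,
        # A mismatch is a strong hint the From: is forged; agreement is not
        # proof of anything, since a worm sets the envelope sender as well.
        "from_differs_from_return_path": bool(return_path) and from_addr != return_path,
        "origin": origin,
    }


def clients_behind_origin(origin_helo, client_relays: dict) -> list:
    """Narrow a forged-From mail to the clients whose provider matches the first hop."""
    if not origin_helo:
        return []
    host = origin_helo.lower()
    return sorted(client for client, relay in client_relays.items()
                  if host == relay or host.endswith("." + relay))


# Constructed bounce-style copy: the worm put the site's own address in From:,
# but the first hop is a dial-up customer of a different provider.
SAMPLE = b"""Return-Path: <bounce@example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.mysite.example with ESMTP id 101; Mon, 20 May 2002 10:00:03 +0000
Received: from cust-42.dialup.isp-a.example (cust-42.dialup.isp-a.example [192.0.2.42]) by mx.example.net with SMTP id 100; Mon, 20 May 2002 10:00:01 +0000
From: webmaster@mysite.example
To: someone@example.net
Subject: a very funny website

(body omitted)
"""

# Assumed table built from headers of genuine client mail: client -> relay domain.
CLIENT_RELAYS = {
    "Client A": "isp-a.example",
    "Client B": "isp-b.example",
    "Client C": "mail.client-c.example",
}

if __name__ == "__main__":
    ids = sender_identities(SAMPLE)
    print(ids)
    print("candidates:", clients_behind_origin(ids["origin"]["helo"], CLIENT_RELAYS))
```

Run over a stack of bounces, the `origin` values cluster on the infected customer's provider while the forged From: stays constant, which is the narrowing Crazy_Fool describes; the IP in `detail` is usually the better key than the HELO name, since the sending machine chooses the latter.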

Conard

10:29 pm on May 30, 2002 (gmt 0)

I use MailWasher to preview ALL of my email.
Got about 100 infected messages in the last week and NAV never let out a peep.
Running Win XP, NAV and Outlook 2000.