Subject: Forged Renderosity Store Msg Contains Virus Infected Attachments


nukem ( ) posted Fri, 03 May 2002 at 7:39 AM · edited Thu, 09 January 2025 at 5:47 AM

I hope the admins don't mind but I posted this originally in Forum News & Contact and I thought I'd crosspost it here too since this highly active forum no doubt contains Renderosity Store customers.

=== CROSSPOST BEGINS ===

Hello, everyone. I was checking my Yahoo e-mail that I use for contact info and as a "spam magnet". I received a message with the following header:

X-Apparently-To: nuke172@yahoo.com via web20708.mail.yahoo.com; 29 Apr 2002 20:12:37 -0700 (PDT)
X-YahooFilteredBulk: 206.46.170.141
Return-Path: store@verizon.net
Received: from out002pub.verizon.net (EHLO out002.verizon.net) (206.46.170.141) by mta516.mail.yahoo.com with SMTP; 29 Apr 2002 20:12:36 -0700 (PDT)
Received: from Dnclz ([206.133.70.41]) by out002.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id 20020430031113.IHPE4379.out002.verizon.net@Dnclz for ; Mon, 29 Apr 2002 22:11:13 -0500
From: "store" store@renderosity.com.
To: nuke172@yahoo.com
Subject: LIndex1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=R749Q0l5Y4S3u1hlEX03H
Message-Id: 20020430031113.IHPE4379.out002.verizon.net@Dnclz
Date: Mon, 29 Apr 2002 22:12:36 -0500
Content-Length: 86182

The interesting thing of note is the "From" line that I bolded. It says it's from store@renderosity.com. The traceroute information points to a block of servers on the Sprint network that appear to be for their dial-up service.

Now just today, I received yet another unsolicited e-mail that also points to the same Sprint machines.

Both e-mails appear to originate from Sprint, both e-mails used verizon.net (forged?) domains in their headers, both e-mails had the same kind of attachments.

In both cases the attachments were infected with the W32.Klez.gen@mm virus!

These attachments are:

file.html <--- an html file with four lines of html code (html, body, head, iframe tags).

1.wav <--- may have different extension but still 0-bytes in length and was the infected file.

file.txt <--- appeared to be an empty text file.

wedding02.jpg <--- filename varied from both messages but was also an image file of some kind

I wouldn't bring this to the attention of staff and community members here if it not for the fact that the spammer used the Renderosity domain.

I've just contacted the admin of the Sprint dial-up network this morning via e-mail.

Sorry! I realize this isn't exactly a timely warning since a few days elapsed between the first and second messages. I thought the first e-mail was no more than a system hiccup. I didn't examine it too closely but held onto the e-mail anyway. It was the second message that I received just recently that confirmed everything.

Note that I'm no computer security expert but it seems obvious to me that something is amiss. I thought I'd give everyone here the heads-up.

=== CROSSPOST ENDS ===

P.S. - The Return-Path line was inadvertently omitted from my original posting but I included it here.

Mike
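The header check described in the post above, worked through as an added example (not code from the original thread): it parses the quoted headers, takes the bottom-most Received: line as the first hop, and compares the cosmetic From: domain against the relaying MTAs and the Return-Path. Function names and the report layout are mine; the mismatch test is only a heuristic, since legitimate third-party mailers also relay mail for domains they do not own.

```python
import email
import re

# Sample input: the headers quoted in the post above, joined into one block.
SAMPLE_HEADERS = """\
Return-Path: store@verizon.net
Received: from out002pub.verizon.net (EHLO out002.verizon.net) (206.46.170.141) by mta516.mail.yahoo.com with SMTP; 29 Apr 2002 20:12:36 -0700 (PDT)
Received: from Dnclz ([206.133.70.41]) by out002.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id 20020430031113.IHPE4379.out002.verizon.net@Dnclz for ; Mon, 29 Apr 2002 22:11:13 -0500
From: "store" store@renderosity.com.
To: nuke172@yahoo.com
Subject: LIndex1
Date: Mon, 29 Apr 2002 22:12:36 -0500
"""

ADDR_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
IP_RE = re.compile(r'[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]')


def domain_of(value):
    """Domain of the first address in a header value (None if there is none)."""
    m = ADDR_RE.search(value or '')
    return m.group(0).rsplit('@', 1)[1].lower() if m else None


def parse_received(value):
    """Claimed sending host, its IP and the receiving MTA from one Received: line."""
    frm = re.search(r'\bfrom\s+(\S+)', value)
    by = re.search(r'\bby\s+([\w.-]+)', value)
    ip = IP_RE.search(value)
    return {'from_host': frm.group(1) if frm else None,
            'ip': ip.group(1) if ip else None,
            'by_host': by.group(1) if by else None}


def analyze(raw_headers):
    """Compare the cosmetic From: against the relay chain and the envelope sender."""
    msg = email.message_from_string(raw_headers)
    # Each MTA prepends its Received: line, so the last one is the first hop.
    hops = [parse_received(v) for v in msg.get_all('Received', [])][::-1]
    from_domain = domain_of(msg.get('From'))
    rp_domain = domain_of(msg.get('Return-Path'))
    relays = [h['by_host'].lower() for h in hops if h['by_host']]
    indicators = []
    if from_domain and not any(r == from_domain or r.endswith('.' + from_domain) for r in relays):
        indicators.append('From: domain never appears among the relaying MTAs')
    if rp_domain and rp_domain != from_domain:
        indicators.append('Return-Path domain differs from From: domain')
    return {'from_domain': from_domain, 'return_path_domain': rp_domain,
            'origin': hops[0] if hops else None, 'indicators': indicators,
            'suspect': bool(indicators)}
```

For the quoted message the report names renderosity.com as the From: domain, verizon.net as the envelope domain, and the dial-up host Dnclz at 206.133.70.41 as the first hop, which is exactly the mismatch the post points out.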



Stormrage ( ) posted Fri, 03 May 2002 at 8:02 AM

I had been getting those too but not from rosity. Couldn't figure out what they were since my server at the time disassembled the messages into binary


Marque ( ) posted Fri, 03 May 2002 at 8:23 AM

I've been getting them from everywhere, but got one last night that was from 3XS Marque with the word test in the message. I used to think Norton sucked, but I have to say it has been working overtime this past week. It has caught well over 200 viruses trying to tag me through my email. Sheesh! And weird ones too, like a whole new entity is out there. Marque


nukem ( ) posted Fri, 03 May 2002 at 9:41 AM

I did some research on this virus:

This W32/Klez variant has the ability to spoof the email FROM: field. The senders address used by the virus, may be one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual senders address.*
-McAfee Web Site

Also of note:

The risk assessment of this virus according to McAfee is Medium.

The virus may save a copy of itself into .RAR archives.

There is a date-activated payload associated with this threat. On the 6th day of March, May, September, or November, the virus may overwrite local and network files containing the following extensions with zeros: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3.

If the month is January or July, all files may be overwritten. This behavior was not observed in a lab environment.
**-McAfee Web Site


So, 3 days till virus activation... I'll be sure to look out for anything suspicious on my system on the 6th of May.

Mike



c1rcle ( ) posted Fri, 03 May 2002 at 10:07 AM

oh heck you mean I might lose everything again if I didn't get rid of that damn virus totally? Rob (worried)


Marque ( ) posted Fri, 03 May 2002 at 10:54 AM

The Norton seems to catch them all, and also scans the ones you send. Marque


nukem ( ) posted Fri, 03 May 2002 at 2:01 PM

>>That message is not forged. Hi, Ron. Well, technically it can be considered a forgery--- it's just not a very comprehensive forgery. Superficially, it makes itself appear to be from Renderosity when it's not from Renderosity at all. The cosmetic "From" line is about as deep as the forgery goes--- nothing as deep as spoofed IPs or anything of that sort... I posted another message regarding this in Forum News & Contact (but neglected to post it here ^_^) saying that my initial impression was wrong--- it isn't some premeditated action by a spammer trying to fly underneath user radar as I had first thought but rather the result of the autonomous function of the virus itself... There's no person, per se, behind the e-mail (not counting the maker of the virus). It's just the virus doing what it was made to do. Mike



Ironbear ( ) posted Fri, 03 May 2002 at 2:18 PM

Yeah, the Klez.H.worm has been going around lately. I caught it from a damned auto execute spam mail that my virus scanner didn't block, and it fired when I tried to delete it. Took two days to clean my system and satisfy myself I got rid of the traces.

"I am a good person now and it feels... well, pretty much the same as I felt before (except that the headaches have gone away now that I'm not wearing control top pantyhose on my head anymore)"

  • Monkeysmell


Marque ( ) posted Fri, 03 May 2002 at 3:37 PM

I have my system set up to not allow something to open automatically, it comes up with a dialog box asking permission to open or save like a regular download. I've been hit by a ton of those lately. Just sucks what some people do to folks they don't even know. Marque


Lyrra ( ) posted Fri, 03 May 2002 at 6:09 PM

There's been an outbreak of Klez recently - the fact that it spoofs the 'from' field makes it a little trickier to trace. It takes triangulation. You and 'renderosity store' both know the infected sender. Which doesn't narrow it down too much in this case. sigh A friend of mine got some bad mail allegedly from me - and I can't be infected with this one since I use Eudora. (not being stupid) So we correctly guessed it had to be someone who knew both of us at specific email addresses - so we were able to narrow it down to one very small mailing list to warn. I strongly suggest anyone who uses Outlook or Outlook Express to update their virus data files and scan their systems. (this is Yet Another Outlook Virus) I don't think it can infect other mail programs. And of course Mac and Unix users can happily ignore all of this. Lucky dudes :) Lyrra



melanie ( ) posted Fri, 03 May 2002 at 8:48 PM

What's the best virus protection program to get? I bought McAfee and tried to install it, and it started to destroy my computer. I immediately uninstalled it. It caused my computer to go into safe mode and would stop until I removed McAfee. That was scary. Is Norton any good? Melanie


Ironbear ( ) posted Fri, 03 May 2002 at 8:52 PM

Norton seems to be ok, but like McAfee, I've run across people that have had problems with it.

"I am a good person now and it feels... well, pretty much the same as I felt before (except that the headaches have gone away now that I'm not wearing control top pantyhose on my head anymore)"

  • Monkeysmell


nukem ( ) posted Fri, 03 May 2002 at 10:53 PM

I've received another one of those Klez e-mails... It's interesting to note the subject lines I've seen it use so far. They're all body part designations like "Lindex", "Left Leg", "Abdomen", not unlike the designations used inside Poser .cr2 files. Mike



movida ( ) posted Fri, 03 May 2002 at 11:40 PM

F-Prot...it's free for personal use


movida ( ) posted Sat, 04 May 2002 at 12:33 AM

Just went to the F-Prot site, seems it's $25.00 now for personal use. I don't know what Norton's or Symantec's cost so this may or may not be a deal. It's a very good anti-v
