Attached Link: http://www.pc-cillin.com
Yes, Hogwarden is right, it doesn't mean that Sams3d is infected. I got the virus a month or so ago, and since then, my virus scan NEVER gets turned off. I was getting e-mails from people here on the forum whom I have never contacted before, so who knows? You can also get the fix for free here, in case anyone needs it, and it will do a scan to let you know if you have it or not. Sorry to hear that you got the virus, it is a pain, I had to re-format, but now I am extra careful. Genny

Just so you know, we have scanned our computers, all of them; we do it regularly every night, and I really mean it, every night. We have not been notified that we have the virus from Symantec or from pc-cillin; I do think you are incorrect. We get scanned from Symantec's site every week, a full scan every night, and update virus definitions every day; really, we don't have it. We take great care when it comes to viruses and spreading them. We don't use Outlook Express either; I know that doesn't really matter, but no email enters our site without being scanned, and we send out our mail and it is scanned before we send it. So, please don't panic, I just don't think it came from us. Sharen (not a dude)
Guess message headers really are getting good at lying now then. Message received from SAMS3D after emailing them about it:

Return-Path:
Delivered-To: webmaster@darkfaction.com
Received: (qmail 14620 invoked by uid 508); 11 Jul 2002 22:42:28 -0000
Received: from unknown (HELO mailout5.nyroc.rr.com) (24.92.226.122) by chestnut.phpwebhosting.com with SMTP; 11 Jul 2002 22:42:28 -0000
Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140]) by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BMgML29552 for ; Thu, 11 Jul 2002 18:42:22 -0400 (EDT)
MIME-Version: 1.0
Message-Id: 3D2E0965.00000D.01016@Sharen
Date: Thu, 11 Jul 2002 18:40:37 -0400

--------------------------------------------------

Now, the header of the message containing the virus:

Return-Path:
Delivered-To: webmaster@darkfaction.com
Received: (qmail 21614 invoked by uid 508); 11 Jul 2002 20:39:59 -0000
Received: from unknown (HELO mailout5.nyroc.rr.com) (24.92.226.169) by chestnut.phpwebhosting.com with SMTP; 11 Jul 2002 20:39:59 -0000
Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140]) by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BLMYL177988 for ; Thu, 11 Jul 2002 13:39:29 -0700
MIME-Version: 1.0
Message-Id: 3D28B965.00000D.01016@Sharen
Date: Thu, 11 Jul 2002 17:39:28 -0400
Attached Link: http://www.sarc.com/avcenter/venc/data/w32.klez.h@mm.html
Klez is known for email spoofing. Attached link explains.

That's part of the actual message header; I don't know why it says Sharen, but that first one is a copy of the message header from the email I had just received, the second one is from the email that had the virus. Either viruses are getting really good at duping headers, and not just hiding the sender, or you guys have one your scanners aren't picking up; that's the only thing I can think of.
Golly, this particular virus has been "in the news" for weeks or months. We all know the virus does its dirty work by sending infected emails to people listed in someone's address book. We know this virus does the work on its own without the knowledge or help of the owner of the infected computer. Personally I think it's every computer owner's responsibility to remain informed, and self-protected. That includes knowing that you can't accuse someone of giving you the virus just because the damned virus likes to play tricks. We're smarter than that. I think it's incredibly irresponsible to post a message that accuses someone of spreading such an infection/virus. In this case you've chosen two of the nicest and most generous people I know. Spend some time searching through any forum here at Renderosity, and you'll know you're totally wrong in your assumption. Then you can apologize.
Okay, just to make sure again, we downloaded the tool to get rid of all Klez's. We ran it and it came up with nothing; we ran a full scan, nothing. I don't know what to tell you. Let me ask you something though: you said it infected your computer, how did you know that, what did your computer do with this virus? I know that it is supposed to disable virus protection, mine is still running, what else does it do? Sharen
Whatever, Ron, I know this virus, yes, I've read about it, and 1) for the virus to get sent out someone has to have it. 2) You have to be in that person's mailing list. 3) It does not modify the complete header of the email, only the 'sender' address. So whatever anyone thinks, whatever anyone says, I was trying to be fucking helpful and prevent others from getting it as well. I don't give a crap if you think it's irresponsible; from what I'm seeing this message came directly from somewhere on their server. Whether it be their mail server, or one of their networked machines, it originated from there. Me apologizing? Hell no, I ain't apologizing for squat at this point. Piss on it. Like I said in the beginning, I was TRYING TO HELP PREVENT ANYONE FROM GETTING IT AND WAS SUPPLYING THEM WITH A TOOL SO THEY COULD MAKE SURE THEY DIDN'T. Go bite off whoever's head you're really upset with, ronknight.
Listen, before we get into a full-fledged war: I appreciate anyone notifying me that we might have a virus, they are nasty, and I for one wouldn't want it on my computer. You did notify me, Caleb68. I am trying my hardest to find out what is happening, and it is just beyond me; I have tried to fix it, but keep coming up empty. I just want to know a way to find out if I have it. I do not expect an apology from you, I just don't want to panic everyone unless I do have it, and to be honest with you I just can't find proof that I do. If anyone can help us out, I surely would appreciate it. Desperately seeking solution, not war..... Sharen
Sharen, you have two good antivirus programs. You've "done your homework" and verified you're not infected. You don't need to worry any more. I'm very sorry caleb68 chose to respond in such a violent manner. It appears he just needs to take care of business, catch his breath, regain his composure. Personally I'm pissed that someone can continue to dig in deeper once the mistake has been pointed out. But then I get a lot of that crap around here. And I find most of it totally unnecessary, asinine and childish. I either learn to live with it or I'll just say "screw you" to all the idiots. I do still care, and Sharen, you are one of the people who don't deserve this kind of treatment.
My ISP scans for viruses and initiates a trace when they find one. In my case, the virus seems to have originated from Asia and piggybacked on an email from Rosity. They have a name and they are making inquiries. If it's a Klez, it's evolved quite a bit. Stay cool, Q

"A throw of the dice will never abolish chance." S. Mallarmé
Norton won't run if you have the Klez.H virus, if Norton gets infected with it. The easiest way is to take that tool I supplied at the beginning and run it with /scanfiles; if it's there it will detect it even if it's lying dormant. No, Sam, I wasn't upset with you, I was upset with Ron for assuming something that he shouldn't have. I want to know how it got your guys' header when the virus doesn't modify the whole header; the sender wasn't even modified like it's supposed to be. It's really annoying, yes, and being the first virus that's managed to get through to me in over 3 years, it is something that I am concerned about. Considering it's your guys' full header, and looks to be the same besides one minor IP difference (24.92.226.122 vs. 24.92.226.169, meaning both machines are on the same subnet), I can only figure maybe it's coming from the mail server.
A virus can pick up someone's email list and use that list to send out more viruses supposedly coming from that person's email. I just got a blank email from Renderosity.com with a virus attached to it. I've also had emails bounce back to me (supposedly ones that I have sent) saying the address can't be found. So what happens is, a virus can stay on various servers, spreading itself, long after the virus has been cleaned off of your computer, if you even had it to begin with. So please don't go jumping to conclusions; I'm sure the more reputable websites and brokers around here have better things to do than scare away their own customers by sending out viruses to them.
Sharen, the part of the header that says: "Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140]) by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BLMYL177988": you'll see where it says Sharen there. That doesn't have to be the return email address but rather the computer's name, or the user's name on the computer. Basically, the computer identifies itself. Now, that header is very difficult to fake. But the only real pointer would be the IP 66.66.101.140. Then again, I'm not sure if Klez is able to fake headers that in depth or not. So I ain't saying it's you. Was just replying to where I lost you :) The thing you can do is test your computer's IP. If on a Windows machine on Win98, you can go to Run and type in winipcfg. In the box that pops up it will give you the IP. If NT-based, like Win2k or XP, go to Run and type in cmd, then when the command line pops up type in ipconfig, hit enter and it'll give you your IP there. Hope that helps some. If on a Mac, sorry, I haven't done anything with them in too long to tell you how to navigate its TCP anymore. Tom
Sharon, it may be on your ISP's machine, to duplicate the header completely; though, unless your ISP is stupid enough to be running M$ security-hole-central serverware, it shouldn't be vulnerable. I know that with the emails I have received from you there has never been any virus problem. Netscape 7 doesn't seem to like HTML mail, but that is a bug in the browser, not a virus. ~g~ My ISP (Shaw Cable) is stupid enough to prefer M$ products for their servers, so it is within the range of possibilities that your ISP uses them also. With me always interfacing online through a Linux box, though, no virus gets through the Unix security, never mind the AV ware.
Taken from: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html

Email spoofing: Some variants of this worm use a technique known as "spoofing." If so, the worm randomly selects an address that it finds on an infected computer. It uses this address as the "From" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else. For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected. If you are using a current version of Norton AntiVirus and you have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
Meant to bold this part. This is where the FROM SHARON is coming from I would bet. For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.
Hello, just my two cents, but... There are new derivatives of existing computer virii popping up on a daily basis. So just because the anti-virus manufacturers, news sites, etc. say that a virus doesn't fake the entire header doesn't mean that someone out there hasn't "improved" upon the original virus. In my opinion, someone out there has your e-mail address and Sharen's e-mail address. The virus originated from that person's PC, faking the header to report that it came from Sharen's PC. I had this happen to me with a different virus. But that's just my opinion. Brian
Not entirely up to date on the virus since I don't get a lot of them: 4 in the last 8 years or so. But Klez might have been "evolved" to spoof the header too, if a new version is out and about. Not entirely hard to do for the right programmer who likes to cause problems. Anything's possible anymore.
Right, Caleb. The "Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140]) by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BLMYL177988" bit of the header doesn't mean the person's email address but their actual IP etc. It's not the From field; this is part of the mail header that usually only shows up if you ask for it, because usually only mail servers have to worry about it. Though I know that QMail is a Linux/Unix app, and that's what this particular mail server was using. So, unless I'm behind on QMail, it's not running on a Windows server and the server hole on NT. Tom
That's feasible, but they would have to have more than just Sharen's email address; they would need a header from one of Sharen's emails, as well as have my email address, to duplicate the full header of origination. That's what would be needed. Not to mention half the header information is added in at the sending server, so that would be a really interesting trick if a virus could pull it off: to change the header as it passes through servers to get to where it needs to go, and at the same time keep their modified header there as the pass-through route. Header spoofing has been going on for years now with email viruses, to try to hide who it came from, but like I said, for them to be able to match two emails to almost pinpoint accuracy, that's pretty damn difficult; it's a lot harder than what it sounds.
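The header comparison Caleb posted, Tom's reading of the "Received: from Sharen" line, and the point that each mail server adds its own stamp as the message passes through can all be checked with a short script. The following is an added example written for this thread, not code posted by anyone in it. It rebuilds the two header sets from the values quoted in the thread (the Return-Path value and the "for" recipient were blank on the page and are left out), and the parsing regexes are an assumption about the qmail and sendmail stamp formats seen here rather than a general Received: parser.

```python
import re
from email import message_from_string

# Two header sets constructed from the values quoted in this thread. The blank
# Return-Path and the elided "for <recipient>" clause are omitted.
HEADERS_NORMAL = """\
Delivered-To: webmaster@darkfaction.com
Received: (qmail 14620 invoked by uid 508); 11 Jul 2002 22:42:28 -0000
Received: from unknown (HELO mailout5.nyroc.rr.com) (24.92.226.122)
  by chestnut.phpwebhosting.com with SMTP; 11 Jul 2002 22:42:28 -0000
Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140])
  by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BMgML29552;
  Thu, 11 Jul 2002 18:42:22 -0400 (EDT)
MIME-Version: 1.0
Message-Id: 3D2E0965.00000D.01016@Sharen
Date: Thu, 11 Jul 2002 18:40:37 -0400

"""

HEADERS_VIRUS = """\
Delivered-To: webmaster@darkfaction.com
Received: (qmail 21614 invoked by uid 508); 11 Jul 2002 20:39:59 -0000
Received: from unknown (HELO mailout5.nyroc.rr.com) (24.92.226.169)
  by chestnut.phpwebhosting.com with SMTP; 11 Jul 2002 20:39:59 -0000
Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140])
  by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BLMYL177988;
  Thu, 11 Jul 2002 13:39:29 -0700
MIME-Version: 1.0
Message-Id: 3D28B965.00000D.01016@Sharen
Date: Thu, 11 Jul 2002 17:39:28 -0400

"""

# Headers whose values come from the sending machine itself (Return-Path is copied
# by the last server from the envelope sender the client gave). A worm that forges
# these needs no access to anyone's mailbox, so they say nothing about the true origin.
CLIENT_WRITTEN = ("From", "Return-Path", "Reply-To", "Message-Id", "Date")


def parse_received(value):
    """Pull the announced name, recorded IP and stamping server out of one Received: line."""
    text = " ".join(value.split())  # unfold header continuation lines
    m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", text)
    if m is None:
        return None  # e.g. qmail's local "(qmail ... invoked by uid ...)" stamp
    claimed, extra, by = m.groups()
    ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", extra)
    rdns = re.search(r"\(([\w.-]+)\s+\[\d", extra)
    helo = re.search(r"HELO\s+([\w.-]+)", extra)
    return {
        "claimed": claimed,                         # name the client announced itself as
        "helo": helo.group(1) if helo else claimed,  # HELO string, also self-reported
        "rdns": rdns.group(1) if rdns else None,     # reverse DNS looked up by the stamping server
        "ip": ip.group(1) if ip else None,           # peer address recorded by the stamping server
        "by": by,                                    # the server that wrote this stamp
    }


def relay_chain(raw_message):
    """Received: stamps in transit order, origin first. Every server prepends its own
    stamp, so the last Received: line in the header text is the oldest hop."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def origin(raw_message):
    """The hop that first handed the message to a mail server. Its IP was recorded by
    that server, not announced by the client, but it is only as trustworthy as the
    server that wrote the stamp."""
    return relay_chain(raw_message)[0]


def compare_chains(raw_a, raw_b):
    """List (hop index, field, value in a, value in b) for every field that differs."""
    diffs = []
    for i, (x, y) in enumerate(zip(relay_chain(raw_a), relay_chain(raw_b))):
        for field in ("claimed", "helo", "rdns", "ip", "by"):
            if x[field] != y[field]:
                diffs.append((i, field, x[field], y[field]))
    return diffs


def untrusted_headers(raw_message):
    """Return the client-written headers present in the message."""
    msg = message_from_string(raw_message)
    return {name: msg[name] for name in CLIENT_WRITTEN if msg[name] is not None}


if __name__ == "__main__":
    for label, raw in (("normal", HEADERS_NORMAL), ("virus", HEADERS_VIRUS)):
        print(label, "origin:", origin(raw))
    print("differences:", compare_chains(HEADERS_NORMAL, HEADERS_VIRUS))
    print("client-written headers:", untrusted_headers(HEADERS_VIRUS))
```

Run on the two header sets, the chains match on every field except the IP of the second hop (24.92.226.122 versus 24.92.226.169), which is exactly the one difference Caleb noticed. Reading it as a defender: the only stamp you can trust outright is the one your own server (chestnut.phpwebhosting.com) wrote; the inner stamp by mailout5.nyroc.rr.com is only as reliable as that relay; and "Sharen" appears twice (as the announced name in the innermost Received: and as the domain part of the Message-Id) because both are strings the sending machine supplies about itself. The From: line that the Symantec text says Klez forges is not part of the relay chain at all, which is why these posts are reading the Received: lines instead.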
Stormrage, I read that too. I downloaded the tool to get rid of it, it said we don't have it. Jaqui, if my server (ISP) is infected, should I contact them? Caleb, I will get to the bottom of this and will contact you; it won't be by email until I know for sure. Okay, gotta go get some more info. Sharen
That's why my ISP's so aggressive on this one, Tom, I think. They feel it was aimed at them more than me. How a computer in Asia can bounce it off my ISP in Canada is beyond my limited understanding of such things. But I'm glad for the service. The first line of defence worked. Worth the 2 extra $ a month. Q

"A throw of the dice will never abolish chance." S. Mallarmé
Attached Link: http://www.kasperskylabs.com
Something that I don't like about Norton AntiVirus is that in some circumstances it is not able to find a virus, even with deep scans, or you can get false alarms with it. I'm not making free publicity, but the best antivirus software available on the market, from my point of view, is the Kaspersky Labs one; it has daily updates and it really stops the viruses before they can do any harm. There is nothing more annoying than getting a virus from a friend. Ron, I guess you should first read the messages carefully before jumping in and making statements; from my point of view Caleb68 was trying to do a service for this community, he was not trying to hurt Sharon or Mike. I just hope that you guys don't get that nasty bug. If you want further information just follow the Kaspersky Labs antivirus link.

SAL9000 - Hello Dr. Chandra, will I dream?
Folks! I got one from myself to myself! It really can happen. I run Norton on both my desktops and update every Friday when the new defs come out. My work system email runs some godawful mil-spec spyware and it told me my Yahoo webmail account sent one to my work address. I scanned the entire contents, all files and inside zips, on both systems and they were clean. If either were actually infected I would be getting a lot of complaints from people in my address books, and I'm not. Yahoo is supposed to be running Norton and scans all incoming attachments. None of us had it, but there is a webpage I generated that has both addresses. Klez not only scans the Outlook mailbox, it checks My Documents and Windows temp, including webpages you visit. It reads text files and looks for the name@xxx.yyy pattern and tries all it finds as addresses. It will change the From in the message but usually shows the true sender if you show the routing information (press the Bla,Bla,Bla button in Eudora). However, the one I got from myself still said the sender was me. This is just another way the virus pisses people off! They really could have not sent it. Let's all just agree to scan all our systems tonight.
Now everybody take a deep breath.
1) The KLEZ virus fakes all header info.
2) The KLEZ virus takes email info from the address book for both 'to' and 'from' headers. Ergo, someone who you both know has KLEZ.
3) KLEZ is an Outlook-only virus. Your chances of having it if you do not use Outlook are very, very small.
4) KLEZ is old, and easily detected by most virus scanning software.
Okay? So everybody chill out some. Lyrra
Klez is old; Klez.H is newer, along with a few other Klez.xx versions. Anyhow... it's cool, Sams3d. There's a tool posted; people can take it or leave it. I managed to get rid of it from mine. Lyrra, I still can't see how it can change a full header before an email is sent, considering that the header info is made up along the way. P.S. Where did you get your info from? I'd like to read what you're reading, considering everyone else I've read is saying partial info, not full. Thx in advance.
Attached Link: http://www.viruslist.com/eng/index.html?tnews=1001&id=48733
For more information about the Klez.H virus you can follow the link here.

SAL9000 - Hello Dr. Chandra, will I dream?
Attached Link: Klez.H Virus Disinfector
Hi all, since Sams3d is a Poser prop site I figured this is the best place to let you all know: if you receive an email from Sams3d be really careful. The last one that I had received from him (received today) had the Klez.H virus attached to it and my system had gotten infected. I've written Sams3d about this, but I thought I should warn all you other people in the meantime till he gets the email. A disinfector for this virus can be found at the attached link; run the file with /scanfiles to ensure it checks your whole system for any dormant versions of the virus on your computer.