Attached Link: Klez.H Virus Disinfector

Hey there! This virus probably was NOT from Sams3D. It may have picked a random name FROM YOUR ADDRESS BOOK for the sender, to hide the real source of the infection. H:)

Attached Link: http://www.pc-cillin.com

sharens a dude?

nope opened it as it was recieved. it originated from SAMS3D. not the email addie in the sender header, the origin.

oh btw, sam3d isn't in my address book either.

Just so you know we have scanned our computers, all of them, we do it regularly every night, and I really mean it, every night, we have not been notified that we have the virus from Symantec or from pc-cillin, I do think you are incorrect. We get scanned from Symantec's site every week, full scan every night and update virus definitions every day, really we don't have it. We take great care when it comes to virus's and spreading them, we don't use Outlook express either, I know that doesn't really matter, but no email enters our site without being scanned and we send out our mail and it is scanned before we send it. So, please don't panic, I just don't think it came from us. Sharen (not a dude)

ok... whatever.

Guess Message Headers Really are getting good at lieing now then: Message recieved from SAMS3D After Emailing them about it: Return-Path: Delivered-To: webmaster@darkfaction.com Received: (qmail 14620 invoked by uid 508); 11 Jul 2002 22:42:28 -0000 Received: from unknown (HELO mailout5.nyroc.rr.com) (24.92.226.122) by chestnut.phpwebhosting.com with SMTP; 11 Jul 2002 22:42:28 -0000 Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140]) by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BMgML29552 for ; Thu, 11 Jul 2002 18:42:22 -0400 (EDT) MIME-Version: 1.0 Message-Id: 3D2E0965.00000D.01016@Sharen Date: Thu, 11 Jul 2002 18:40:37 -0400 -------------------------------------------------- Now, the Header of the Message containing the Virus: Return-Path: Delivered-To: webmaster@darkfaction.com Received: (qmail 21614 invoked by uid 508); 11 Jul 2002 20:39:59 -0000 Received: from unknown (HELO mailout5.nyroc.rr.com) (24.92.226.169) by chestnut.phpwebhosting.com with SMTP; 11 Jul 2002 20:39:59 -0000 Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140]) by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BLMYL177988 for ; Thu, 11 Jul 2002 13:39:29 -0700 MIME-Version: 1.0 Message-Id: 3D28B965.00000D.01016@Sharen Date: Thu, 11 Jul 2002 17:39:28 -0400

it cut out the return paths on both when posting, return paths on both were SC@SAMS3D.COM

Why does it say Received from Sharen, mine is suppose to say SAMS3D? Sharen PS: look I am not telling you that you did not get this virus, I am just saying it wasnt' from us. I don't know how to convince you. And I am sorry you were infected.

I got one this week but not from SAM's 3d. It seems someone is having a bit of fun, piggybacking viruses on people's addies here. My ISP has a trace on it. I plan to press charges ifwhen we get the bastard. Q

I don't think the sites themselves are doing it, rather a virus is scanning someone's favorites and sending out emails that emulate various domain names. Heck I got one from cnn.com a few days ago.

Attached Link: http://www.sarc.com/avcenter/venc/data/w32.klez.h@mm.html

thats part of the accual message header, i don't know why it says sharen, but that first one is a copy of the message header from the email i had just recieved, the second on is from the email that had the virus. Eather Viruses are getting really good at duping headers, and not just hiding the sender, or you guy's have one your scanners aren't picking up, thats the only thing i can think of.

If NetBios is up, that could be the computer name. In reference to the "From Sharon " That is if I recall my header stuff right from playing with QMail. Tom

okay, depakotez you lost me, what do you mean "In reference to the "From Sharon " That is if I recall my header stuff right from playing with QMail"...Sharen

Golly, this particular virus has been "in the news" for weeks or months. We all know the virus does its dirty work by sending infected emails to people listed in someone's address book. We know this virus does the work on its own without the knowledge or help of the owner of the infected computer. Personally I think it's every computer owner's responsibility to remain informed, and self-protected. That includes knowing that you can't accuse someone of giving you the virus just because the damned virus likes to play tricks. We're smarter than that. I think it's incredibly irresponsible to post a message that accuses someone of spreading such an infection/virus. In this case you've chosen two of the nicest and most generous people I know. Spend some time searching through any forum here at Rendeorsity, and you'll know you're totally wrong on your assumption. Then you can apologize.

Okay, just to make sure again, we downloaded the tool to get rid of all Klez's. We ran it and it came up with nothing, we scanned a full scan, nothing, I don't know what to tell you....let me ask you something though, you said it infected your computer, how did you know that, what did your computer do with this virus? I know that it is suppose to disable Virus protection, mine is still running, what else does it do? Sharen

Whatever ron, i know This virus, yes, i've read about and 1) for the virus to get sent out someone has to have it. 2) you have to be in that persons mailing list. 3) it does not modify the complete header of the email only the 'sender' address. So whatever anyone thinks, whatever anyone says, i was trying to be fucking helpful and prevent others from getting it as well. I don't give a crap if you think its irresponsible, from what im seeing this message came directly from somewhere on there server. Wheather it be there Mail server, or one of there networked machines, it orentated from there. Me apologizing? hell no, i ain't appologizing for squat at this point. Piss on it, Like i said in the begining I was TRYING TO HELP PREVENT ANYONE TO GET IT AND WAS SUPPLYING THEM WITH A TOOL SO THEY COULD MAKE SURE THEY DIDNT. Go bite off whoever's head your really upset with ronknight.

Listen, before we get into a full fledge war, I appreciate anyone notifying me that we might have a virus, they are nasty, and I for one wouldn't want it on my computer, you did notify me Caleb68, I am trying my hardest to find out what is happening, and it is just beyond me, I have tried to fix it, but keep coming up empty, I just want to know a way to find out if I have it. I do not expect an appology from you, I just don't want to panic everyone unless I do have it, and to be honest with you I just can't find proof that I do, if any one can help us out, I surely would appreciate it. Desparetly seeking solution, not war.....Sharen

BTW, I called Symantec, there tech support said, if I can run Norton Anti Virus, and have all the updates (they plugged into me while we were on the phone too), they said if I had the Klez H, Norton would not run. Any more suggestions would be helpful? Sharen

Sharen, you have two good antivirus programs. You've "done your homework" and verified you're not infected. You don't need to worry any more. I'm very sorry caleb68 chose to respond in such a violent manner. It appears he just needs to take care of business, catch his breath, regain his composure. Personally I'm pissed that someone can continue to dig in deeper once the mistake has been pointed out. But then I get a lot of that crap around here. And I find most of it totally un-necessary, assinine and childish. I either learn to live with it or I'll just say "screw you" to all the idiots. I do still care, and Sharen, you are one of the people who don't deserve this kind of treatment.

My ISP scans for viruses and initiates a trace when they find one. In my case, the virus seems to have originated from Asia and piggybacked on a email from Rosity. They have a name and they are making inquiries. If it's a Klez, it's evolved quite a bit. Stay cool, Q

Norton won't run if you have the Klez.H virus if norton gets infected with it. easiest way is to take that tool i supplied at the beginning and run it with /scanfiles, if its there it will detect it even if its laying dorment. No sam, i wasn't upset with you, i was upset with Ron for assuming something that he shouldn't have. I want to know how it got your guy's header when the virus doesn't modify the whole header, the sender wasn't even modified like its sapose to. Its really anoying yes, and being the first virus thats managed to get threw to me in over 3 years, it is something that i am concerned about. Considering its ur guy's full header, and looks to be the same besides one minor ip difference ( 24.92.226.122 vs. 24.92.226.169 meaning both machines are on the same subnet) I can only figure maybe its coming from the mail server.

A virus can pick up someone's email list and use that list to send out more viruses supposedly coming from that person's email. I just got a blank email from Renderosity.com with a virus attached to it. I've also had emails bounce back to me (supposedly one's that I have sent) saying the address can't be found. So what happens is, a virus can stay on various servers, spreading itself, long after the virus has been cleaned off of your computer - if you even had it to begin with. So please don't go jumping to conclusions, I'm sure the more reputable websites and brokers around here have better things to do than scare away their own customers by sending out viruses to them.

Sharen, The part of the header that says: " Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140]) by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BLMYL177988 : You'll see where it says Sharen there. That doesn't have to be the return email address but rather the computer's name, or the user's name on the computer. Basicaly, the computer identifies itself. Now, that header is very difficult to fake. But, the only real pointer would be the ip 66.66.101.140. Then again, I'm not sure, if Klez is able to fake headers that indepth or not. So I ain't saying it's you. Was just replying to where I lost you :) The thing you can do is test your computer's IP. If on a windows machine on Win98 you can go to Run and type in winipcfg. In the box that pops up it will give you the ip. If an NT based, like Win2k or XP go to Run and type in cmd, then when the command line pops up type in ipconfig, hit enter and it'll give you your IP there. Hope that helps some. If on a MAC, sorry I haven't done anything with them in too long to tell you how to navigate it's TCP anymore. Tom

Sharon, it may be on your isp's machine, to duplicate the header completely, though, unless your isp is stupid enough to be running m$ security hole central serverware, it shouldn't be vulnerable. I know that with the email's I have received from you there has never been any virus problems....netscape 7 doesn't seem to like html mail but that is a bug in the browser not a virus. ~g~ My isp (Shaw Cable) is stupid enough to prefer m$ products for their servers. so it is within the rane of possibilities that your isp uses them also. with me always interfacing online though a linux box, no virus gets through the unix security, never mind the av ware.

taken from : http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html Email spoofing Some variants of this worm use a technique known as "spoofing." If so, the worm randomly selects an address that it finds on an infected computer. It uses this address as the "From" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else. For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected. If you are using a current version of Norton AntiVirus and you have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.

Caleb68, you're assuming your faulty knowledge is correct, and accusing someone publicly of being infected. You're causing them undue stress by insisting on this. Why not just shut up, fix your own computer, and call it a night.

oops realm of possibilities not rane of possiblilities

Meant to bold this part. This is where the FROM SHARON is coming from I would bet. For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

Jaqui - exactly what i've been trying to say, thank you :). Ronkinghts - go talk to someone who cares what you have to say. no its not faulty knowlege about the virus, go read up on it before you shove your entire leg down your throat.

Hello, Just my two cents, but... There are new derivatives of existing computer virii popping up on a daily basis. So just because the anti-virus manufacturers, new sites, etc. say that a virus doesn't fake the entire header doesn't mean that someone out there hasn't "improved" upon the original virus. In my opinion, someone out there has your e-mail address and Sharen's e-mail address. The virus originated from that person's PC, faking the header to report that it came from Sharen's PC. I had this happen to me with a different virus. But that's just my opinion. Brian

storm rage - thats just the 'from' field, not the accual header.

Not entirely up to date on the virus since I don't get a lot of them.. 4 in the last 8 years or so. But Klex might have been "evolved" to spoof the header too If a new version is out and about. Not entirely hard to do for the right programmer who likes to cause problems. Anythings possible any more.

Right Caleb, The "Received: from Sharen (roc-66-66-101-140.rochester.rr.com [66.66.101.140]) by mailout5.nyroc.rr.com (8.11.6/RoadRunner 1.20) with SMTP id g6BLMYL177988" bit of the header doesn't mean the person's email address but their actual IP etc. It's not the from field, this is part of the mail header that usually only shows up if you ask for it because usally only mail servers have to worry about it. Though I know that QMail is a Linux/Unix app. And that's what this particular mail server was using. So, unless I'm behind on QMail it's not running on a Windows server and the serverhole on NT. Tom

thats feaseable but, they would have to have more then just sharens email address, they would need a header from one of sharens emails, as well as have my email address, to duplicate the full header of origination thats what would be needed. Not to mention 1/2 the header information is added in at the send server, so that would be a really intresting trick if a virus could pull it off, to change the header as it passes threw servers to get to where it needs to go, and at the same time keeping there modified header there as keeping the passthrew route. header spoofing has been going along for years now with email viruses, to try to hide who it came from, but like i said, for them to be able to match two emails to allmost pinpoint accuracy, thats pretty damn difficult, its alot harder then what it sounds.

Stormrage, I read that too, I downloaded the tool to get rid of it, it said we don't have it, Jaqui if my server (ISP) is infected should I contact them? Caleb, I will get to the bottom of this and will contact you, it won't be by email until I know for sure. Okay, gotta go get some more info. Sharen

Sharen, Your mail server is not infected. They are running QMail, which is impervious to Window viri like Klez. If in fact that was your IP etc. :) Tom

That's why my ISP's so agressive on this one Tom, I think. They feel it was aimed at them more than me. How a computer in Asia can bounce it off my ISP in Canada is beyond my limited understanding of such things. But I'm glad for the service. The first line of defence worked. Worth the 2 extra $ a month. Q

Attached Link: http://www.kasperskylabs.com

I am pretty sure Caleb put the right one down, so how did you learn that? But now what is the next step? Sharen

thanks sharen, would like to know whats up, I think it would be a good idea to contact the server. depakotez - yeah thats why I posted the full header from both emailings, to show im not being mental here.

Virus, I am off to read your link, thank you...Sharen

Folks! I got one from myself to myself! It really can happen. I run Norton on both my desktops and update every friday when the new defs come out. My work system email runs some godawful mil spec spyware and it told me my Yahoo webmail account sent one to my work address. I scanned the entire contents all files and inside zips on both systems and they were clean. If either were actually infected I would be getting a lot of complaints from people in my address books and I'm not. Yahoo is supposed to be running norton and scans all incoming attachments. None of us had it, but there is a webpage I generated that has both addresses. Klez not only scans the outlook mailbox it checks my documents and windows temp includinng webpages you visit. It reads text files and looks for the name@xxx.yyy pattern and trys all it finds as addresses. It will change the from in the message but usually shows the true sender if you show the routing information (press Bla,Bla,Bla button in Eudora). However, the one I got from myself still said the sender was me. This is just another way the virus pisses people off! They really could have not sent it. Lets all just agree to scan all our systems tonight.

Caleb68, if this takes all night, we will find out the solution, also a good friend of mine is testing my mail now also.....thank you Genny...Share

Now every body take a deep breath. 1) the KLEZ virus fakes all header info 2) the KLEZ virus takes email info from the address book for both 'to' and 'from' headers. Ergo, someone who you both know has KLEZ 3) KLEZ is an Outlook only virus. Your chances of having it if you do not use Outlook are very, very small 4) KLEZ is old, and easily detected by most virus scanning software Okay? so every body chill out some. Lyrra

Klez is old, klez.h is newer, along with a few other klez.xx versions. anyhow... its cool sams3d.. theres a tool posted... people can take it or leave it, i managed to get rid of it from mine. lyrra - I still still can't see how it can change a full header before a email is sent, considering that the header info is made up along the way. P.S. were did you get your info from? i'ld like to read what your reading considering everyone else i've read is saying partial info, not full. thx in advance

Sharen (sorry about the Spell mistake in my previous message)I Hope the information there will be usefull for you. Caleb's link fo the removing tool is usefull too. Hope your system is clean. Best Regardings

Attached Link: http://www.viruslist.com/eng/index.html?tnews=1001&id=48733