Scanning eMails Q.
Paul Komski
08-01-2002, 06:08 PM
Received a very dodgy-looking eMail. It also had two attachments, one .txt and one .bat !! Saved the eMail to disk and scanned it with both AVG and NAV; no virus was detected. Saved the two attachments to disk. Opened the .txt file with Notepad and it was just a list of links. Changed the .bat extension to .txt (with a view to reading its contents) and AVG then jumped in with KLEZ VIRUS WARNING. Dealt with all of that, no virus got in and have a clean system.
Now I had thought that scanning the EMAIL would have picked up a virus in the eMail and ALSO in its attachments - but this was obviously a potentially disastrous mistake. So what I am asking is this:-
When both NAV and AVG scanned the eMail, were they just scanning for malicious scripts in the eMail's HTML or what else were they doing? And, was I foolish to presume that the attachments were OK, without having scanned both of them individually? Not that I would ever have run/opened an unidentified batch file anyway.
ranchdog
08-01-2002, 07:51 PM
New method of delivery?
AVG should carry updates that are current enough to have picked it up with an incoming e-mail scan.
Makes me wonder why the double attachment. The .bat file must have been a tag along off of someone's address book.
RD.
sea69
08-01-2002, 07:56 PM
that's why I have OE6 set to NOT allow attachments at all.. if you need to send one to me you need to let me know in advance.
also, that is why I don't install AVG (or another av-app) because they don't really catch anything anyway until it is already in a position to harm you.
{{my opinion}}
I do however take advantage of the online scan once a week.
;)
Hmmm....seems like Klez is just getting nastier and more persistent all the time.
These days being online is almost like living in a medieval city...it is very likely that you will get somebody's chamberpot dumped on you if you aren't careful....
I know I did not run McAfee's background monstrosity but I seldom get any attachments. I am running AVG now and I don't notice much of a hit in the resource/speed department. So I go with it. Haven't really caught much with it yet, once I did end up with nimda in my TIF, but since that is on a RAM disk there wasn't much worry about it. AVG did catch that one. If it is caught before it has installed the AV has done its job.
Anyway, Paul, do you have AVG set to scan .bat files?
And was the bat file a double extension file?
Paul Komski
08-01-2002, 10:16 PM
NAV was about 2 months out of date. AVG was bang up to date and set to "Test ALL Extensions" (including "Internally Compressed", "Archives", "Integrity Check" and "Heuristic Analysis"). The double attachment combo of a .bat file (the virus) with a file taken at random from the originating pc and renamed is the normal setup for Klez.
Not sure about the double extension, it was something like abc.32.bat or just abc32.bat. I got such a shock (wasn't expecting it after the negative scans) that I just went straight ahead and deleted all the saved attachments, the emails etc, etc, did two full system scans, searched the HDD and the registry for wink and *wink* and re-read the info from Symantec.
The only reason I didn't delete it straight off was that the subject line was undeliverable mail from my own domain webmaster (this is a known ploy of Klez - I now know). Also I have been having problems getting mail forwarded to just that eMail address from the Domain Hosts (cgi/perl on a unix platform) so I thought this was one of my own test eMails which had finally bounced; the rest had gone off into space somewhere. I also know the source since the eMail address doesn't appear on the website HTML and only once had I used it to send mail myself. They have been informed!!
I had also peeped at the message headers before doing anything at all but of course the From: eMail addy was a forgery taken from the sending pc's address book.
AVG did its job OK - but only partially so. The initial negative scans lulled me into a false sense of security; if I had scanned the attachments individually then I guess both NAV and AVG would have got it in one. I'll never know what would have happened if I had just opened the .bat file!!! Some fireworks maybe. :D
Final thought is that some variants of Klez can activate the virus on viewing/previewing - others don't. I can only guess that the absence of such script in mine was why, not only did the virus not activate, but was why the a/vs didn't detect it at stage 1. I wish now I had zipped-up a copy or at least copied the text of the headers, because I would like to re-read all the message source more carefully.
It is a really dangerous menace and got through ZA, NAV, AVG and Hotmail's own A/V before it was pounced-on when I tried to see what it was made out of! :D
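Paul's lesson, that the mail-level scan passed while the attachment itself was the carrier, is easier to act on if the attachments are pulled out of the saved message and examined one by one. As an added example (not code from this thread), the Python below splits a saved message into its MIME parts, flags executable and double extensions like the ".bat" case above, and hashes each attachment so it can be scanned individually; the message, addresses and file names are constructed.

```python
# Added example (not the thread's own code): split a saved message into MIME
# parts so each attachment can be scanned on its own. The message is constructed.
import email, hashlib
from email import policy

RISKY_EXTS = {"bat", "exe", "com", "pif", "scr", "vbs", "js", "cmd"}

# Constructed sample: text body plus a .txt and a .bat attachment.
RAW_MESSAGE = b"""\
From: webmaster@example.invalid
Subject: Undeliverable mail
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Your message could not be delivered.
--BOUNDARY
Content-Type: text/plain; name="links.txt"
Content-Disposition: attachment; filename="links.txt"

http://example.invalid/one
--BOUNDARY
Content-Type: application/octet-stream; name="abc32.txt.bat"
Content-Disposition: attachment; filename="abc32.txt.bat"
Content-Transfer-Encoding: base64

QGVjaG8gb2ZmDQpyZW0gY29uc3RydWN0ZWQgc2FtcGxlDQo=
--BOUNDARY--
"""

def classify(filename):
    """Reasons an attachment deserves an individual scan (empty = none)."""
    parts = filename.lower().split(".")
    reasons = set()
    if parts[-1] in RISKY_EXTS:
        reasons.add("executable-extension")
    if len(parts) > 2:
        reasons.add("double-extension")
    return reasons

def extract_attachments(raw):
    """Return (filename, sha256, reasons, size) for every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""  # decodes base64 payloads
        out.append((name, hashlib.sha256(data).hexdigest(), classify(name), len(data)))
    return out
```

Each tuple gives a file name to write out and a hash to compare against the scanner's own report, so a negative result on the whole message is never taken as covering the parts.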
Vic 970
08-02-2002, 02:49 PM
Hi paul,
I had one a while ago, & as soon as it arrived in my inbox AVG popped up with a message 'suspicious file' (or something) and an 'ok' button.
I didn't know what to do, & eventually had to click the ok button to clear the screen. There was no other mention of it.
Eventually I found the attachment 'encrypted' in the AVG vault.
The e-mail itself was ok.
AVG had done its job, just a pity that the pop up didn't tell me what it had done.
david eaton
08-02-2002, 06:15 PM
Paul, have you checked the settings in AVG? If you look in Control Center, E-mail advanced settings, there is an option to certify mail both incoming and outgoing. There is then an option to scan attachments. Seems to be turned off by default but I'm not sure of that as it's a long while since I installed it.
David
Paul Komski
08-02-2002, 06:53 PM
Both scan incoming and outgoing (plus certification) were and have always been enabled. The "with attachments only" box was left unchecked; so that it would scan ALL eMails, both with and without an attachment. Nice thought though.
And yes, btw, it was downloaded using OE from a Hotmail Inbox. Also my OE Security settings are set to restricted sites; the restricted sites are definitely also set to prevent any Scripts or ActiveX controls, etc. from running and the preview pane is disabled.
I tell you; this is one sneaky son-of-a-b! Maybe it IS a new variant - I am cautious (to the point of paranoia with respect to viruses) and I thought I was well protected; and YET it so nearly got me! It wouldn't have had a sniff at all though, if I hadn't actually been expecting an undeliverable mail and wasn't by nature nosey about how things work. :D
sea69
08-02-2002, 06:56 PM
to know.
thanks
(as you can see I have been following this thread)
;)
:p
Paul Komski
08-02-2002, 07:02 PM
A bloodhound AND an absence of flies! ;)
PS Vic; nothing in my AVG vault; completely hollow.
sea69
08-02-2002, 07:06 PM
:D
Vic 970
08-02-2002, 08:11 PM
Maybe it shows the state of battle between virus & antivirus.
Paul Komski
08-02-2002, 08:39 PM
I have eMailed Grisoft and will report back if they have any answers/ideas.
ErnieK
08-08-2002, 06:50 PM
Paul
Have you tried using Jason Levine's "Script Sentry"? Sits in the background and uses no resources until it springs to life with a warning. Just select every box you can find in the configure section and it catches everything that LOOKS suspicious. Will not conflict with any other AV prog. Works with MS Word etc as well.
Go here to download it.
http://www.jasons-toolbox.com
Paul Komski
08-08-2002, 07:58 PM
Ernie I just so hate it when someone recommends another bit of software to try-out: (J/K :D J/K). Coz I just have to go and try it out!!
Truth is that very soon it will only be safe to run text mail and never accept attachments. Klez has rapidly become the most "successful" and widespread virus - I hate to imagine what the next "upgrade" may do.