View Full Version : Mr. Klez Still in town

08-07-2002, 10:06 PM
Just a little reading for those of you that forgot about our ol' buddy "KLEZ" (http://www.pcworld.com/news/article/0,aid,103259,00.asp)

08-08-2002, 01:07 PM
Hi jabarnutcase,

Yes a friend of mine had two klez h at the weekend.
Her comp just shut down auto for some reason.
So I explained to her how to upgrade and she's just done it.


08-21-2002, 07:51 AM
Hi Guyz, I know the feeling, wish I knew who the wise people are that have nothing better to do than invade peoples private domains, Netgate Crashers, If only one could imediately re direct viruses or is it viri back to their place of origin, wishful thinking I suppose I say all out war on crackpot Geeks.

08-21-2002, 11:09 AM
Good read about Klez...the only problem is too many people don't know/don't care enough to follow most of the steps outlined in the article (no preview, don't click on attachments...and most importantly, keep and update an AV)

08-22-2002, 12:39 PM
MJC Hi I have just accessesed my e-mail and low and behold a message from this forum adviseing me that a reply to my posting of yesterday was awaiting my perusal, then Norton advised against opening it because! you`ve guessed it Mr. Klez arrived. I have quarantined it and on exit will delete it, any suggestions Guys on what the hell and where the hell did it come from.
Looking forward to your comments

08-22-2002, 02:05 PM
It sounds like someone who reads this forum didn't like your comment about "crackpot geeks". :eek:

I had something similar happen on eBay when I gave negative feedback to a buyer who stiffed me and got porn SPAM in my email the next day. No way to prove how my email address got on their mailing list, but it was quite a coincidence. That is what prompted me to get MailWasher which has also kept me from getting Klezed a few times.


08-22-2002, 05:39 PM
I want to see that email....zip it up if you haven't already gotten rid of it and then contact me...(PM or email).

08-22-2002, 05:56 PM
I was KLEZed a couple of days ago. Don't know where it came from but it sure didn't take long to notice it. Within an hour of infection any and all programs that were opened became infected and failed to run. The only reason I even suspected a virus was that the programs didn't stay up long enough for me to read the error messages. Had to run a KLEZCleaner to get rid of it.

This is the first virus I've had in well over 5 years and it sure was a pain to get rid of.

08-23-2002, 07:10 PM
The plot thickens, just had another but zapped it, Klez again, Sorry MJC Norton advised against opening them so I scribbled them. Surley there must be amongst this August body a way of tracking down the author/s originators of this garbage and giving them a taste of their own medicine or worse! any way folks I am thinking of changeing my e-mail add, or something, I am certainly not going to free fall of the nearest sky scraper without a para glider. Budfred, pass that by me again, how I down load Mailwasher :mad: :mad:

08-23-2002, 07:23 PM
You should be able to download it at:


If you use it, check your mail from it and be aware that the main Klez files will weigh in at something like 135 megs and they usually really suspicious sounding titles, so you can often delete them before you let them onto your computer at all. There are smaller Klez emails, but I have been told that they are just splinters of the main program and they are harmless. I delete them anyway. The only one I let through was because the title looked like something that might have come from a buyer at eBay asking a question and I didn't know about the size thing. Norton AV caught it immediately and I deleted it from there, but I don't even want it to go that far.


08-24-2002, 08:58 AM
Thanks Budfred for the inf, MJC I think the virus appeard when the message to check out this site for a posting on the 21st inst re Mr klez etc, it obviously attached itself to the message, it was No. 0002 and when I accessed the site another one appeared No. 0004, Q. where are Nos. 1 and 2 :confused: Any ideas Guys that also means Dolls. It is a friendly non gender term. ;) Seriously this situation has to be curtailed and stopped. I have also been recieving requests from Nigerian and Sierra Leone to invest $Mega Bucks for them off shore where did they get my add. from, think I will hand it to the Brit Police.How can I stop this garbage???

08-24-2002, 11:40 AM
I really need the complete headers from one of the mesages from the here. I have gotten several emails from the site recently and they are clean....

The Nigerian spam scam is running rampant right now, the best thing is to submit them to the authorities, your ISP and maybe set up some filters to automatically delete them. The Nigerian Police have even set up a special site for it, but I will have to look up the addy....

08-24-2002, 02:12 PM
Yes, pretty strange. I have receieved many emails from the site lately about new posts, (Including several about this thread since I started it) and I have NEVER had a virus in any of them. Everything clean and a-ok!
It sure doesn't seem that a virus could be originating from the Guide or we would all be getting hammered with them, so something is happening along the way.
Of course, I am totaly paranoid about virus's- I have sure seen what they can do- So I follow not only all the advice from the PC World article, but other advice I have picked up here and other places.
One can't be too careful these days.

08-26-2002, 11:17 AM
Sorry guys, I am not implying the virusi came from the site, They must have attached some way or some how. They appeard at the same time. This is a great site, very interesting. Thanks for all assistance and comments, virusi/es just bug me. :mad: MJC, I just dispatched them into the garbage, where they belong without noteing the address, next time I will make notes.

08-26-2002, 01:29 PM
If you are using OE, make sure the preview pane is off and then right click on it and select properties => details => message source and the cut and paste the headers.....send me or post them here, that will help in tracking down where it came from.

Paul Komski
08-26-2002, 06:24 PM
Don't forget folks that if the infected mail "appeared" to come from here then it almost certainly did not; that's the way it implicates an innocent third party.

08-26-2002, 08:22 PM
I think it very likely that these people frequently read and keep up with P.C. Guide and others like it. I haven't had a virus in a while now(knock on wood) but the last on I did get had an interesting subject line "get a virus cleaner here." or something like that.:rolleyes:

Paul Komski
08-26-2002, 08:34 PM
Klez even sends itself as Klez Removal Tool. :mad:

08-26-2002, 09:11 PM
Yep- It mentions that in the PC world article...And a friend of mine got one! :eek: Nasty little buggers!

A little side note...I actually know people that brag about not using AV software and "Never having a virus"
HeHe..Guess what? That friend of mine that got the "Klez Removal tool" is now using NAV religiously! After a reformat that is...:eek: ;)

08-27-2002, 12:57 AM
There is one interesting point though, it seems that these mails where auto-responses to posts...very suspicious, to me at least.

And since this site is remotely hosted, not kept on a mchine in Charle's office, it is entirely possible that the email server has been compromised. That is why I am interested in what they where, yes I know that you did what was best for your system, but it would have been nice to see the headers.

08-27-2002, 06:30 PM
MJC, here is one for you . Cell Padding. From KAYLHAN@Hotmail.com. W32 Klez'MMVIRUS.COM. I forgot that I did make a note of it, hope it helps

08-27-2002, 06:53 PM
Here I am showing my ignorance again.
IF someone recieved a virus and suspected it came form the forums, you say that you would like to see the header etc. How could that be sent to you (or anyone) without passing on the infection? Or setting it loose on my comp? Could be others wondering the same, and would be handy knowledge for future reference

Paul Komski
08-27-2002, 07:30 PM
In OE. NO PREVIEWING OR OPENING. R-Click on the mail in its Inbox (or other folder) and select "Properties". On the Details Tab choose "Message Source". Maximise it if you want to; highlight and copy all the text that is there. This is the safe way to read a mail and its headers in OE.

With Popcorn, having seen the mails on the server remotely, you would just download the headers.

08-28-2002, 08:09 AM
Paul Komski, What is OE and Popcorn:( This thread is getting very interesting and informativeto my self at least haveing just qualied for a Comp/Tech Diploma

Mitch Hatfield
08-28-2002, 08:33 AM
On Paul's behalf, because I know he'll be out right now:

OE is Outlook Express which many Window's users have as their default Email manager. See below:


Popcorn is one of many alternatives to OE, although I don't think that it's freeware:

<Popcorn - Email Product Summary
... Guide Review. Small IS Beautiful I wish more software ... it excels at what it was built
for: accessing email ... Unfortunately Popcorn can only access one account at a ...

email.about.com/library/ec/pr/aapr_popcorn.htm - 42k - Cached - Similar pages


Hope this helps, but Paul may want to post as well:D :D

08-28-2002, 11:17 AM
Possible theory...

I was infected by KLEZ a couple of weeks ago. I checked one of my web-based accounts (dogmail.com) and found 2 messages that had been sent from my machine to this account. The messages were both around 125K and contained nothing but header information.

Without reading up on KLEZ and all of its mutations, is it possible that KLEZ could tap eudora files stored on a backup disk and distribute itself via those files?

08-28-2002, 11:51 AM
Possible, if Klez can grab the Eudora address book too..not sure about that one.

Also with any of the newer M$ offerings, that have a system restore feature, you need to disable the restore and clean out the files there in order to have a chance at totaly removing Klez. I am becoming more and more convinced the only way to deal with klez is to wipe the drive and start fresh, possibly even dumping backups made around the time of the infection. All the available cleaners for it just seem to fall short somewhere.

08-28-2002, 01:21 PM
At the time that I got it I was already in the process of scrapping the whole system. I had been experiencing system issues due to a corrupted win98SE install and had just finished backing up critical files when I received a file with KLEZ attached. I had to run a cleaner (NAV supplied) to get rid of KLEZ before I could kill the system. All of my backups are on CD so no chance of KLEZ getting on there. I couldn't even run my CD Burner software when I had KLEZ.

It crippled the system.

And if it is possible for it to read the Eudora Files (Not Address Book, but actual message files) then it might have been able to glean the PCGuide data from there.

09-02-2002, 01:57 AM
Klez is an e-mail spoofing virus.

Do any of your frinds also use forum?

Have you had a private e-mail from someone at the forum?

If so they have your e-mail address.

Lets say your friend John is Forum member. He has the Klez. Klez want's to send itself to you but it doesn't want you to know it came from John. So the little bugger sends you the e-mail with PC forum information.... pretty neat.

Want more info: click here (http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html)

09-02-2002, 11:50 AM
Hence my obviously idiotic question in another forum. Can e-mail add`s be ommitted from these forums. Believe it as you may that there are strange people from near and afar who just log onto various forums to create problems .To them it is the norm, to people like myself I think and so do many others who aggree with me that they are miss beguided to say the least and be very polite :(