Darn Viruses


FrankSG
11-24-2002, 08:59 AM
It used to be that I never got a virus through my e-mail. Well--almost never. But, for about the last 3 or 4 weeks I've been getting a lot of the Klez virus/worm. It causes no problem because my Norton virus program always catches them and quarantines them. But, I'm wondering why all of a sudden I get 1 or 2 each day. Sometimes I'll go a couple of days with out any, but on the average it's about 1 a day. Has anyone else been having the same experience? If not, is there any reason why I'm am getting hit so hard all of a sudden? Thanks.
Frank

YODA74
11-24-2002, 09:24 AM
Not sure?? Is this only happening on one e-mail addy? You may have to collect the info on who sent it and then send it to your ISP and tell them that it keeps looping back to your mail account?? As long as it has not infected your system then it is on their mail server?

It still would not hurt to go to your AV site and D/L the Klez removal tool just to make sure. Because Klez will mess with an AV program.

Hardtek1976
11-24-2002, 12:07 PM
Means of propagation:
Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. For example, if the worm encounters the address user@abc123.com it will attempt to send email via the server smtp.abc123.com.
From this link ---> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
In other words somebody (figuring who it is will be next to impossible) that has your email addy is infected with Klez.
___________________________________________
Ron

Paul Komski
11-24-2002, 03:49 PM
This is not infallible but will give you a good indication of the true origin of an eMail. (BTW Search Google for sites that deal with spam to look into this in more detail).

View the message source. (In OE, highlight the mail then from the File menu select Properties and click the Tab Details).

Then scroll till you see the normal mail headers, From, To, Subject etc. Then move up till you "hit" the first line that starts Received: (From the top down this will be the last of any starting Received:)

This line can have a number of formats but might look like this:-
Received: from ComputerName (something.iol.ie [194.165.XXX.XXX]) by fargo.iolfree.ie (8.9.3/8.9.3) with SMTP id ABC123456 for <yourname@yourisp.com>; Sun, 24 Nov 2002 20:05:34 GMT

The most relevant bit is in bold above. The IP address 194.165.XXX.XXX is where this Email originated. You may either recognise this or can look it up using reverse DNS.

If the mail has not been spoofed, the Computer Name will be the name of the originating computer and the domain iolfree.ie should match the IP address. If the originating ISP doesn't match the From: (or Return To:) Field then some forgery/spoofing has been perpetrated by someone or something.

If you get into a habit of checking out these details it becomes relatively easy to recognise your regular contacts' computer's eMails from these headers. It is very easy to spoof from, etc, but at some point the eMail must have been put onto the internet and the receiving mail server starts entering its data at that point. Subsequent transfers of mail on the internet will have additional Received: lines added by each server immediately above the previous one.

You may thus discover that the same computer is sending you the same virus repeatedly, etc etc. Bear in mind that if the computer dials up with a dynamic IP, the IP Address, and particularly the XXX.XXX, will be a little different each time.
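The header walk Paul describes, as an added example in Python (not code from the thread): take the bottom-most Received: line, pull out the bracketed IP and the reverse-DNS name, and compare that domain with the From: domain. The sample message is constructed here; the hostnames follow Paul's quoted header and the IP addresses are documentation placeholders.

```python
import email
import email.utils
import re

# Constructed sample, not a message from the thread: one relay hop stacked above the
# first-hop line Paul quotes, with documentation IPs (192.0.2.x) and a From: that
# claims a different ISP than the server that first accepted the mail.
SAMPLE = """\
Received: from fargo.iolfree.ie (fargo.iolfree.ie [192.0.2.20])
\tby mx.yourisp.com with ESMTP id XYZ789; Sun, 24 Nov 2002 20:06:01 GMT
Received: from ComputerName (something.iol.ie [192.0.2.10])
\tby fargo.iolfree.ie (8.9.3/8.9.3) with SMTP id ABC123456
\tfor <yourname@yourisp.com>; Sun, 24 Nov 2002 20:05:34 GMT
From: "A Friend" <friend@otherisp.com>
"""

def parse_received(header):
    """HELO name, reverse-DNS name, IP and receiving server of one Received: header."""
    fields = {"claimed": None, "rdns": None, "ip": None, "by": None}
    m = re.search(r"\bfrom\s+(\S+)", header)
    if m:
        fields["claimed"] = m.group(1)
    m = re.search(r"\(([\w.-]+)\s+\[([\d.]+)\]\)", header)   # the "(host [ip])" part
    if m:
        fields["rdns"], fields["ip"] = m.group(1), m.group(2)
    m = re.search(r"\bby\s+(\S+)", header)
    if m:
        fields["by"] = m.group(1)
    return fields

def domain_tail(name, labels=2):
    """Last two DNS labels, e.g. something.iol.ie -> iol.ie (a rough heuristic)."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def origin_report(raw_message):
    """Bottom-most Received: header (first server to accept the mail) compared with
    the From: domain. A forger can pre-insert fake lines, so this is an indication."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received", [])
    if not received:
        return None
    hop = parse_received(received[-1])   # lowest line in the source == first hop
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    seen = {domain_tail(n) for n in (hop["rdns"], hop["by"]) if n}
    hop["from_domain"] = from_domain
    hop["spoof_suspected"] = bool(from_domain) and domain_tail(from_domain) not in seen
    return hop
```

Feed it the text from the Details tab (copied into a file) and the returned IP is the one to look up with reverse DNS or a whois page.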

FrankSG
11-24-2002, 07:48 PM
Next time I get one--and I know I will within the next day or so, I'm going to see if I can trace it back to its origin. On the ones that I had, after Norton quarantined them, I deleted them. I have Outlook Express, so I then went into my Deleted Items and permanently deleted them. Thanks for your input.
Frank

Paleo Pete
11-24-2002, 09:41 PM
UXN Spam Combat (http://combat.uxn.com/) has a very good lookup page, there you can lookup IP Addresses or domain names just about every way you can think of.

Klez is still one of the most prevalent viruses out there, and is still making its way into computers every day. It spoofs the address it was sent from, so it actually comes from one person's computer but says in the headers it came from another. So as mentioned above, someone who has you in their address book has Klez on their computer. Every time they get on the Internet it sends itself out to their entire address book, including you.

Two things you can do to help make your machine a bit safer...

1. Open Outlook Express and turn off the preview pane by going to View\Layout in the menu bar, and unchecking the box that says Show Preview Pane. Klez and a number of other viruses can be activated by viewing in the preview pane, that's how Klez hit our shop a couple of weeks ago.

2. Add a new contact in your address book, give it a name like 00000!01 0001 or similar, just so it's mostly zeros and will be the very first contact in your list, then DO NOT give it an email address, just the name and that's it.

If a virus does infect your computer, it can't send itself to everyone you know because it can't send itself to that first contact. It has to finish sending to that one before it can send to any others, and with no email address to send to, it hangs at that point.

This trick works quite well, I added a similar contact to my father's computer long ago, and about a month ago when Klez infected his machine, nobody in his address book was hit. I would have gotten a copy, and the rest of my family, I checked and they were all clean.

His computer still was infected, I removed nearly 100 infected files with an AVG rescue disk, plus the EL Kern virus, which Klez often drops, but it was not able to send itself any further, so he did not participate (however unwittingly) in the spreading of the virus. He liked that...His preview pane is now turned off, he likes that too...

Budfred
11-24-2002, 09:57 PM
I was getting attacked by Klez frequently a few months ago, someone who had my address was infected. I use MailWasher, so I just learned to recognize the signs of a Klez message and deleted them before downloading. I only accidentally let one through and Norton AV caught that. You might want to think about using MailWasher or a similar program to reduce the threat and the hassle.

You can find it here:

http://www.mailwasher.net/

Budfred

FrankSG
11-27-2002, 05:39 PM
I got another one today. I looked at the message source and it appears to be coming from someone who has a Road Runner account from Western Ohio. I also have Road Runner with Western Ohio. So it's probably coming from someone in my area. I sent the information (what appeared to be the IP address, etc.) to Security at Road Runner. Hopefully they will be able to track it down for me.

Budfred
11-27-2002, 07:21 PM
It is probably going to turn out to be a friend of yours or at least somebody who has you in their mailing lists. The people who distribute Klez or similar virii are guilty only of not adequately protecting their own systems from infection. These malware programs steal the email addresses and distribute themselves to the person's friends and acquaintances without their knowledge.

Budfred

Paul Komski
11-27-2002, 07:48 PM
You might get a match from old eMail headers if you have old emails saved. Tedious if you have a lot of contacts that might fit the bill - and if RR got the mail headers they should be able to trace it OK.

Any PC anywhere that has your eMail addy on it (and not just in the address book) could have been the originating PC - but the most likely is from one that has you as a contact in it or that has had multiple forward to: addresses sent to it (with yours included in the list of course).

FrankSG
12-05-2002, 08:48 AM
Well--I think I'm just going to "live with it" since my anti-virus program catches it and quarantines it--and it's really not doing me any harm except for the fact that it ticks me off. I sent a message to Road Runner and they responded with some sort of an automated response which said they would get back with me. A couple of days later I got another automated response with words something like "We're sorry but if the problem did not initiate from our end, there is nothing we can do." I sent them another message along with a copy/paste of all the text that I found in Message Source. I said to them that it appears that it did come from someone who is with Road Runner. I've gotten no further response from them. So it appears that either they *can't* or *won't* do anything about it. So I'm just going to let it go and accept it as "one of those things". Next time I get one, I'm going to try and smile instead of saying "Oh s---" Thanks to everyone who had some input on this.
Frank :) :) :) :)

Budfred
12-05-2002, 08:31 PM
I'd still really urge you to use MailWasher or something like it. It makes it a lot easier and safer than relying on the AV software to catch it. Also, I think it is kind of fun to bounce SPAM.:D

Budfred

FrankSG
12-06-2002, 07:56 AM
I'm going to download mailwasher and give it a try. Even though I don't get too much Spam, it sure would give me a good feeling to be able to bounce it back. Thanks.
Frank

FrankSG
12-06-2002, 10:11 AM
I went to that web-site for MailWasher. I noticed that they have two versions. One is the Stable version 1.33, and the other is their Beta version 2.0.19. I downloaded both files but have not installed either one yet. Which one do you use? If you use the Beta, is it working OK?
Generally, I don't use Beta versions--sometimes I do but usually I don't. However if you are using it without any problems, I think I'll go ahead and use that one.
Frank

mjc
12-06-2002, 10:52 AM
Let me put it this way......I believe that Mailwasher's betas are more stable than OE6.

More often than not, with Mailwasher, the betas are just making sure that the new features are actually working as desired, not to see if they are working at all. There are just so many variables that the developer can't test them all, but he knows the features should work ok in a standard setup. The most common problem is with the Hotmail feature or the bounce option, but many times the bounce problems are not really a MW problem but that the ISP doesn't allow the user to bounce...

Budfred
12-06-2002, 10:56 AM
I have been using the Beta, but it has been having some problems in just the last couple of days. I get a notice saying the bounce has failed. Since it deletes it anyway, I haven't really worried about it, but I plan to investigate further this weekend. I changed some settings last weekend, so it may be my fault. You might want to start with the old tried and true version though.

I only get one or two SPAM a day, but I hate even that, so I love to bounce it. This is on my email account where I have done eBay business and the SPAM seems to come from that association. I figure I will eventually shut it down and open another, but I am not done with selling my comics on eBay yet.

Budfred

Paul Komski
12-06-2002, 10:01 PM
Not every mail is bounceable!