RE: [LIB] Klez/etc

2002-07-31 Thread neil barnes

Date: Wed, 31 Jul 2002 07:48:58 +
From: "neil barnes" <[EMAIL PROTECTED]>
Subject: RE: [LIB] Klez/etc


>Date: Wed, 31 Jul 2002 08:41:12 +0800
>From: Raymond <[EMAIL PROTECTED]>
>Subject: RE: [LIB] Klez/etc
>
>At 10:15 AM 30/07/2002 -0700, you wrote:
>>Date: Tue, 30 Jul 2002 10:08:28 -0700 (PDT)
>>From: Charles Hawtrey <[EMAIL PROTECTED]>
>>Subject: RE: [LIB] Klez/etc
>>
>>
>> > From: "Lines, Nick" <[EMAIL PROTECTED]>
>> >
>> > The point has been made many, many times, but the way viri like these
>> > sods
>> > now work is to not only send mail TO everyone in a contact list in
>> > Outlook,
>> > but also set the FROM address to be someone in the outlook address book.
>>
>>Unless I'm missing something, isn't the obvious solution "don't use
>>Outlook"?  Regardless of Outlook's intrinsic merits or demerits, it's by
>>far the most popular target for viruses of any email program.  So why not
>>use something else?
>
>The problem isn't that WE are using Outlook. The problem is that whoever is 
>INFECTED is using Outlook and unfortunately has Nick's (or whoever's been 
>spoofed's) email address in THEIR address book. That's the problem with 
>this virus, it pretends to be from other people (in this case it pretends 
>to be from Nick) so the actual infection is a lot harder to trace, 
>especially if the email servers along the way don't mark the email. I could 
>be using the Pine mail client and Nick could be using the Elm mail client 
>(both about as virus proof as you could get as far as this sort of stuff is 
>concerned) but if a salesman who's got both our emails is using Outlook and 
>is infected, Nick could get a flood of Klez virus emails that look like 
>they're from me and vice versa, and if the email servers along the way 
>don't mark the emails, he'd have no way of knowing they were NOT from me 
>(unless of course he knew that the Klez virus actually does this).

Agreed - those of us who *don't* use Internet 
Exploder and Lookout are pretty confident that we didn't originate this. :)

Though I'm being careful not to point any fingers without evidence (there's 
certainly no evidence that it's come from Nick), and it's damn hard to find 
anything that these viruseseses leave behind them, apart from damage...

Klez and/or Nimda are smart enough to examine the hard drive - in particular 
the explorer cache - to find useful addresses, apparently.

Neil





**
http://libretto.basiclink.com - Libretto mailing list
http://www.silverace.com/libretto/ - Archives

 ---TO UNSUBSCRIBE---
Reply to any of the list messages. The reply mail should be
addressed to: [EMAIL PROTECTED] - Then replace any text
on the message's subject line: cmd:unsubscribe
 ---TO UNSUBSCRIBE DIGEST---
Do above but with this on subject line: cmd:unsubscribe digest
**





RE: [LIB] Klez/etc

2002-07-30 Thread Matthew Hanson

Date: Wed, 31 Jul 2002 05:00:24 +
From: "Matthew Hanson" <[EMAIL PROTECTED]>
Subject: RE: [LIB] Klez/etc

>From: Raymond <[EMAIL PROTECTED]>
>
>In fact, it just occurs to me, this virus isn't Outlook specific anyway. It 
>has its own email sending code so once it infects a computer, it looks for 
>ALL address books regardless of if you use Outlook, Eudora, Netscape or any 
>webmail service (assuming you've got a cached local copy of your address 
>book) and spoofs one to send to the rest.

Not only address books, it goes through many (all??) other of the system's 
files looking for email addresses:

http://bulletin.ninemsn.com.au/bulletin/eddesk.nsf/All/A3D3842B1C03DC94CA256B640019A051

"Once Klez has infected you it scours your computer's hard drive looking for 
email addresses. The addresses don't need to be anywhere in particular; they 
might be in a word-processing document, a memo or even in your email address 
book."

I wonder if Klez is gleaning email addresses from the temporary Internet 
files dir: C:\Windows\Temporary Internet Files

For kicks I did a search on that folder and subs for my email address and 
came up with 65 results.  I noticed that Hotmail leaves files there named: 
getmsg[#].html.  So I did a search there for getmsg*.html, then sorted them 
by time/date, and came up with Hotmail messages from the list from the 
following list members:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Now I can reason out how my address and Ehud Barak’s email address may have 
been found on the same computer if Klez is able to go through more than just 
an email program’s files.  Some NetVision user and list member could have 
been reading a local newspaper article online.

S(M)









RE: [LIB] Klez/etc

2002-07-30 Thread Raymond

Date: Wed, 31 Jul 2002 08:48:56 +0800
From: Raymond <[EMAIL PROTECTED]>
Subject: RE: [LIB] Klez/etc

At 05:45 PM 30/07/2002 -0700, you wrote:
>Date: Wed, 31 Jul 2002 08:41:12 +0800
>From: Raymond <[EMAIL PROTECTED]>
>Subject: RE: [LIB] Klez/etc
>
>At 10:15 AM 30/07/2002 -0700, you wrote:
>>Date: Tue, 30 Jul 2002 10:08:28 -0700 (PDT)
>>From: Charles Hawtrey <[EMAIL PROTECTED]>
>>Subject: RE: [LIB] Klez/etc
>>
>>
>> > From: "Lines, Nick" <[EMAIL PROTECTED]>
>> >
>> > The point has been made many, many times, but the way viri like these
>> > sods
>> > now work is to not only send mail TO everyone in a contact list in
>> > Outlook,
>> > but also set the FROM address to be someone in the outlook address book.
>>
>>Unless I'm missing something, isn't the obvious solution "don't use
>>Outlook"?  Regardless of Outlook's intrinsic merits or demerits, it's by
>>far the most popular target for viruses of any email program.  So why not
>>use something else?
>
>The problem isn't that WE are using Outlook.

In fact, it just occurs to me, this virus isn't Outlook specific anyway. It 
has its own email sending code so once it infects a computer, it looks for 
ALL address books regardless of if you use Outlook, Eudora, Netscape or any 
webmail service (assuming you've got a cached local copy of your address 
book) and spoofs one to send to the rest.

Of course, if you only telnetted into the mailserver and kept your address 
book on a remote computer (preferably Linux/Unix/something not vulnerable 
to Klez) then you couldn't be the source of the infection but that STILL 
doesn't stop someone else's infected computer from sending emails in your 
name ... *sigh*


- Raymond

---


/~\
| | "Does fuzzy logic tickle?"|
|   ___   | "My HDD has no reverse. How do I backup?" |
|  /__/   +---|
| /  \ a y b o t  |  [EMAIL PROTECTED] |
| |  Need help? Visit #Windows98 on DALNet!   |
| ICQ: 31756092   | Libretto IRC channel #Libretto on DALNet! |
\~/









RE: [LIB] Klez/etc

2002-07-30 Thread Raymond

Date: Wed, 31 Jul 2002 08:41:12 +0800
From: Raymond <[EMAIL PROTECTED]>
Subject: RE: [LIB] Klez/etc

At 10:15 AM 30/07/2002 -0700, you wrote:
>Date: Tue, 30 Jul 2002 10:08:28 -0700 (PDT)
>From: Charles Hawtrey <[EMAIL PROTECTED]>
>Subject: RE: [LIB] Klez/etc
>
>
> > From: "Lines, Nick" <[EMAIL PROTECTED]>
> >
> > The point has been made many, many times, but the way viri like these
> > sods
> > now work is to not only send mail TO everyone in a contact list in
> > Outlook,
> > but also set the FROM address to be someone in the outlook address book.
>
>Unless I'm missing something, isn't the obvious solution "don't use
>Outlook"?  Regardless of Outlook's intrinsic merits or demerits, it's by
>far the most popular target for viruses of any email program.  So why not
>use something else?

The problem isn't that WE are using Outlook. The problem is that whoever is 
INFECTED is using Outlook and unfortunately has Nick's (or whoever's been 
spoofed's) email address in THEIR address book. That's the problem with 
this virus, it pretends to be from other people (in this case it pretends 
to be from Nick) so the actual infection is a lot harder to trace, 
especially if the email servers along the way don't mark the email. I could 
be using the Pine mail client and Nick could be using the Elm mail client 
(both about as virus proof as you could get as far as this sort of stuff is 
concerned) but if a salesman who's got both our emails is using Outlook and 
is infected, Nick could get a flood of Klez virus emails that look like 
they're from me and vice versa, and if the email servers along the way 
don't mark the emails, he'd have no way of knowing they were NOT from me 
(unless of course he knew that the Klez virus actually does this).


- Raymond

---


/~\
| | "Does fuzzy logic tickle?"|
|   ___   | "My HDD has no reverse. How do I backup?" |
|  /__/   +---|
| /  \ a y b o t  |  [EMAIL PROTECTED] |
| |  Need help? Visit #Windows98 on DALNet!   |
| ICQ: 31756092   | Libretto IRC channel #Libretto on DALNet! |
\~/









RE: [LIB] Klez/etc

2002-07-30 Thread Charles Hawtrey

Date: Tue, 30 Jul 2002 10:08:28 -0700 (PDT)
From: Charles Hawtrey <[EMAIL PROTECTED]>
Subject: RE: [LIB] Klez/etc


> From: "Lines, Nick" <[EMAIL PROTECTED]>
> 
> The point has been made many, many times, but the way viri like these
> sods 
> now work is to not only send mail TO everyone in a contact list in
> Outlook,
> but also set the FROM address to be someone in the outlook address book.

Unless I'm missing something, isn't the obvious solution "don't use
Outlook"?  Regardless of Outlook's intrinsic merits or demerits, it's by
far the most popular target for viruses of any email program.  So why not
use something else?

You know, "Doc, it hurts when I do this.."  
"Then don't do that!"







Re: [LIB] Klez/etc

2002-07-30 Thread Pres Waterman

Date: Tue, 30 Jul 2002 08:53:55 -0400
From: Pres Waterman <[EMAIL PROTECTED]>
Subject: Re: [LIB] Klez/etc

> BTW - At my end things are pretty well protected on Hotmail's McAfee scan
> of all attachments.  I also maintain no address book there.  X ... I've
> not received any infected email recently at my other online email accounts,
> nor to the address for my ISP mailbox.  I also use Eudora for my ISP mail, not
> any flavors of Outlook.  And since I just set up a new copy of Eudora
> recently, I don't have any addresses for any list member in its address
> book.


Remember, you need not have any address book at all... the virus pretends
it's YOU *if* YOUR address is in the infected person's book.

Put another way, I am sure it's not me because my in/ and outgoing mail is
scanned twice: in my machine, and in my proxy server. However, if someone
anywhere in the world has my address ( or, in this case, my previous address
not used since before Y2002 ) in their address book, and they get infected,
it appears to be from me, although it's not.

Thanks

Pres Waterman W2PW
c/o Patchogue Motors, Inc.
Long Island Ford and Kia dealer

GO BILLS!
©¿©











RE: [LIB] Klez/etc

2002-07-29 Thread Matthew Hanson

Date: Tue, 30 Jul 2002 04:56:02 +
From: "Matthew Hanson" <[EMAIL PROTECTED]>
Subject: RE: [LIB] Klez/etc

>From: "Lines, Nick" <[EMAIL PROTECTED]>
>
>The point has been made many, many times, but the way viri like these sods 
>now work is to not only send mail TO everyone in a contact list in 
>Outlook, but also set the FROM address to be someone in the outlook address 
>book.

Does anyone know if Klez or Nimda keep posting day after day after day?  I'm 
wondering if these non-list infected posts that are coming through 
mxout2.netvision.net.il are coming from one system, or a number of netvision 
users' systems.

BTW - At my end things are pretty well protected on Hotmail's McAfee scan of 
all attachments.  I also maintain no address book there.  X ... I've not 
received any infected email recently at my other online email accounts, nor 
to the address for my ISP mailbox.  I also use Eudora for my ISP mail, not 
any flavors of Outlook.  And since I just set up a new copy of Eudora 
recently, I don't have any addresses for any list member in its address 
book.

Matt







RE: [LIB] Klez/etc

2002-07-29 Thread neil barnes

Date: Mon, 29 Jul 2002 08:16:20 +
From: "neil barnes" <[EMAIL PROTECTED]>
Subject: RE: [LIB] Klez/etc


>Date: Mon, 29 Jul 2002 02:45:13 -0500
>From: "Lines, Nick" <[EMAIL PROTECTED]>
>Subject: RE: [LIB] Klez/etc
>
>The point has been made many, many times, but the way viri like these sods
>now work is to not only send mail TO everyone in a contact list in Outlook,
>but also set the FROM address to be someone in the outlook address book.
>
>So please can we stop the witch-hunt?  This list is, by and large, very
>computer literate and knows the dangers of opening an attachment called
>"seemygirlfriendshowernekkid.exe" from someone.
>
>All it takes is someone to think, "ah, Neil's a useful chap, I'll add him
>to my contacts", get something nasty and then for everyone else to wait for
>the fallout.  It ain't pretty.

As you say, Nick, it ain't pretty. But there are other issues, which is why 
I've taken up this here and the other (unrelated) problem with my ISP:

o *Someone* on the group, in all likelihood, has the virus. It behooves us 
to try and draw their attention to it, so that they can do something about 
it. The difficulty we're having is that people don't seem to have enough 
info to trace the original sender. I can't trace because hotmail doesn't 
maintain the header info - perhaps Daniel can unpick the original round of 
postings?

o I'm not convinced that *everyone* on this group is equally computer 
literate. For example, I'm much more of a hardware and low level type than 
others, who know pretty much all there is to know about (frex) the various 
Windows. People join the list for info - this is surely something about 
which they should be aware, no?

o Finally, I want to make sure that *I* don't end up TOSsed as a spammer. 
The only way to do that is to chase down and document the spam that has my 
name on it. Agreed, that's more of a problem for my ISP and the easynet 
account than here, but equally, so many people know and use the nailed 
barnacle account that I don't want to lose that. It doesn't take many 
complaints from people who *aren't* aware of the various viruses to lose a 
service.

So, I'd add my voice to Nick's: This is not, should not be, and if I have 
anything to do with it, will not become a witch hunt. However, I *do* think 
that we should try and locate where this virus came from, and disinfect it. 
This is not a question of blame, but of self preservation. If we take the 
attitude that 'oh, it's just a virus' then the scumbags have won. Not here.

Cheers,

Neil
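
The tracing problem discussed in this message (a spoofed From: line, with only the relay headers left to go on), as an added example that is not part of the original thread: it walks the Received: chain of a constructed message and reports the last sending host recorded by a mail server the recipient trusts. The sample message, the host names, the `trusted_by` set and the two-label domain comparison are all assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (reserved example names and IPs): From: names a user at
# isp-a, but the message entered the list server from isp-b's outbound relay.
SAMPLE = """\
Received: from mx.list.example (mx.list.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Tue, 30 Jul 2002 09:00:05 +0000
Received: from mxout.isp-b.example (mxout.isp-b.example [198.51.100.7])
\tby mx.list.example with SMTP; Tue, 30 Jul 2002 09:00:02 +0000
Received: from SALESPC (dialup-44.isp-b.example [203.0.113.44])
\tby mxout.isp-b.example with SMTP; Tue, 30 Jul 2002 08:59:58 +0000
From: "Neil" <neil@isp-a.example>
To: list@list.example
Subject: (constructed)

(body omitted)
"""

# "from HELO (rdns [ip]) by HOST" is a common Received layout, not the only one.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Parse Received headers, newest first (each server prepends its own)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def org_domain(host):
    """Crude organisational domain: the last two labels (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def trace(raw, trusted_by):
    """Find the last sender recorded by a server we trust; compare with From:."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    from_domain = sender.rpartition("@")[2].lower()
    handoff = None
    for hop in received_hops(raw):
        if hop["by"].lower() not in trusted_by:
            break  # older headers were written upstream and may be forged
        handoff = hop
    host = (handoff["rdns"] or handoff["helo"]) if handoff else None
    return {
        "from_domain": from_domain,
        "handoff_host": host,
        "handoff_ip": handoff["ip"] if handoff else None,
        # A mismatch is a lead on which network to notify, not proof of forgery.
        "mismatch": bool(host) and org_domain(host) != org_domain(from_domain),
    }
```

Headers older than the trusted boundary (here the `SALESPC` hop) are reported by servers outside the recipient's control, so the example stops at the boundary instead of treating them as evidence.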






RE: [LIB] Klez/etc

2002-07-29 Thread Lines, Nick

Date: Mon, 29 Jul 2002 02:45:13 -0500
From: "Lines, Nick" <[EMAIL PROTECTED]>
Subject: RE: [LIB] Klez/etc

The point has been made many, many times, but the way viri like these sods 
now work is to not only send mail TO everyone in a contact list in Outlook,
but also set the FROM address to be someone in the outlook address book.

So please can we stop the witch-hunt?  This list is, by and large, very
computer literate and knows the dangers of opening an attachment called
"seemygirlfriendshowernekkid.exe" from someone.

All it takes is someone to think, "ah, Neil's a useful chap, I'll add him
to my contacts", get something nasty and then for everyone else to wait for 
the fallout.  It ain't pretty.

Nick.


