
Where's my virus?

Discussion in 'Security and Privacy' started by Tom J, 2002/11/29.

Thread Status:
Not open for further replies.
  1. 2002/11/29
    Tom J

    Tom J Inactive Thread Starter

    Joined:
    2002/04/06
    Messages:
    19
    Likes Received:
    0
    Yesterday, I got an email from a friend which turned out to be a bogus message, a badly written ad (text only) for a defense against the Klez E virus if you clicked on a link (which I didn't). Sure enough, the friend phoned later to say he had the virus and it sent out emails to everyone in his address book. When I ran a scan with my a-v program (AVG), it found four files infected--not by Klez E, but by a trojan horse called MusicSearch. I did an on-line scan which also found no virus, Klez E or otherwise.

    Two questions:

    1) If I got an email generated by the virus, why didn't I get the virus? Did I have to click on the link to get it?

    2) I've searched high and low for information on MusicSearch trojan horse, but can't find any, other than a website with that name. Has anyone here heard of it?

    Thanks.
     
  2. 2002/11/29
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Either the infected attachment was stripped away by a mail server prior to reaching you or Klez (as is sometimes the case) did not append itself to the mails which it caused to be sent out.

    I have never heard of the Trojan you mention and the only references to it which I can find are from AVG users! Maybe AVG is returning a false positive. Download and run Tauscan and see whether anything untoward is detected.
     


  4. 2002/11/29
    Tom J

    Tom J Inactive Thread Starter

    Joined:
    2002/04/06
    Messages:
    19
    Likes Received:
    0
    Hi Brett. I scanned with Tauscan and it found nothing. It was quite an evening last night. First I thought I had a nasty virus, then I thought I'd had a trojan. Turned out I had neither.

    Thanks for your reply and suggestion, and I have another question if you don't mind. I assume that I wouldn't get the virus by just opening the email. I would have had to click on the link, in my case, or open an attachment before the virus could open in my computer. Is that right?
     
  5. 2002/11/29
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    That's not entirely accurate. Don't know what email program you're using, but if the mail is an .exe file it can infect. If using OE, the preview pane acts as if you are opening the mail, so you can get it without "opening". If in doubt, delete it. Mailwasher is a great program because you can preview/look without it ever getting to your computer.
     
  6. 2002/11/29
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    TomJ - very likely that ad for Klez protection was the one that has been floating around for a few months now. It is infected and is being used as a way to spread Klez to folks w/o AV protection.

    I've gotten them with their virus payload and some without. I have to assume the "without" ones got cleaned at some point along the line but not deleted.

    Matter of fact, I got two or three yesterday after not seeing any for nearly a month.
     
  7. 2002/11/29
    Tom J

    Tom J Inactive Thread Starter

    Joined:
    2002/04/06
    Messages:
    19
    Likes Received:
    0
    Aleekat, I've got Outlook Express 5. It turns out I've been using the preview pane and didn't know it. I guess I wasn't actually opening the emails, just previewing them (maybe that's why I didn't get a virus warning). Also, I'm no expert by any stretch, but I didn't think an email message could be sent as an .exe file. I can't get my thick head around that. Also #2: I've had Mail Washer for a while now to bounce spam, but not for previewing. Now that I've gotten virus-bearing mail, I will check out the preview option.

    Newt,

    "I got two or three yesterday after not seeing any for nearly a month."

    You must be in my friend's address book. :)

    I'm surprised that some mail servers will clean virulent emails. It kinda restores my faith in humanity...sort of.

    Thanks for replying, everyone. Hope you all had a great Thanksgiving.
     
  8. 2002/11/30
    swedane

    swedane Inactive

    Joined:
    2002/11/30
    Messages:
    1
    Likes Received:
    0
    Re: I've got Outlook Express 5.

    Sorry for butting in!!

    The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained.

    W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

    The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.

    Removal tool:
    Symantec has provided a tool to remove infections of all known variants of W32.Klez and W32.ElKern. Click here:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html then scroll down to "To obtain and run the tool".

    The person sending you the Virus better clean his/her computer or you'll continue receiving it!!

    Good Luck!
     
  9. 2002/11/30
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Sure..... If you never applied the patch that has been available for many months..... If you keep your system up-to-date, there's hardly any chance of this happening though....
     
  10. 2002/11/30
    Tom J

    Tom J Inactive Thread Starter

    Joined:
    2002/04/06
    Messages:
    19
    Likes Received:
    0
    Hi Swedane,

    Thank you for the info. Yes, my friend went to the Symantec site as soon as he knew he had Klez and wiped it off his system. He then went out and bought an a-v program because he didn't have one, which I was really surprised to learn since this is the third virus he's picked up.

    One thing I noticed about the virus-generated email was the difference in the "From" column in the inbox. Normally, the inbox would say "From John Smith" (example), but in this case, the virus used the name from the address: "From jsmith ".
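
A mail-triage check for the signals raised in this thread (an executable attachment, and a From header that carries only the address with no display name), as an added example that is not part of any poster's reply. The sample message, the extension list, the content-type comparison and the function name are all constructed for illustration.

```python
import os
from email import message_from_string, policy
from email.utils import parseaddr

# Extensions Windows will run when opened (illustrative list, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs"}

# Constructed sample: address-only From, executable name, non-application type.
SAMPLE = """\
From: jsmith@example.com
To: tom@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Protect yourself against Klez.
--b1
Content-Type: audio/x-wav; name="fix.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="fix.exe"

AAAA
--b1--
"""

def triage(raw):
    """Return a list of reasons to hold a raw RFC 822 message for review."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    if addr and not display:
        findings.append("From has no display name: " + addr)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and containers carry no filename
        if os.path.splitext(name)[1].lower() in RISKY_EXT:
            findings.append("executable attachment: " + name)
            # Added heuristic: a declared media type that disagrees with the name.
            if part.get_content_maintype() != "application":
                findings.append("type %s hides executable %s"
                                % (part.get_content_type(), name))
    return findings

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print(reason)
```

A missing display name on its own is weak evidence, since many legitimate senders omit it; treat it as a reason to look closer, and the attachment findings as the reason to quarantine.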
     