
Klez...grrrrrrr!

Discussion in 'Security and Privacy' started by Panda, 2002/12/17.

Thread Status:
Not open for further replies.
  1. 2002/12/17
    Panda (Thread Starter)
    I've read as much as I can about this darn virus and know what it does, but I need some help here on something because I'm still a little :confused:.

    I have been getting the klez virus in my mail for several months now, and the return path always lists one name from my address book. Any time he sends me regular mail, here comes the klez one in another one. It always has one of the same 4 different subject titles. Of course, my Norton is catching them, but isn't this telling me that the other person has it and it keeps jumping out with his mail? I've been trying to work with him on getting rid of it, but to no avail, as of yet. He says he has Norton and he runs it weekly, but it has never told him that he has the virus. Could it be sneaking past Norton? I've told him to run the fixit tool but don't know if he's done that yet, let alone if it will work. I know there are at least 2 versions of the klez out there. I think what I need is some expert advice on how we can get rid of this BRAT!

    Thanks for any and all help.

    :)
     
  2. 2002/12/17
    compdude (Well-Known Member)
    Panda,

    The address that the email is coming from is not necessarily (and usually isn't) correct. Klez selects two addresses from the address book of the infected person. It uses one as the 'TO' and one as the 'FROM'. All this means is that the person who is infected has both you and your friend in their address book.

    The only way to truly determine who it is from is to look at the header information in the email. This may not exclusively identify a specific person but it will at least identify the domain that the email came from. Once you know the domain, you can let everyone in your address book that has that domain know that they may be infected.

    Hope this helps.
     

  4. 2002/12/17
    Panda (Thread Starter)
    Duh! Right. I remember reading that somewhere. It can be tricky finding out exactly where it comes from.

    Here is the header. Maybe you can help me figure out where it's coming from:

    Return-Path: <his-address>
    Received: from cm1.crystalmediatech.com ([207.158.138.66] verified)
    by front3.chartermi.net (CommuniGate Pro SMTP 3.5.9a)
    with ESMTP id 65372978 for (my-address); Tue, 17 Dec 2002 01:01:03 -0500
    Received: from Fvoaijwth (V8V9R8 [207.158.138.36]) by cm1.crystalmediatech.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id YR9SPA7F; Tue, 17 Dec 2002 01:00:11 -0500
    From: badguy <badguy@attglobal.net>
    To: (my-address)
    Subject: Have a new Christmas
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=A7D366rS22g1S3
    Date: Tue, 17 Dec 2002 01:01:05 -0500
    Message-ID: <auto-000065372978@front3.chartermi.net>


    And, this is the other one that came in today:

    Return-Path: <his-address>
    Received: from cm1.crystalmediatech.com ([207.158.138.66] verified)
    by front3.chartermi.net (CommuniGate Pro SMTP 3.5.9a)
    with ESMTP id 65372510 for (my-address); Tue, 17 Dec 2002 01:00:29 -0500
    Received: from Zdaeagcc (V8V9R8 [207.158.138.36]) by cm1.crystalmediatech.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id YR9SPA7C; Tue, 17 Dec 2002 00:59:45 -0500
    From: jimwest <jimwest@shelbynet.net>
    To: (my-address)
    Subject: Have a excite Christmas
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=QA951S4m1PoswSrFy588y12U71uV
    Date: Tue, 17 Dec 2002 01:00:29 -0500
    Message-ID: <auto-000065372510@front3.chartermi.net>


    I guess I could look up the domain #s and then send the postmaster a letter complaining?

    I'm just trying to clear this up and any help would be appreciated. Thanks.


    :)
     
    Last edited: 2002/12/17
  5. 2002/12/17
    compdude (Well-Known Member)
    Panda,

    Both emails came from the same domain, "Allegiance Telecom Companies Worldwide". Unfortunately, this is the same domain as the receiver. You can tell this because the first 3 nodes of the IP addresses are the same. You can check this by going here:

    http://www.arin.net/whois/index.html

    What this means is that someone who has the same domain as your friend, has both of you in their address book. Until everyone runs a virus scan/clean, your friend will continue to get the infected emails.

    Unfortunately, sending an email to the postmaster won't accomplish much. You're better off trying to contact the infected friend yourself. I had to deal with the exact situation and, although it took a couple of days, I was able to figure out who was infected. I just sent an email to each of my friends that were on the same domain that the emails were coming from and had them run a virus scan. The friend that was infected called me and asked "Do I have a virus scanner on my machine?" They had turned it off because they didn't know exactly what it was and a "friend" told them their machine would run faster if they turned off all the stuff in the tray. Big Help!!

    Hope this helps and good luck!
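The header tracing that the two posts above walk through by eye, as an added example that is not part of the thread and not anyone's posted code. It embeds the two headers quoted above as its input (constructed from the post, with the poster's "(my-address)" and "<his-address>" placeholders kept), reads the Received: chain from the bottom up, takes the originating IP from the earliest hop, and checks the From: domain against the relay that first accepted the message. The /24 comparison is compdude's "first 3 nodes" check done on a proper network mask; the hostname-to-domain helper just takes the last two labels, which is an assumption that holds for these hosts but not for every TLD.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed input: the two headers quoted in the thread, placeholders kept.
MSG_A = """Return-Path: <his-address>
Received: from cm1.crystalmediatech.com ([207.158.138.66] verified)
 by front3.chartermi.net (CommuniGate Pro SMTP 3.5.9a)
 with ESMTP id 65372978 for (my-address); Tue, 17 Dec 2002 01:01:03 -0500
Received: from Fvoaijwth (V8V9R8 [207.158.138.36]) by cm1.crystalmediatech.com
 with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id YR9SPA7F; Tue, 17 Dec 2002 01:00:11 -0500
From: badguy <badguy@attglobal.net>
To: (my-address)
Subject: Have a new Christmas
Message-ID: <auto-000065372978@front3.chartermi.net>

"""

MSG_B = """Return-Path: <his-address>
Received: from cm1.crystalmediatech.com ([207.158.138.66] verified)
 by front3.chartermi.net (CommuniGate Pro SMTP 3.5.9a)
 with ESMTP id 65372510 for (my-address); Tue, 17 Dec 2002 01:00:29 -0500
Received: from Zdaeagcc (V8V9R8 [207.158.138.36]) by cm1.crystalmediatech.com
 with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id YR9SPA7C; Tue, 17 Dec 2002 00:59:45 -0500
From: jimwest <jimwest@shelbynet.net>
To: (my-address)
Subject: Have a excite Christmas
Message-ID: <auto-000065372510@front3.chartermi.net>

"""

# One hop: "from <helo> (<rdns> [<ip>] ...) by <relay> ..."; the rDNS part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>\d+(?:\.\d+){3})\][^)]*\))?"
    r".*?\bby\s+(?P<relay>\S+)"
)


def hops(raw: str) -> list:
    """Received hops in transit order: hops[0] is the earliest, i.e. nearest the sender."""
    msg = message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            found.append(m.groupdict())
    found.reverse()  # each relay prepends its line, so the last one was written first
    return found


def origin_ip(raw: str):
    """IP that the earliest relay saw the connection come from. A relay records what
    it saw; lines the sending software writes itself can say anything."""
    h = hops(raw)
    return h[0]["ip"] if h else None


def domain_of(host: str) -> str:
    """Last two labels of a hostname (assumption: fine for these hosts, no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(raw: str) -> str:
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def first_relay_domain(raw: str):
    h = hops(raw)
    return domain_of(h[0]["relay"]) if h else None


def from_matches_origin(raw: str) -> bool:
    """True when From: belongs to the organisation whose relay first accepted the mail.
    Klez fills From: from a victim's address book, so for its mail this is usually False."""
    return from_domain(raw) == first_relay_domain(raw)


def helo_is_fqdn(raw: str) -> bool:
    """A mail client normally announces a dotted hostname; 'Fvoaijwth' is not one."""
    h = hops(raw)
    return bool(h) and "." in h[0]["helo"]


def same_network(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """compdude's 'first three nodes match' check, done on a /24 mask."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def common_origins(raws) -> set:
    """Origin IPs shared by every message: the machine to go looking for."""
    sets = [{origin_ip(r)} for r in raws]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for name, raw in (("A", MSG_A), ("B", MSG_B)):
        print(name, "origin", origin_ip(raw), "from", from_domain(raw),
              "first relay", first_relay_domain(raw),
              "from matches?", from_matches_origin(raw),
              "helo fqdn?", helo_is_fqdn(raw))
    print("shared origin:", common_origins([MSG_A, MSG_B]))
    print("origin in relay's /24?", same_network(origin_ip(MSG_A), "207.158.138.66"))
```

Both messages come out with the same origin, 207.158.138.36, handed to cm1.crystalmediatech.com, while the From: domains (attglobal.net, shelbynet.net) have nothing to do with that relay, which is the spoofing pattern compdude describes. A shared /24 with the relay's own address only says the sending machine sits in the same provider block; the ARIN whois lookup linked above, which this offline example does not perform, is what tells you whose block that is.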
     
  6. 2002/12/17
    Panda (Thread Starter)
    His friend told them to turn everything off in their task bar so things would run faster (which it does, I know)? UNREAL! I guess the 'friend' didn't know jack chit, did he? Poor guy.

    I see what you mean. I'm not sure how puter savvy he is, but I will try to explain it all to him and maybe he can track it down. Like I mentioned before, this little bugger is really tricky.

    I have that whois site bookmarked myself. I got it when I first got my cable modem and it was suggested to me when my firewall (a new dealing for me!) kept asking for permission for stuff I didn't recognize. LOL.

    Was just thinking how interesting it is the way they snake around. So, you are saying that someone in 'his' address book could have the virus and 'he' keeps resending it which means it's coming to me too? In other words, even though we both have virus scanners and they are stopping it from infecting us, it's still riding around looking for trouble? I wonder how far back we have to go to find this pest.

    Thanks for the tips and help.



    :)
     
  7. 2002/12/17
    compdude (Well-Known Member)
    Since both you and your friend have run virus scans and neither of you is infected, you are both OK. What it means is that a third person is infected and has both you and your friend in their address book. Until this person cleans their machine, you'll continue to get the virus.

    Just as a side note, the longer someone is infected with Klez, the more likely that you won't be able to recover. My friend was soooo infected that just about every .exe on their machine was infected. And since you can't clean Klez, only remove it, we had to fdisk and start over.

    As for removing the virus, you can follow the instructions on this page:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

    There are links for the removal tools on this page as well.
     
  8. 2002/12/17
    Panda (Thread Starter)
    Thanks, again, for all your help. I sent this link to my friend so he could see what all we chatted about and I told him to get back to me after he reads it and tell me what he thinks and what he's going to do. I'll try to come back with any results, good or bad.

    Thanks again so much!

    :)
     
  9. 2002/12/23
    Panda (Thread Starter)
    Sorry it took so long to get back here. Been playing with my new computer and time just slipped away. :D

    My friend had another friend come over to his place and they downloaded the klez repair kit and did a total cleanup, and it looks like they nipped it in the bud. I got a letter from him and no klez trail. Thanks for all the help and tips. He thanks you all, too.

    :)
     