Klez Virus: Don't Believe 'From' Line

[Guest guest]

: <http://www.wired.com/news/technology/0,1282,52174,00.html>

:

: Klez: Don't Believe 'From' Line

: By Delio

:

: 2:00 a.m. April 30, 2002 PDT

: Some Internet users have recently received an e-mail message from a dead

: friend. Others have been subscribed to obscure mailing lists. Some have

: lost their Internet access after being accused of spamming, and still

: others have received e-mailed pornography from a priest.

:

: They're actually experiencing some of the stranger side effects of the

Klez

: computer virus.

:

: These ersatz e-mails containing the virus are creating Klez-provoked

: arguments and accusations that are now spreading as fast as the worm

itself.

:

: The latest variant of the Klez virus started spreading 10 days ago. The

: virus e-mails itself from infected machines using a bogus " From " address

: randomly plucked from all e-mail addresses stored on an infected

computer's

: hard drive or network.

:

: Recipients of the virus-laden e-mails, not understanding that the " From "

: information is virtually always phony -- or even that they have received a

: virus -- have been clogging networks with angry and confused e-mails that

: are causing a great deal of cyber-havoc.

:

: People signing up for newsletters and mailing lists that they never

: subscribed to has been a major source of frustration for both users and

the

: list owners.

:

: If Klez happens to send an e-mail " from " a user to an e-mail list's

: automatic subscribe address, the list software assumes the e-mail is a

: valid subscription request and begins sending mail to the user.

:

: A mailing list for fans of the Grammy Award-winning Steely Dan band has

: posted an explanation directed to those who were subscribed to the list by

: the virus.

:

: " We are not infected with the Klez virus. We don't know if you are

infected

: with the Klez virus. You may be. But even if you are not, someone out

there

: who is infected has both your address and our address on their computer

....

: and therein lies the problem, " the explanation reads, in part.

:

: Even when users understand the source of newsletter-generated e-mails, the

: amount of mail some lists generate is causing problems.

:

: " Last week I suddenly started getting hundreds of e-mails, daily, with

: information about raising tropical fish, purchasing cosmetics and staying

: in youth hostels, " Victor Montez, a sales rep for a publishing firm, said.

: " I do not keep fish, wear makeup or travel rough. "

:

: Montez now understands the e-mails came from Klez-subscribed news lists.

: But he said that since his free e-mail account only stores a certain

amount

: of messages, he's lost access to the account twice this week. He believes

: he's also lost a significant amount of business-related e-mails.

:

: " If this keeps up, I may end up having to stay in hostels and I'll have

: plenty of free time to devote to raising fish, " he said.

:

: In some cases, it almost seems as if Klez is specifically targeting

: particularly vulnerable e-mail addresses onto which it can piggyback.

:

: E-mails containing an invitation to view what purports to be an attachment

: with pornographic images appears at first glance to have been sent out by

: Catholic parishes in New York and land. The attachment actually

: contains the Klez virus, and tracing information indicates the e-mails

were

: actually sent from an Internet service located in the United Arab

Emirates.

:

: " While we would obviously never choose to have our churches' names

: affiliated with such material, this is a particularly difficult time to

: have e-mail with obscene references -- which appear to have been sent by

: church staff -- circulating, " an archdiocese spokeswoman said, referring

to

: the worldwide sex abuse scandal.

:

: Other newsletter owners are also suffering. Some say their Internet

service

: providers have accused them of spamming non-members. Many ISPs cut service

: when they receive a certain amount of spam complaints.

:

: " I was reported to my ISP over a dozen times this week for spamming, " said

: Carlone, the manager of an e- mail newsletter for classic car

: enthusiasts. " My ISP threatened to pull my account after the third

: complaint and we went down shortly afterwards. It took four days to sort

: the problem out. "

:

: Fiber, maintainer of a Jewish folk music mailing list, said that

the

: list has been inundated with messages about widely off-topic subjects, so

: much so that Fiber wondered if most of his members had suddenly gone

: " meshuga (a little crazy). "

:

: But then Fiber began getting the complaints.

:

: " All of a sudden we had e-mails coming in from around the world, with

: people yelling we had sent them Klez, " Fiber said. " The thing is that

: 'Klezmer' is a type of traditional folk music which we often discuss on

the

: list and sometimes refer to as Klez. So I thought people were protesting

: about our folk music. It was very confusing for a while. "

:

: Some users have even reported receiving spooky e-mails from deceased

friends.

:

: " I belonged to a tattoo artists' list that closed down a few years ago.

: Last week, I began getting e-mails from the list. Even weirder, I got

eight

: e-mails with subject lines that read 'SOS' and 'Eager to See You' from a

: list member who died last year. It totally creeped me out, " said " Bear "

: Montego.

:

: Klez e-mails' subject lines are randomly chosen from a pre-programmed list

: of about 120 possibilities, including " Let's be friends, " " Japanese lass'

: sexy pictures, " " Meeting Notice, " " Hi Honey " and " SOS. " Klez also sends

: fake " returned " or " undeliverable " e-mails, advising the supposed sender

: that their original, refused e-mail is contained in the attachment.

: Clicking on the attachment triggers the virus. The virus can launch

: automatically when users click to preview or read e-mails bearing Klez on

: systems that have not been patched for a year-old vulnerability in

Internet

: Explorer, Outlook and Outlook Express. Klez only affects PCs running

: Microsoft's Windows operating system.

:

: As of Monday afternoon, Klez's spread seems to have slowed, but antiviral

: experts warn that the worm will be around for a while.

:

: " Anytime you have a virus that is not easily identifiable visually, it

: tends to linger, " Rod Fewster, Australian representative for antiviral

: application NOD32, said. " SirCam and Klez both vary the subject lines of

: the e-mails they send, which makes it hard for the average user to spot. "

: