Worm Klez.E immunity

Gerald Combs gerald at ethereal.com
Fri Oct 11 21:26:03 CDT 2002


On Fri, 11 Oct 2002, Kurt Kessler wrote:

> Funny that someone from Microsoft would post to a
> Linux users group. That and you would expect someone
> working for Microsoft to have a background in the
> English language. Oh, and what does Klez have to do
> with Linux anyway? :p 

The mail almost certainly did not come from someone at Microsoft.  It
appears to be Klez.H; see 

    http://www.f-secure.com/v-descs/klez_h.shtml

and

    http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

for more details.  It sends itself to everyone in the address book
on an infected machine, faking the From: address.  This particular
message apparently came from someone at synergy-networks.com who had
"mswsgulf at microsoft.com" in their address book:

    [207.227.243.140]) by pow.zing.org (Postfix) with ESMTP id 71BAD54AD0 for
    <gerald at zing.org>; Fri, 11 Oct 2002 19:58:41 -0500 (CDT)
    marauder.illiana.net (8.12.6/8.12.6) with ESMTP id g9BJkXHn012173 for
    <kclug-list at marauder.illiana.net>; Fri, 11 Oct 2002 14:46:33 -0500
    (8.12.6/8.12.1/Submit) id g9BJkXgx012171 for kclug-list; Fri,
    11 Oct 2002 14:46:33 -0500
X-Authentication-Warning: marauder.illiana.net: majordom set sender to
    owner-kclug at marauder.illiana.net using -f
    [63.75.167.9]) by marauder.illiana.net (8.12.6/8.12.6) with ESMTP id
    g9BJkWHn012167 for <kclug at kclug.org>; Fri, 11 Oct 2002 14:46:33 -0500
Message-Id: <200210111946.g9BJkWHn012167 at marauder.illiana.net>
    ([63.75.167.9]) with SMTP (MDaemon.PRO.v6.0.7.R) for <kclug at kclug.org>;
    Fri, 11 Oct 2002 20:50:44 -0400

> --- mswsgulf <mswsgulf at microsoft.com> wrote:
> >Klez.E is the most common world-wide spreading
> worm.It's very dangerous by corrupting your files.
> Because of its very smart stealth and anti-anti-virus
> technic,most common AV software can't detect or clean
> it.
> We developed this free immunity tool to defeat the
> malicious virus.
> You only need to run this tool once,and then Klez will
> never come into your PC.
> NOTE: Because this tool acts as a fake Klez to fool
> the real worm,some AV monitor maybe cry when you run
> it.
> If so,Ignore the warning,and select 'continue'.
> If you have any question,please mail to me.
> 
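The point made in the reply above (a forged From: address versus the relay trail recorded in the Received: headers) can be checked mechanically. This is an added example, not part of the original post; every hostname, address and IP in the sample message is constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the post); newest Received: header first.
SAMPLE = """\
Received: from lists.example.org (lists.example.org [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id ABC123
\tfor <user@example.net>; Fri, 11 Oct 2002 19:58:41 -0500
Received: from mail.sender-isp.example (mail.sender-isp.example [192.0.2.9])
\tby lists.example.org (8.12.6/8.12.6) with ESMTP id g9BJkWHn000001
\tfor <list@example.org>; Fri, 11 Oct 2002 14:46:33 -0500
From: helpdesk <helpdesk@bigvendor.example>
To: list@example.org
Subject: immunity tool

body
"""

# "from <helo> (<rdns> [<ip>])" or "from <helo> ([<ip>])" when no reverse DNS
# was found. The HELO name is chosen by the sender; rdns and ip are recorded
# by the receiving server.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)

def relay_hops(raw):
    """Return (from_domain, hops), hops ordered oldest first."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append({"helo": m["helo"].lower(),
                         "rdns": (m["rdns"] or "").lower(), "ip": m["ip"]})
    return from_domain, hops

def from_matches_origin(raw):
    """True/False if the oldest hop's rDNS name is/is not under the From:
    domain; None when there is no From: domain, hop or rDNS name to compare."""
    from_domain, hops = relay_hops(raw)
    if not from_domain or not hops or not hops[0]["rdns"]:
        return None
    rdns = hops[0]["rdns"]
    return rdns == from_domain or rdns.endswith("." + from_domain)
```

A False result is a hint to read the headers, not proof of forgery, since legitimate mail is often relayed through an unrelated provider. Only hops recorded by servers you trust are reliable; anything below them can be made up by the sender.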