[Meteor-Scatter] Klez worm infection

Giuliano Artico [email protected], [email protected]
Tue, 30 Apr 2002 19:40:59 met-1dst 

Dear friends,

in the last few weeks, I received several messages infected by the worm 
W32/Klez.H@mm (on this address and also on different mail boxes).

One of the messages received on this list has the subject
   "Worm Klez.E immunity"
and has an attachment named 353.PIF which is claimed to act as an 
immunity tool. Be careful before running it, since it looks to be a 
file infected by the same virus!

One more remark. All infected messages do *not* really come from the 
addresses appearing in their "From" field. Indeed the "Klez" worm, when 
is resident in the PC of some unaware people, is capable of simulating 
the transmission of messages from addresses which it can collect 
through various ways. The Symantec report about Klez says the following:

"...
   Because this worm does use a randomly chosen address that it finds
   on an infected computer as the "From:" address, numerous cases
   have been reported in which users of uninfected computers receive
   complaints that they have sent an infected message to someone
   else.
   For example, Linda Anderson is using a computer that is infected
   with W32.Klez.E@mm; Linda is not using a antivirus program or does
   not have current virus definitions. When W32.Klez.E@mm performs
   its emailing routine, it finds the email address of Harold Logan.
   It inserts Harold's email address into the "From:" line of an
   infected email that it then sends to Janet Bishop. Janet then
   contacts Harold and complains that he sent her infected email,
   but when Harold scans his computer, Norton AntiVirus does not
   find       anything--as would be expected--because his computer
   is not       infected.
   If you are using a current version of Norton AntiVirus, have the
   most recent virus definitions, and a full system scan with Norton
   AntiVirus set to scan all files does not find anything, you can
   be confident that your computer is not infected with this worm.
..."

Finally: may be someone of you received an infected message apparently 
coming from my address. Be sure that my PC *cannot* be infected by Klez 
because I perform E-mail traffic on a DOS-based system in which Windows 
is not installed.

Thank you for your time.

Best 73 and good DX!
Giuliano I3LGP
 
   Best 73 de Giuliano, I3LGP, JN55wj

---------------------------------------------------------------
Giuliano Artico, Via Belzoni 7, I-35131 Padova, Italy
QRL : (+39) 049 8275909   [email protected]
Home: (+39) 049 8757130    [email protected]
FAX : (+39) 049 8758596   WWW: http://www.math.unipd.it/~artico