[MUD-Dev] ADMIN: Virii and mail forgeries

J C Lawrence claw at kanga.nu
Wed May 22 01:21:49 CEST 2002 

Writing as list owner:

  A while back I posted to the Noted list about a new form of the KLEZ
  virus.  

    http://www.kanga.nu/archives/Noted-L/2002Q2/msg00008.php

  Its a Microsoft Outlook beast with one particularly unusual behaviour
  in that not only does it email copies of it self out to the contents
  of the address book, but it randomly forges the From: header of those
  messages to random addresses from the address book while doing so.
  The result is that people get virus email seemingly from addresses
  that were never actually involved in with that message.

  MUD-Dev is currently receiving between 20 and 30 such virus messages
  per day, with a current highest rate of just over 70 in one day.  A
  number of people have mentioned that they are receiving virus emails
  with From: lines of "claw at kanga.nu", "mud-dev at kanga.nu", or
  "mud-dev-admin at kanga.nu" etc.  I'm also getting a number of confused
  questions along the line of, "Why did you send me this?  What is it?"

  Simple answer: They're not from me.  I didn't send them.  I also can't
  stop them being sent to you as they are not coming or passing thru
  from any system I control.  

  Klex has a secondary interesting behaviour in that it also appears to
  have semi-random sleep cycles.  An infected machine will emit a burst
  of virus mesasges and then lie dormant for a while (days), before
  sending new messages to random addresses with randomly forged From:
  lines.

  If you use or run Microsoft Outlook (any version) please inspect your
  system for KLEZ and remove it if found.  I'm getting a little tired of
  it.  Today's moderation queue has at least 30+ copies and I've not
  even gotten half way through it.  I'll let you imagine how much I like
  doing this at 01:20 in the morning.

  Some relevant links for those interested:

    http://www.infosecuritymag.com/2002/may/digest06.shtml
    http://www.uniras.gov.uk/l1/l2/l3/alerts2001/UNIRAS%20Alert%20-1901%20-%20UNIRAS%20-%20Malicious%20software%20report%20W32KLEZ.txt
    http://antivirus.about.com/library/weekly/aa042502a.htm
    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci821739,00.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H
    http://news.com.com/2100-1001-916945.html?tag=fd_top
    http://news.com.com/2100-1001-887330.html
    http://vil.nai.com/vil/content/v_99367.htm
    http://www.wired.com/news/technology/0,1282,52174,00.html
        
  The above URLs are selected in any particular order or due to any
  specific quality other than the fact that they matched Google
  searches.  Those particularly interested may like to read the Bugtraq
  threads on it.

  Thanks, and please clean your systems.  

--
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw at kanga.nu               He lived as a devil, eh?		  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev

More information about the mud-dev-archive mailing list