Zone38 Presents...
Letters to the World

25-Aug-2002

Klez-ified information

Filed under: General — codeman38 @ 11:17 am

I really hate the Klez virus.

Now, before you start nagging at me about how I should never have opened an attachment from an unknown source, blah blah blah, I’ll explain that I’m writing this as a completely innocent third party who just happened to be in several people’s address books.

If you’re still confused, you probably haven’t heard about how Klez works yet, so you can either head over to Symantec’s description or just let me explain the basics:

In short, an infected computer will send copies of the virus to random addresses culled from the computer’s files, as one might expect. In addition, however, the “From” address on the infected e-mail will also be forged, again chosen randomly from the computer’s files. In other words, the apparent “sender” of the message is actually a third party whose address just happened to be stored somewhere on the real sender’s computer.

And not only that, the virus takes advantage of vulnerabilities in earlier versions of Outlook Express and Internet Explorer which allow an attachment to be executed just by viewing a message. In many cases, a user doesn’t even have to open the attachment to get infected! (Shades of Good Times, anyone?)

Thus, not only have I gotten copies of the Klez virus claiming to be from fellow students who aren’t actually infected, but other students have also asked me what those weird attachments were that I had apparently sent. Of course, I’ve explained the situation quite clearly to them in as little geekspeak as I could (funny that a user of Mozilla and Pine becomes the scapegoat!), and that’s generally cleared the situation up. And by tracking the headers, I’ve managed to point out to the real carriers of the virus that they’ve been infected (ah, gotta love those X-Apparently-From headers, heh), though not all have gotten around to fixing it yet.

But it gets worse. Y’know how, when a mail server can’t deliver a message to the intended recipient, it will return the message to the original sender with a note about the failed delivery? Yep, that’s right. Sometimes a Klez attack will send mail to a non-existent address– and because the mail in question claims that I’m the sender, I get bounced copies of Klez-infected messages that I never sent, with the infected attachment still present.

I hate the Klez virus.

(Oh, and amusingly, while doing some additional research for this posting, I stumbled across a Linux development mailing list that apparently had a repeated Klez attack. Talk about picking the wrong scapegoat entirely…)

No Comments »

No comments yet.

RSS feed for comments on this post.

Leave a comment

You can use these HTML tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

© 2001-2018 codeman38. Powered by WordPress.