
Klez: Don't Believe 'From' Line

  • From: alerts@xxxxxxxxxxx
  • To: cybercrime-alerts@xxxxxxxxxxxxx
  • Date: Wed, 15 May 2002 01:10:41 -0400


By Michelle Delio
2:00 a.m. April 30, 2002 PDT

Some Internet users have recently received an e-mail message from a dead 
friend. Others have been subscribed to obscure mailing lists. Some have lost 
their Internet access after being accused of spamming, and still others have 
received e-mailed pornography from a priest.

They're actually experiencing some of the stranger side effects of the Klez 
computer virus.

These ersatz e-mails containing the virus are creating Klez-provoked arguments 
and accusations that are now spreading as fast as the worm itself.

The latest variant of the Klez virus started spreading 10 days ago. The virus 
e-mails itself from infected machines using a bogus "From" address randomly 
plucked from all e-mail addresses stored on an infected computer's hard drive 
or network.

Recipients of the virus-laden e-mails, not understanding that the "From" 
information is virtually always phony -- or even that they have received a 
virus -- have been clogging networks with angry and confused e-mails that are 
causing a great deal of cyber-havoc.

People being signed up for newsletters and mailing lists that they never 
subscribed to has been a major source of frustration for both users and list 
owners.

If Klez happens to send an e-mail "from" a user to an e-mail list's automatic 
subscribe address, the list software assumes the e-mail is a valid subscription 
request and begins sending mail to the user.

A mailing list for fans of the Grammy Award-winning Steely Dan band has posted 
an explanation directed to those who were subscribed to the list by the virus.

"We are not infected with the Klez virus. We don't know if you are infected 
with the Klez virus. You may be. But even if you are not, someone out there who 
is infected has both your address and our address on their computer ... and 
therein lies the problem," the explanation reads, in part.

Even when users understand the source of newsletter-generated e-mails, the 
amount of mail some lists generate is causing problems.

"Last week I suddenly started getting hundreds of e-mails, daily, with 
information about raising tropical fish, purchasing cosmetics and staying in 
youth hostels," Victor Montez, a sales rep for a publishing firm, said. "I do 
not keep fish, wear makeup or travel rough."

Montez now understands the e-mails came from Klez-subscribed news lists. But he 
said that since his free e-mail account only stores a certain number of 
messages, he's lost access to the account twice this week. He believes he's 
also lost a significant number of business-related e-mails.

"If this keeps up, I may end up having to stay in hostels and I'll have plenty 
of free time to devote to raising fish," he said.

In some cases, it almost seems as if Klez is specifically targeting 
particularly vulnerable e-mail addresses onto which it can piggyback.

E-mails containing an invitation to view what purports to be an attachment with 
pornographic images appear at first glance to have been sent out by Catholic 
parishes in New York and Maryland. The attachment actually contains the Klez 
virus, and tracing information indicates the e-mails were actually sent from an 
Internet service located in the United Arab Emirates.

"While we would obviously never choose to have our churches' names affiliated 
with such material, this is a particularly difficult time to have e-mail with 
obscene references -- which appear to have been sent by church staff -- 
circulating," an archdiocese spokeswoman said, referring to the worldwide sex 
abuse scandal.

Other newsletter owners are also suffering. Some say their Internet service 
providers have accused them of spamming non-members. Many ISPs cut service when 
they receive a certain number of spam complaints.

"I was reported to my ISP over a dozen times this week for spamming," said 
Keith Carlone, the manager of an e-mail newsletter for classic car enthusiasts. 
"My ISP threatened to pull my account after the third complaint and we went 
down shortly afterwards. It took four days to sort the problem out."

Andrew Fiber, maintainer of a Jewish folk music mailing list, said that the 
list has been inundated with messages about widely off-topic subjects, so much 
so that Fiber wondered if most of his members had suddenly gone "meshuga (a 
little crazy)."

But then Fiber began getting the complaints.

"All of a sudden we had e-mails coming in from around the world, with people 
yelling we had sent them Klez," Fiber said. "The thing is that 'Klezmer' is a 
type of traditional folk music which we often discuss on the list and sometimes 
refer to as Klez. So I thought people were protesting about our folk music. It 
was very confusing for a while."

Some users have even reported receiving spooky e-mails from deceased friends.

"I belonged to a tattoo artists' list that closed down a few years ago. Last 
week, I began getting e-mails from the list. Even weirder, I got eight e-mails 
with subject lines that read 'SOS' and 'Eager to See You' from a list member 
who died last year. It totally creeped me out," said "Bear" Montego.


Klez e-mails' subject lines are randomly chosen from a pre-programmed list of 
about 120 possibilities, including "Let's be friends," "Japanese lass' sexy 
pictures," "Meeting Notice," "Hi Honey" and "SOS."


Klez also sends fake "returned" or "undeliverable" e-mails, advising the 
supposed sender that their original, refused e-mail is contained in the 
attachment. Clicking on the attachment triggers the virus.


The virus can launch automatically when users click to preview or read e-mails 
bearing Klez on systems that have not been patched for a year-old vulnerability 
in Internet Explorer, Outlook and Outlook Express. Klez only affects PCs 
running Microsoft's Windows operating system.

As of Monday afternoon, Klez's spread seems to have slowed, but antiviral 
experts warn that the worm will be around for a while.

"Anytime you have a virus that is not easily identifiable visually, it tends to 
linger," Rod Fewster, Australian representative for antiviral application 
NOD32, said. "SirCam and Klez both vary the subject lines of the e-mails they 
send, which makes it hard for the average user to spot."


--
This was sent to you from http://theMezz.com
To Subscribe/Unsubscribe go to http://techPolice.com

* Our Monthly Tech NewsLetter is at http://theMezzenger.com *
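
The article describes list software that treats any e-mail arriving at a subscribe address as a valid request from whoever the "From" line names. The sketch below is an added example, not part of the article or of any list software it mentions: it shows a subscribe handler that uses the "From" address only to send a confirmation challenge and adds a member only when the token comes back. The class, function names, secret and addresses are assumptions made for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"  # assumption: per-list secret, never mailed out
TOKEN_TTL = 3 * 24 * 3600         # assumption: confirmations expire after 3 days

def make_token(addr: str, issued: int) -> str:
    """Token binds the address to an issue time; only the list can compute it."""
    mac = hmac.new(SECRET, f"{addr}|{issued}".encode(), hashlib.sha256)
    return f"{issued}.{mac.hexdigest()[:32]}"

def token_valid(addr: str, token: str, now: int) -> bool:
    issued, _, _ = token.partition(".")
    if not token.isascii() or not issued.isdigit():
        return False
    if now - int(issued) > TOKEN_TTL:
        return False
    return hmac.compare_digest(token, make_token(addr, int(issued)))

class ListServer:
    def __init__(self):
        self.members = set()
        self.outbox = []  # (recipient, token) challenges awaiting a reply

    def handle_subscribe(self, raw: str, now: int) -> str:
        # The From header is sender-controlled, so it only selects where
        # the challenge goes; it never adds a member by itself.
        addr = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
        if "@" not in addr:
            return "rejected"
        self.outbox.append((addr, make_token(addr, now)))
        return "challenge-sent"

    def handle_confirm(self, addr: str, token: str, now: int) -> str:
        addr = addr.lower()
        if not token_valid(addr, token, now):
            return "rejected"
        self.members.add(addr)
        return "subscribed"

# Constructed sample: a worm-style request whose From names a third party.
FORGED = (
    "From: Victim <victim@example.org>\n"
    "To: fishlist-subscribe@example.net\n"
    "Subject: SOS\n\n"
)
```

A forged request still produces one challenge message to the named address, so the challenge should be short, carry none of the original message or its attachment, and be rate-limited per address.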