About virus W32.Klez.E

ANB-BIA - Av. Charles Woeste 184 - 1090 Bruxelles - Belg
TEL **.32.2/420 34 36 fax /420 05 49 E-Mail: editor at anb-bia.org
_____________________________________________________________
WEEKLY NEWS - SPECIAL ISSUE of: 21-08-2002  - About virus W32.Klez.E  

(see English version below)

To all subscribers to the “ANB-BIA WEEKLY NEWS” list
In recent days we have received several messages from subscribers to the <anb-bia weekly news> mailing list. These readers inform us that they have received from us messages infected by the W32.Klez.E virus. This virus is said to be contained in an attached file (e.g.: A humour game). According to the headers of these e-mails, the messages would have been sent between 17 and 20 August 2002. - Yet this message you are now reading is the first we have sent since 14 August! So the infected messages cannot have come from us…

This morning I had the machines inspected with TREND-MICRO (an on-line antivirus scanner that you can find at this address: http://housecall.antivirus.com): everything seems to be in order. - A search on the Symantec (Norton Antivirus) site informed us that this virus (active since January and reactivated after 23 July) copies the e-mail addresses found on an infected computer and uses them as the sender.

Below I give in French a short summary of the example given by Symantec, which I transcribe further down in English.

For example, Linda Anderson's computer is infected with the W32.Klez.E virus. Linda does not use an antivirus, or her antivirus is not up to date. When it is activated, W32.Klez.E finds Harold Logan's e-mail address and inserts it into the “From:” line of an infected e-mail that it sends to Janet Bishop. Naturally Janet Bishop tells Harold that she has received an infected message from him… Harold checks his computer with an up-to-date antivirus and finds no virus, as was to be expected… because his computer is not infected…

Unfortunately I am unable to say who is sending these infected messages, and I deeply regret that our e-mail addresses can be used in this way.
Please excuse all the disturbance this causes, but we are not responsible for it.

A small piece of advice. If you have doubts about a message, do not open it! Instead, write to us to ask for confirmation or another copy of the message.
Best regards, with all our apologies.
Paolo Costantini
Anb-Bia Brussels - 21 August 2003
----------------------------------------------

(English version)

To all subscribers to ANB-BIA's WEEKLY NEWS
Recently we have received several messages from subscribers on our mailing list <anb-bia weekly news>. These subscribers informed us that we have sent them messages infected by the W32.Klez.E virus. This virus is found in an attachment (e.g. in a humorous game, or setup.exe).

From the headings of these messages, it seems they were sent between 17th and 20th August 2002. However, you should note that this present message is the first we have sent since 14th August. Therefore, the infected messages cannot originate from our computers.

This morning, I checked our machines with TREND-MICRO (an on-line anti-virus which you can find at this address: http://housecall.antivirus.com). All seems to be clean! Research made at the Symantec site (Norton Antivirus) informs us that this virus (active since January, and reactivated after 23rd July) copies the e-mail addresses in an infected computer, and uses them as a dispatcher. (See the notice from Symantec below.)

Unfortunately, we have no means of knowing who sends these infected messages and we are extremely concerned that somebody is using our e-mail address in this way. Please accept our apologies for what has occurred, but you will appreciate that in no way can we be held responsible.

Just a word of advice -- if you have any doubts about a message, don't open it. Rather, write to us asking for confirmation of the message, or to send another copy of the message.

Yours sincerely,

Paolo Costantini
Director. Anb-Bia, Brussels. 21st August 2002

-------------------------------------------------------


INFORMATION FOUND AT SYMANTEC NORTON ANTIVIRUS

ABOUT <W32.Klez.E@mm>
Discovered on: January 17, 2002
Last Updated on: July 23, 2002 07:56:18 AM PDT

The worm copies itself to local, mapped, and network drives as:
A random file name with a double extension. For example, filename.txt.exe.
A .rar archive with a double extension. For example, filename.txt.rar.

In addition, the worm searches the Windows address book, the ICQ database, and local files (such as .html and text files) for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The from address is randomly chosen from email addresses that the worm finds on the infected computer.

NOTES:
Because this worm does use a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.
(From: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html)
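As an added example (not part of this notice or of Symantec's write-up), the following Python function triages a raw e-mail for the three traits described above: a "From:" address whose domain does not match the host that first injected the message, a double-extension attachment such as filename.txt.exe, and a fake "postmaster" bounce that carries an executable. The sample message, hostnames and addresses are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): a fake "postmaster" bounce whose earliest
# Received: hop is an unrelated dial-up host and whose attachment is filename.txt.exe.
SAMPLE = b"""Received: from mail.anyplace.com (mail.anyplace.com [192.0.2.10])
\tby mx.anyplace.com with ESMTP; Mon, 19 Aug 2002 10:02:11 +0200
Received: from dialup-77.example.net ([198.51.100.77])
\tby mail.anyplace.com with SMTP; Mon, 19 Aug 2002 10:02:09 +0200
From: postmaster@anyplace.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: application/octet-stream; name="filename.txt.exe"
Content-Disposition: attachment; filename="filename.txt.exe"

MZ
--b1--
"""
# Double extension as Symantec describes it (filename.txt.exe, filename.txt.rar).
DOUBLE_EXT = re.compile(r"\.\w{2,4}\.(exe|scr|pif|bat|rar)$", re.I)

def originating_host(msg):
    """The bottom-most Received: header names the host that first injected the mail."""
    received = msg.get_all("Received") or []
    match = re.search(r"from\s+(\S+)", received[-1]) if received else None
    return match.group(1) if match else None

def klez_indicators(raw):
    """Return the Klez-style traits found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    origin = (originating_host(msg) or "").lower()
    hits = []
    # The From: line is not the infected machine; compare it with the injecting host.
    if origin and sender_domain and origin != sender_domain and not origin.endswith("." + sender_domain):
        hits.append("from-domain-vs-origin-mismatch")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if DOUBLE_EXT.search(name):
            hits.append("double-extension-attachment")
        # A real bounce never carries an executable; the fake one the virus sends does.
        if sender.startswith("postmaster@") and name.endswith(".exe"):
            hits.append("fake-bounce-with-executable")
    return hits
```

Because the "From:" line is chosen from a stranger's address book, the earliest Received: hop, not the sender address, is what points at the infected machine.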