
Virus


Guest Ferret1959


Hi Newt,

 

I'm running AOL, which (using my current settings) doesn't automatically download attachments with the email.

 

Since the virus is the attachment, Norton never gets to see it, unless I choose to download it and do a virus scan once it's downloaded to my machine (or open it). I'm usually not that stupid, though (despite my warnings about opening attachments with a double suffix - JPG.SCR!) Brenda once downloaded an infected attachment and Norton pounced the moment she tried to open it! :)

 

AOL not using Outlook helps to avoid a lot of viruses too.

 

(Of course there's a downside to using AOL. The latest version (7.0) doesn't allow you to turn HTML off, so a virus can arrive in the body of the email as well. Fortunately my Zonelabs firewall has stopped such blighters in the past from communicating back to base to download the virus proper.)

 

I received another of these things, just this am:

 

--------------------------------------

Subj: Visibility

Date: 6/3/02 8:21:14 am GMT Daylight Time

From: pahlberg@foodonline.com

To: LEONROSK@aol.com

File: onload.zip (58365 bytes) DL Time (33600 bps): < 1 minute

Sent from the Internet

----------------------------

 

The sender, subject, name of attachment, and recipient are always random.

 

The 'sender's' email address is probably forged from an address held in the infected machine.

 

Tight Lines - leon

 

[ 03 June 2002, 08:56 AM: Message edited by: Leon Roskilly ]

RNLI Shoreline Member

Member of the Angling Trust


I wonder if it's this one:

 

http://www.newscientist.com/news/news.jsp?...p?id=ns99992252

 

A recipient of the virus, seemingly coming from my address, said that his machine went kaput, as he opened it :(

 

Tight Lines - leon

RNLI Shoreline Member

Member of the Angling Trust


Ah!! I think it's this one:

 

http://securityresponse.symantec.com/avcen....klez.h@mm.html

 

The subject 'Look at my beautiful Girlfriend' appeared in the subject line of one seemingly sent from me!

 

That's listed in the definition.

 

Tight Lines - leon

RNLI Shoreline Member

Member of the Angling Trust


Leon Roskilly:

--------------------------------------

Subj: Visibility

Date: 6/3/02 8:21:14 am GMT Daylight Time

From: pahlberg@foodonline.com

To: LEONROSK@aol.com

File: onload.zip (58365 bytes) DL Time (33600 bps):

Sent from the Internet  

----------------------------

That attachment was almost certainly clean. Too small to be any sort of program file for one thing unless the programmer is a real old-timer who writes in assembler. That isn't likely since that stuff, while small, is also machine specific and would only run on a very small percentage of the machines it was sent to.

 

Onload is a Java Script function that is often included in web pages so the page designer can set his page to perform some action when the page has loaded. Legit function. The code in the web page will look something like

 

<!-- The body tag calls the function once the page has finished loading.
     (Tag reconstructed here; the board stripped it from the original post.) -->
<body onload="functionName()">

Then, your function would be:

function functionName() {
    // Put your code for what to do next in here.
    alert("All Done");
}

 

You may well be getting some Klez viri since there is lots of it floating around out there but I don't think this one was.

 

BTW - I had to put spaces in the function call to post this one and replace the para symbols with brackets like []. Elton's bbs won't allow function calls to be posted. Good safety measure IMO.

 

If you want, forward any suspicious ones on to me at home nvail@ctc.net and I'll happily look em over.

" My choices in life were either to be a piano player in a whore house or a politician. And to tell the truth, there's hardly any difference!" - Harry Truman, 33rd US President


Newt,

 

You almost tempted me into downloading the attachment so that I can forward it onto you.

 

I'm 99.998% certain that I could do that without causing myself a problem. That's too high a risk for me!!

 

BTW, my first machine (PDP-8) had just 4K of memory, 12 bit words and 26 words per memory page. The odd six words we reserved for off page linkages, and 2K of memory was reserved for data. Program patches were loaded into binary via the switch register, and we found that code loaded that way was so tight we couldn't duplicate in assembler without running into memory management problems. So it was binary patch overlaid onto binary patch.

 

No viruses in those days!! Kids today they don't...........(What was I saying?)

 

Tight Lines - leon

RNLI Shoreline Member

Member of the Angling Trust


Subj: A special humour game

Date: 6/3/02 10:41:44 pm GMT Daylight Time

Newt, here's another one!

 

The attachment is just about the same size, but this one's got text in the message!!

 

Tight Lines - leon

 

------------------------------------------

From: maschwar@davison.edu

To: leonrosk@aol.com

File: rock.zip (59280 bytes) DL Time (33600 bps): < 1 minute

Sent from the Internet [Details]

 

 

Hello, This is a special humour game

This game is my first work.

You're the first player.

I wish you would enjoy it.

--------------------------------------

 

No way am I going to download that attachment!! :)

 

TL- leon

RNLI Shoreline Member

Member of the Angling Trust


Yup Leon. W32/Klez-G (later variant of the original W32-ELKlez-C) or Klez-H will give that as one of the possible messages. Or maybe no message at all as you got earlier. But the attachment should have a PIF, SCR, EXE or BAT ending.

 

Maybe there is a Klez-I or something out there now.

 

This particular critter is sort of interesting too since part of the payload's task is to disable any AV program you have running.

 

For any IE5 or 5.5 users out there - it can also run WITHOUT your opening the attachment if you don't have the proper security patches installed. Take a look at Security Bulletin MS01-27 which has the patch to block this particular behavior.

" My choices in life were either to be a piano player in a whore house or a politician. And to tell the truth, there's hardly any difference!" - Harry Truman, 33rd US President
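The thread's two practical points are that a Klez attachment ends in PIF, SCR, EXE or BAT, and that a "double suffix" like JPG.SCR is the disguise to watch for. The script below is an added example, not code from anyone in this thread: it parses the AOL-style "File:" line quoted above, pulls out the attachment name and size, and classifies the name by extension. A .zip is reported as "archive" rather than judged, since (as Newt says) nothing about the name tells you what is inside. The header lines and the "girlfriend.jpg.scr" name in the sample are constructed for the example; the regular expression and the extension sets are my assumptions, not anything the posts specify.

```python
import re

# Extensions named in the thread as what a Klez attachment actually carries.
EXECUTABLE_EXTENSIONS = {"pif", "scr", "exe", "bat"}
# Innocuous-looking extensions used as the first half of a double suffix (JPG.SCR).
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "htm", "html"}
# Archives cannot be judged by name alone; they are flagged for inspection, not as bad.
ARCHIVE_EXTENSIONS = {"zip"}

# Matches the AOL mail header line quoted in the thread, e.g.
#   File: onload.zip (58365 bytes) DL Time (33600 bps): < 1 minute
# (pattern is an assumption about the AOL format, based only on the quoted lines)
FILE_LINE = re.compile(r"^File:\s*(?P<name>\S+)\s*\((?P<size>\d+) bytes\)", re.IGNORECASE)


def parse_file_line(line):
    """Return (attachment name, size in bytes) for an AOL 'File:' line, else None."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    return m.group("name"), int(m.group("size"))


def classify_attachment(filename):
    """Classify an attachment purely by its suffix(es)."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "no-extension"
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        # "photo.jpg.scr": a decoy extension hiding in front of the real one
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            return "double-suffix-executable"
        return "executable"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive"
    return "other"


def triage(header_block):
    """Scan a pasted header block and return (name, size, verdict) for each attachment."""
    results = []
    for line in header_block.splitlines():
        parsed = parse_file_line(line)
        if parsed:
            name, size = parsed
            results.append((name, size, classify_attachment(name)))
    return results


# Constructed sample: the two file lines quoted in the thread plus one made-up double-suffix name.
SAMPLE_HEADERS = """\
Subj: Visibility
From: pahlberg@foodonline.com
File: onload.zip (58365 bytes) DL Time (33600 bps): < 1 minute
Subj: A special humour game
File: rock.zip (59280 bytes) DL Time (33600 bps): < 1 minute
Subj: Look at my beautiful Girlfriend
File: girlfriend.jpg.scr (59012 bytes) DL Time (33600 bps): < 1 minute
"""

if __name__ == "__main__":
    for name, size, verdict in triage(SAMPLE_HEADERS):
        print(f"{name:22} {size:>7} bytes  {verdict}")
```

Run as-is it lists the three constructed attachments with their verdicts; the only one it calls out as an executable is the double-suffix name, while both .zip files come back as "archive", which is as far as a name-only check can honestly go.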
