Alert.......

murray arundell
Posts: 76
Joined: Wed Nov 24, 1999 12:12 pm

Alert.......

Post by murray arundell » Wed Apr 17, 2002 6:51 pm

Somebody has got a virus in their system........... I'm getting some rather dubious sounding messages via the TABC List. Anyone else having the same problems?

Murray Arundell

webmaster@consultantbob.com
Posts: 9
Joined: Mon May 13, 2002 8:12 pm

Re: Alert.......

Post by webmaster@consultantbob.com » Wed Apr 17, 2002 7:21 pm

Murray: I also just got an Alert from my Norton Antivirus on an incoming T-ABC Message. Had Norton delete it without opening it.

Bob Johnson

Bullwinkle
Posts: 36
Joined: Tue Apr 09, 2002 1:45 pm

Alert.......

Post by Bullwinkle » Wed Apr 17, 2002 8:57 pm

I've received three infected emails today through this list.

The first came from pierrejan@worldnet.att.net with the subject "W32.Klez.E removal tools."

The second and third came from paulhuck@bellsouth.net with the subjects "Your password" and "Some questions."

That's one of the problems with BBS systems like Yahoo that allow attachments.

Blake

Chip Old
Posts: 206
Joined: Thu Jan 20, 2000 6:57 am

Re: Alert.......

Post by Chip Old » Thu Apr 18, 2002 8:35 am

On Thu, 18 Apr 2002, Murray Arundell wrote to Mg-tabc@yahoogroups.com:
> Somebody has got a virus in their system........... I'm getting some
> rather dubious sounding messages via the TABC List.

More than one "somebody". I've received 9 messages with file attachments carrying the W32.Klez.H@mm worm. 8 were received via the MG-TABC list. The other 2 were sent directly to my e-mail address, but from people I know to be MG-TABC list members.

Each of those 9 infected messages came from a different sender (I've confirmed that by analyzing the extended headers). That means at least 9 people on this list received Klez-infected messages and opened the infected file attachments, thereby infecting their PCs.

On those 9 PCs the Klez worm has harvested e-mail addresses from their address books and from e-mail stored on the infected PCs. Klez then sent (or may still be sending) infected messages to all of those harvested addresses. The messages look like they were sent by the owners of those infected PCs, but they didn't do it. Klez sends its infected messages without the owners of those infected PCs knowing anything about it.

*** Folks, if you receive a message with a file attachment DO NOT
*** open the attachment unless it is from someone you know AND you
*** know ahead of time that they will be sending you a file attachment.
*** To do otherwise is to invite virus infection of your PC.

For more on the Klez.H worm see:

http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99455
http://www.F-Secure.com/v-descs/klez_h.shtml

If you have antivirus software on your PC, you should use its automatic update feature to download and install the latest version of its virus information database. Otherwise it probably won't detect and disinfect Klez.H.

--
Chip Old (Francis E. Old)             E-Mail: fold@bcpl.net
Manager, BCPL Network Services        Phone: 410-887-6180
Manager, BCPL.NET Internet Services   FAX: 410-887-2091
320 York Road
Towson, MD 21204 USA

paulhuck@bellsouth.net
Posts: 22
Joined: Fri Aug 24, 2001 8:41 am

Re: Alert.......

Post by paulhuck@bellsouth.net » Fri Apr 19, 2002 7:14 pm

I sent No attachment.

PTH

----- Original Message -----
From: Bullwinkle <yd3@nvc.net>
To: <paulhuck@bellsouth.net>; <mg-tabc@yahoogroups.com>; <pierrejan@worldnet.att.net>
Sent: Wednesday, April 17, 2002 10:56 PM
Subject: [mg-tabc] Alert.......

> I've received three infected emails today through this list.
>
> The first came from pierrejan@worldnet.att.net with the subject
> "W32.Klez.E removal tools."
>
> The second and third came from paulhuck@bellsouth.net with the subjects
> "Your password" and "Some questions."
>
> That's one of the problems with BBS systems like Yahoo that allow
> attachments.
>
> Blake
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

Chip Old
Posts: 206
Joined: Thu Jan 20, 2000 6:57 am

Re: Alert.......

Post by Chip Old » Fri Apr 19, 2002 8:36 pm

On Fri, 19 Apr 2002, paulhuck@bellsouth.net wrote:
> I sent No attachment.
> PTH

A lot of the Klez.H infected messages sent to the MG-TABC list have shown "paulhuck@bellsouth.net" on the "From:" line. That doesn't necessarily mean Paul's PC sent the messages.

A new fact about the Klez.H worm that was not known when the anti-virus Web sites first posted their descriptions: The address on the "From:" line is often not the address of the owner of the infected PC that sends the message.

When a PC becomes infected by Klez.H, the worm compiles a list of e-mail addresses found in the address book, saved e-mail, and a variety of other places on the infected PC's hard disk. It then sends out infected messages to all of those addresses. In those infected messages the address on the "From:" line is selected at random from that same compiled list of addresses. The "From:" address may be that of the infected PC's owner, but more likely it is not.

In other words, if "paulhuck@bellsouth.net" is in someone's address book, and if that person's PC becomes infected by Klez.H, then two things will occur:

(1) "paulhuck@bellsouth.net" will receive an infected e-mail from that infected PC.

(2) It's possible that some of the infected messages sent by that PC will show "paulhuck@bellsouth.net" on the "From:" line even though it wasn't Paul's PC that sent the message.

Now, Paul, this doesn't mean that *none* of those messages came from your PC. Some of them (not all) were sent via the bellsouth.net mail server, which could mean they came from your PC. It would be a good idea to update your anti-virus software and scan your PC.

--
Chip Old               1948 M.G. TC  TC6710  XPAG7430  NEMGTR #2271
Cub Hill, Maryland     1962 Triumph TR4  CT3154LO  CT3479E
fold@bcpl.net
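The header check Chip describes in his two posts, sketched as an added example that is not part of the original thread: it ignores the forgeable "From:" line and groups messages by the earliest "Received:" hop instead. The sample messages, host names and IP addresses are constructed (documentation ranges), and the regex assumes the common `from helo (host [ip]) by relay` layout.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _msg(client, ip, relay, sender):
    # Builds one constructed sample message; every name and IP is made up.
    return (
        "Received: from list.example.org (list.example.org [192.0.2.10])\n"
        "\tby mx.reader.example with ESMTP; Thu, 18 Apr 2002 08:01:00 -0400\n"
        f"Received: from pc ({client} [{ip}])\n"
        f"\tby {relay} with SMTP; Thu, 18 Apr 2002 08:00:50 -0400\n"
        f"From: {sender}\nSubject: Your password\n\n(body removed)\n"
    )

SAMPLES = [  # same From: address on all three, three different origins
    _msg("dial7.isp-a.example", "198.51.100.7", "mail.isp-a.example", "alice@isp-b.example"),
    _msg("dsl22.isp-c.example", "203.0.113.22", "mail.isp-c.example", "alice@isp-b.example"),
    _msg("dsl99.isp-b.example", "198.51.100.99", "mail.isp-b.example", "alice@isp-b.example"),
]

HOP = re.compile(r"from\s+\S+\s+\(\S+\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def first_hop(raw):
    """Return (From address, submitting client IP, first relay) for one message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    received = msg.get_all("Received") or []
    # Servers prepend Received headers, so the last one is the earliest hop.
    # Assumption: that hop was written by a real ISP relay, not by the sender.
    m = HOP.search(received[-1]) if received else None
    return (sender, m.group(1), m.group(2).lower()) if m else (sender, None, None)

def analyze(raws):
    """One row per message: sender, origin IP, relay, and whether the relay
    belongs to the From: domain (the only case where From: is even plausible)."""
    rows = []
    for raw in raws:
        sender, ip, relay = first_hop(raw)
        domain = sender.rpartition("@")[2]
        plausible = bool(relay) and (relay == domain or relay.endswith("." + domain))
        rows.append((sender, ip, relay, plausible))
    return rows

def distinct_origins(raws):
    """Count sending machines by submitting IP, not by From: address."""
    return {ip for _, ip, _, _ in analyze(raws) if ip}

if __name__ == "__main__":
    for row in analyze(SAMPLES):
        print(row)
    print(len(distinct_origins(SAMPLES)), "distinct origins")
```

A matching relay only makes the "From:" address plausible, as with the messages sent via the bellsouth.net server; dial-up and DSL addresses change, so one PC can also appear under more than one IP.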
