Klez: Don't Believe 'From' Line
By Michelle Delio
April 30, 2002 PDT
www.wired.com
Some Internet users have recently received an e-mail
message from a dead friend. Others have been subscribed
to obscure mailing lists. Some have lost their Internet
access after being accused of spamming, and still
others have received e-mailed pornography from a
priest. They're actually experiencing some of the
stranger side effects of the Klez computer virus.
These ersatz e-mails containing the virus are creating
Klez-provoked arguments and accusations that are now
spreading as fast as the worm itself.
The latest variant of the Klez virus started spreading
10 days ago. The virus e-mails itself from infected
machines using a bogus "From" address randomly plucked
from all e-mail addresses stored on an infected
computer's hard drive or network.
Recipients of the virus-laden e-mails, not
understanding that the "From" information is virtually
always phony -- or even that they have received a virus
-- have been clogging networks with angry and confused
e-mails that are causing a great deal of cyber-havoc.
Users being signed up for newsletters and mailing lists
that they never subscribed to has been a major source
of frustration for both users and the list owners.
If Klez happens to send an e-mail "from" a user to an
e-mail list's automatic subscribe address, the list
software assumes the e-mail is a valid subscription
request and begins sending mail to the user.
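The usual defense against this kind of forged subscription is confirmed opt-in, sketched here as an added example (not code from the article or from any list software it mentions). The ListServer class, the secret and the addresses are hypothetical, and the From header is treated as a bare address.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: per-list secret kept on the server
TOKEN_TTL = 3 * 24 * 3600          # confirmation tokens expire after three days


def _sign(address, issued):
    msg = f"{address.lower()}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class ListServer:
    """Hypothetical list manager that never trusts the From line alone."""

    def __init__(self):
        self.members = set()
        self.outbox = []   # (recipient, body) pairs the server would mail out

    def handle_subscribe(self, from_header, now):
        # The From header is only a claim: do not add it to the list.
        # Mail a one-time token to that address and wait for it to come back.
        token = f"{now}.{_sign(from_header, now)}"
        self.outbox.append((from_header.lower(), f"confirm {token}"))

    def handle_confirm(self, from_header, token, now):
        try:
            issued_text, signature = token.split(".", 1)
            issued = int(issued_text)
        except ValueError:
            return False                      # malformed token
        if issued > now or now - issued > TOKEN_TTL:
            return False                      # expired or from the future
        if not hmac.compare_digest(signature, _sign(from_header, issued)):
            return False                      # token was not issued for this address
        self.members.add(from_header.lower())
        return True
```

A worm that forges the subscribe request never sees the token, because the token is delivered only to the real mailbox; the forged address receives one confirmation message instead of the list's traffic.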
A mailing list for fans of the Grammy Award-winning
Steely Dan band has posted an explanation directed to
those who were subscribed to the list by the virus.
"We are not infected with the Klez virus. We don't know
if you are infected with the Klez virus. You may be.
But even if you are not, someone out there who is
infected has both your address and our address on their
computer ... and therein lies the problem," the
explanation reads, in part.
Even when users understand the source of newsletter-
generated e-mails, the amount of mail some lists
generate is causing problems.
"Last week I suddenly started getting hundreds of e-
mails, daily, with information about raising tropical
fish, purchasing cosmetics and staying in youth
hostels," Victor Montez, a sales rep for a publishing
firm, said. "I do not keep fish, wear makeup or travel
rough."
Montez now understands the e-mails came from Klez-
subscribed news lists. But he said that since his free
e-mail account only stores a certain number of
messages, he's lost access to the account twice this
week. He believes he's also lost a significant amount
of business-related e-mails.
"If this keeps up, I may end up having to stay in
hostels and I'll have plenty of free time to devote to
raising fish," he said.
In some cases, it almost seems as if Klez is
specifically targeting particularly vulnerable e-mail
addresses onto which it can piggyback.
E-mails containing an invitation to view what purports
to be an attachment with pornographic images appear at
first glance to have been sent out by Catholic parishes
in New York and Maryland. The attachment actually
contains the Klez virus, and tracing information
indicates the e-mails were actually sent from an
Internet service located in the United Arab Emirates.
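The "tracing information" lives in the Received headers rather than in the From line. The following added example (not from the article) reads the hop recorded by the recipient's own mail server and compares it with the From domain; the message, host names and IP addresses are constructed from reserved example values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host and address is a reserved example value.
RAW = """\
Received: from mail.isp.example (mail.isp.example [203.0.113.7])
\tby mx.recipient.example with ESMTP; Tue, 30 Apr 2002 09:12:01 -0700
Received: from parish.example (unknown [198.51.100.9])
\tby mail.isp.example with SMTP; Tue, 30 Apr 2002 09:11:58 -0700
From: office@parish.example
To: reader@recipient.example
Subject: Meeting Notice

(body omitted)
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <stamping host>"
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")


def trace_origin(raw, trusted_mx):
    """Compare the From domain with the hop recorded by our own mail server.

    Only the Received line stamped by trusted_mx is reliable; anything
    below it was written by machines outside our control.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for header in msg.get_all("Received", []):
        hop = HOP.search(header)
        if hop and hop.group(4).lower() == trusted_mx:
            rdns, ip = hop.group(2).lower(), hop.group(3)
            matches = rdns == from_domain or rdns.endswith("." + from_domain)
            return {"from_domain": from_domain, "relay": rdns,
                    "relay_ip": ip, "from_matches_relay": matches}
    return None  # no hop stamped by a server we trust
```

A mismatch is not proof of forgery, since legitimate mail is often relayed through an ISP; the point is that the relay address, not the From line, is what an abuse report should cite.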
"While we would obviously never choose to have our
churches' names affiliated with such material, this is
a particularly difficult time to have e-mail with
obscene references -- which appear to have been sent by
church staff -- circulating," an archdiocese
spokeswoman said, referring to the worldwide sex abuse
scandal.
Other newsletter owners are also suffering. Some say
their Internet service providers have accused them of
spamming non-members. Many ISPs cut service when they
receive a certain number of spam complaints.
"I was reported to my ISP over a dozen times this week
for spamming," said Keith Carlone, the manager of an e-
mail newsletter for classic car enthusiasts. "My ISP
threatened to pull my account after the third complaint
and we went down shortly afterwards. It took four days
to sort the problem out."
Andrew Fiber, maintainer of a Jewish folk music mailing
list, said that the list has been inundated with
messages about widely off-topic subjects, so much so
that Fiber wondered if most of his members had suddenly
gone "meshuga (a little crazy)."
But then Fiber began getting the complaints.
"All of a sudden we had e-mails coming in from around
the world, with people yelling we had sent them Klez,"
Fiber said. "The thing is that 'Klezmer' is a type of
traditional folk music which we often discuss on the
list and sometimes refer to as Klez. So I thought
people were protesting about our folk music. It was
very confusing for a while."
Some users have even reported receiving spooky e-mails
from deceased friends.
"I belonged to a tattoo artists' list that closed down
a few years ago. Last week, I began getting e-mails
from the list. Even weirder, I got eight e-mails with
subject lines that read 'SOS' and 'Eager to See You'
from a list member who died last year. It totally
creeped me out," said "Bear" Montego.
Klez e-mails' subject lines are randomly chosen from a
pre-programmed list of about 120 possibilities,
including "Let's be friends," "Japanese lass' sexy
pictures," "Meeting Notice," "Hi Honey" and "SOS."
Klez also sends fake "returned" or "undeliverable" e-
mails, advising the supposed sender that their
original, refused e-mail is contained in the
attachment. Clicking on the attachment triggers the
virus.
The virus can launch automatically when users click to
preview or read e-mails bearing Klez on systems that
have not been patched for a year-old vulnerability in
Internet Explorer, Outlook and Outlook Express. Klez
only affects PCs running Microsoft's Windows operating
system.
As of Monday afternoon, Klez's spread seems to have
slowed, but antiviral experts warn that the worm will
be around for a while.
"Anytime you have a virus that is not easily
identifiable visually, it tends to linger," Rod
Fewster, Australian representative for antiviral
application NOD32, said. "SirCam and Klez both vary the
subject lines of the e-mails they send, which makes it
hard for the average user to spot."