I hope I don't cause grief pushing this thread back up to the top! I just wanted to post the following information that came from my employer, in case it provides any additional insight that is of help. Way down close to end there are several websites for information; may be the same ones mentioned upthread. If you copy URLs to your browser don't forget to remove > from start of each bodycopy line.
Because of the antisocial nature of this threat, and the public nature of access to these forums, I felt it necessary to remove all references to my employer using [XXX] which also invalidates some proprietary websites referenced, but the public ones I left in are good addresses.
Good luck guys! I feel your pain, but my Mac is immune to this one...not gloating, really. It's all I can afford, old and slow from university surplussing. But I did win a "parts" CPU from them for $5.89 and took out of it 64M of RAM and a 2G hard drive to add to old-and-slow, *now* I'm gloating. I remember when a 40 *meg* drive was more than enough, can't wait to re-read this in 3 years...
hasta, michael 8>)#
>X-From_: owner-alldepts@ [XXX] Tue Feb 5 12:11 CST 2002
>X-Priority: 3 (Normal)
>Importance: Normal
>X-Virus-Scanned: by AMaViS snapshot-20010714
>Date: Tue, 5 Feb 2002 11:23:18 -0600
>Reply-To: [XXX]
>Sender: ALLDEPTS -- [ XXX ] University Departments
>From: [ XXX ]
>Organization: [ XXX ] University Information Technology
>Subject: Virus Alert: "Klez" Virus and E-mail Warnings
>Comments: To: ALLDEPTS@ [ XXX ]
>To: ALLDEPTS@ [ XXX ]
>
>Hi all,
>
>An e-mail virus is going around by the name of "Klez" which also drops
>a new virus variant called "Elkern" on infected systems. Please read
>on, because this message addresses the "VIRUS IN YOUR MAIL" warnings
>that many [ XXX ] folks have received recently.
>
>Information on these viruses is very preliminary at this stage, but I
>need to distribute this advance warning because of some particularly
>antisocial aspects of this virus combo. Please forgive any errors in
>the facts that result from this early assessment.
>
>The "KLEZ" and "ELKERN" Worms
>-----------------------------
>
>Virus names: KLEZ
>             W32/Klez.gen@MM
>             Klaz
>             TROJ_KLEZ.C
>             Klez.E
>             Klez.G
>             Stemdil
>
>             ELKERN
>             W95/Elkern.cav
>             W32.ElKern.3326
>
>Systems Affected: PCs with any version of Windows. Macs and UNIX
>systems are not affected.
>
>Methods of Propagation:
>
>Klez (variants "E" and "G") is an e-mail virus that uses a very
>sophisticated algorithm to generate fake e-mail messages with
>similarly fake return addresses. If you receive a message from Klez,
>most likely the address in the From: field is not the person who
>sent it. Klez generates fake holiday greetings for most major
>holidays, it grabs subject lines from existing e-mail, and it can
>compose sentences from a large combination set of sentence fragments,
>including sentences that sound like different virus warnings. Klez
>infects individual executable files, and scans your network disks and
>any open Windows file shares it can find and drops a copy of itself
>with a double-extension to trick the user into opening it
>("blahblah.txt.EXE").
>
>Elkern is a new virus variant ("B") that is installed by Klez. Elkern
>is a more typical file-infection virus with the antisocial tendency to
>overwrite files with zeros, leaving the file size intact. This can
>rapidly render the operating system unusable or destroy applications
>and data. Like Klez, it scans network drives and open file shares and
>attempts to install itself on poorly secured systems. Due to bugs in
>its programming, Elkern will instantly crash any Windows 95 or NT
>system, and possibly Windows ME or XP systems. It will run correctly
>(if it can be called "correctly") on Windows 98 and 2000 systems.
>
>Risk to [ XXX ] Campus: Moderately High. The bad news is that Klez and
>Elkern exploit almost every trick in the book to try and propagate
>themselves, and the fake e-mail that Klez generates looks very
>realistic. The good news: our latest version of VirusScan with the
>most recent virus signatures will detect and stop this virus.
>
>
>BAD VIRUS WARNINGS
>------------------
>
>You may receive a message from "postmaster" with the warning:
>
>Subject: VIRUS IN YOUR MAIL
>
>     V I R U S   A L E R T
>     Our viruschecker found the
>         W32/Klez.gen@MM
>     virus(es) in your email to the following recipient(s).
>
>In all likelihood, this warning is in error. Because Klez creates fake
>(but intelligently chosen) "From" addresses on its messages, chances
>are that the e-mail virus scanner sent the warning to the wrong person
>-- that is, YOU. In fact, there is no way to figure out who really
>sent the virus-infected e-mail purely by examining the infected
>e-mail.
>
>WHAT YOU SHOULD DO
>------------------
>
>If you receive the virus warning and you use a Mac or UNIX system for
>your e-mail, just ignore the warning and throw it away. It does not
>apply to you.
>
>If you receive the warning and you use a PC with Windows, the warning
>is most likely invalid, but infection remains a possibility. Make sure
>you have a current anti-virus scanner installed on your PC. If you're
>using [ XXX ] 's McAfee VirusScan product, make sure you are currently
>updated with the latest virus signatures:
>
>http://www. [ XXX ]
>
>The current (version 4184) signatures can detect and remove the latest
>variants of both Klez and Elkern. If you don't have McAfee VirusScan
>installed, now is the time to install it. Use the links at
>
>http:// [ XXX ]
>
>to obtain and install it, then update with the latest signatures.
>
>If you use a centrally-managed PC with Windows NT, 2000 or XP, your
>system administrator may apply updates for you automatically. Contact
>your local support team if you have any questions about that
>procedure.
>
>And as always, never open an attachment whose validity has not been
>confirmed with the original sender in plain, specific language. Never
>open an attachment with a .EXE extension.
>
>If you think you are infected, contact IT staff immediately for
>assistance at http:// [ XXX ]
>
>MORE INFO
>---------
>
>Virus Info and Software Updates:
>
>http:// [ XXX ]
>
>Klez Links:
>
>McAfee/NAI: http://vil.nai.com/vil/content/v_99237.htm
>Datafellows: http://www.datafellows.com/v-descs/klez.shtml
>
>Elkern Links:
>
>McAfee/NAI: http://vil.nai.com/vil/content/v_99238.htm
>Datafellows: http://www.F-Secure.com/v-descs/elkern.shtml
>Symantec:
>http://securityresponse.symantec.com/avcenter/venc/data/w32.elkern.3587.html
>
>--
>
>As in the past, please do not distribute this message outside the [ XXX ]
>community. Also, please do not distribute this message after March 15,
>2002. If there is relevant, new information available, it will be
>posted in an updated message to ALLDEPTS.
[Yeah, well I feel OK about sending it because I copied to word-processor, removed all references and addresses to the university itself, send through non-university email and don't see any way this could disadvantage them after those precautions.....and to anyone who might be able to backdoor through a residual IP address: the countermeasures do need occasional testing, so - go ahead, make their day!] [[ one of my favorite aphorisms: "Just because you're paranoid doesn't mean they're not out to get you !! " ]]
>This message is preserved, fresh-frozen for eternity at
>
>https://www.[ XXX ]
>--
>[ XXX sigblock]
--
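As an added example that is not part of the post above or of the quoted university alert, here is a small Python check for the double-extension attachment trick the alert describes ("blahblah.txt.EXE"): it parses a message, walks the MIME parts and flags attachments whose final extension is executable, calling out the disguised case separately. The sample message, its addresses, and the two extension lists are constructed assumptions for illustration; the alert itself names only .EXE.

```python
"""Flag mail attachments that use the double-extension trick ("blahblah.txt.EXE").

Added example, not from the forum post or the quoted alert. The sample
message and the extension lists below are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions Windows will execute on double-click. The alert
# names only .EXE; the others are added here for illustration.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
# Assumption: extensions a user would read as a harmless document.
DOCUMENT_EXTENSIONS = {"txt", "doc", "htm", "html", "jpg", "gif", "pdf"}


def classify_filename(name):
    """Return None if the name looks benign, otherwise a short reason string.

    The comparison is case-insensitive because the trick relies on the
    reader not noticing ".txt.EXE" versus ".txt.exe".
    """
    parts = name.lower().rsplit(".", 2)  # keep at most the last two extensions
    if len(parts) < 2:
        return None  # no extension at all
    last = parts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTENSIONS:
        return "double-extension disguise (.%s.%s)" % (parts[1], last)
    return "executable attachment (.%s)" % last


def find_risky_attachments(raw):
    """Parse a raw RFC 822 message (bytes) and return a list of
    (filename, reason) tuples for every attachment that classify_filename()
    flags. The From: header is deliberately not consulted: as the alert
    says, it cannot be trusted to identify the real sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or a container part, not an attachment
        reason = classify_filename(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample():
    """Constructed sample message: one disguised executable, one plain
    executable and one genuine text file. Addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Happy holidays"
    msg.set_content("Greeting text.")
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="blahblah.txt.EXE")
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"hello", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, why in find_risky_attachments(build_sample()):
        print("%s: %s" % (filename, why))
```

Running the block prints the two flagged attachments and says nothing about notes.txt. The same walk can be pointed at a real mailbox message by passing its raw bytes to find_risky_attachments(); a mail gateway would typically quarantine on the "double-extension disguise" reason and at least warn on the plain executable case.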