Virus with Strange Headings?

kwcp
Posts: 44
Joined: Mon Jan 14, 2002 5:32 pm

Re: Virus with Strange Headings?

Post by kwcp » Fri Apr 19, 2002 8:45 am

Chip & all: I have received at least 13 e-mails in the past two days that I believe had the klez virus attached. The attachment was stripped from the e-mails either by my ISP or my anti-virus program. I have been using EZ-Trust anti-virus from CA. The first thing I do every morning is download a new signature file and run the virus program. I also sometimes run the program the last thing at night. It only takes a few minutes but could save hours of repair time. I have never had a virus since taking these simple precautions.

Ken TC 4147

Chip Old wrote:
> On Thu, 18 Apr 2002, Sam Suklis wrote to HaraRyoichi and wargs:
>
> > Hello Hara: ANY of your incoming "list" letters that have a paper-clip
> > next to the name, showing that an attachment is in the letter will be the
> > infected ones.
>
> True only if he uses Microsoft Outlook or Outlook Express. Other mail
> programs use other ways of indicating the presence of file attachments.
>
> > I'm having trouble understanding why some Norton AV's aren't responding
> > to it, as mine goes crazy. I'm guessing some of the Norton's out there
> > aren't of the type configured to scan e-mail OUTSIDE the portal, before
> > it enters the computer.
>
> Possibly, although most recent anti-virus programs scan incoming e-mail by
> default. In order for that not to happen, you'd have to intentionally
> turn e-mail scanning off. More likely is that they have failed to keep
> their anti-virus software up to date. That's the most common
> virus-related problem I have with my customers (I'm an ISP in real life).
>
> When you buy anti-virus software it includes a "virus description
> database" that includes all viruses known at the time the master copy of
> the installation CD was produced. Any new viruses that appear after that
> are not known to the anti-virus program, so will not be detected. You
> *must* use your anti-virus software's "update" feature on a regular basis
> to download and install the latest version of the virus description
> database. If you don't, your anti-virus software is virtually useless
> because it can't detect new viruses. The Klez.H worm that is currently
> causing so much trouble is very new (first detected only a couple of days
> ago), so chances are the anti-virus software on most MG-TABC members' PCs
> wasn't up to date enough to catch it.
>
> If I used a PC, because of the rapid-fire release of new viruses I'd run
> my anti-virus software's database at least once a week. On a Mac it isn't
> as critical because new Mac viruses appear very infrequently.
>
> > This Virus mails itself over and over, and changes its name each time.
>
> The virus name is always Klez.H or some variation on that. What changes
> is the "Subject:" line of the message, the text (if any) of the message,
> and the name of the file attachment. Klez.H takes each of these from a
> built-in list which is so long as to make the Subject, text, and
> attachment name seem random.
>
> --
> Chip Old (Francis E. Old)             E-Mail: fold@bcpl.net
> Manager, BCPL Network Services        Phone: 410-887-6180
> Manager, BCPL.NET Internet Services   FAX: 410-887-2091
> Baltimore County Public Library
> 320 York Road
> Towson, MD 21204 USA

Sam Suklis
Posts: 43
Joined: Sat Apr 06, 2002 5:34 pm

Re: Virus with Strange Headings?

Post by Sam Suklis » Fri Apr 19, 2002 11:08 am

Ken: Three of them waiting for me in here when I booted up this morning. It's still a pain, even though Norton catches them, there's the whole business of going through the steps of stripping each one. I like the Norton Pro AV, it auto-updates virus definitions daily, updating automatically as soon as computer boots. You are correct, that a daily update, whether automatic or manual is like life insurance.

Up until now, never, ever opening ANY attachment EVER, has been the only guaranteed protection. It still is, whether you have an anti-virus program or not. There's always that "brand new" virus out there, that the Anti-Virus people haven't identified yet, and your virus program can't protect you from that.

The list of people I correspond with personally long ago all agreed that IF we had to send an attachment (like a program or something that couldn't be put right in the body of the e-mail (like photos can)) we always send a note ahead to the recipient telling them it's coming, and what the caption will be. That eliminates the danger of any of us assuming, when an attachment arrives with a letter from a friend, that it "must be ok". And fatally assuming the friend knew the attachment was there, in their letter. You only need to get careless one time to get bitten.

This new one is scary, showing up in the preview window, but at least, it too, has to be opened consciously to do damage. (I see on the Symantec site that it was identified in March, but it keeps evolving.) It's still a hassle, first going through Norton's steps to delete it, then going into the "Deleted" file, and deleting it again.

I'd think, given today's technology, Yahoo could simply block all attachments going to the list. Can't they do that? If a list-member wanted to send something to someone on the list with an attachment, they could do that personally, to the individual they want, via regular e-mail. Lists like this one are usually text-only anyway, and that's as it should be.

Sam Suklis.
SS

Gene Gillam
Posts: 215
Joined: Tue Feb 01, 2000 4:09 pm

Re: Virus with Strange Headings?

Post by Gene Gillam » Fri Apr 19, 2002 7:49 pm

Jack said:
> Its usage has made me very suspicious and speculative. Could an outsider
> (or ex-member even) be fiddling with old email addresses such as "tc48td50",
> or creating false ones etc., because this person has some "lip-on" for our web?

http://www.grisoft.com). Version: 6.0.350 / Virus Database: 196 - Release Date: 4/17/2002

HaraRyoichi
Posts: 11
Joined: Sun Sep 16, 2001 12:21 pm

Re: Virus with Strange Headings?

Post by HaraRyoichi » Sat Apr 20, 2002 1:24 pm

Chip,

To be on the safe side, since that nightmarish experience last December, my pc has been set to manual mode to open mails and attachments, i.e., in order to read the contents of a mail as well as an attachment (yes it has a clip mark, Sam) on the "incoming message tray" window I must each time click to pick then another click to delete or two other clickings to open. Thus, I would think twice before I open any mail from anybody with strange heading or ANY heading WITH attachment. Besides, I would read the list of incoming mails from the bottom first for any related messages.

I was moving very cautiously when the first attack of virus came from o*z*a*i*a*c* four days ago, followed immediately by an alert by Murray I believe (Thank you, Murray). I am very sure there had been no such suspicious mail received by me recently. My Norton AV had been updated April 5 then and, currently the window says OK to Virus Definition Update, Auto Protect and, Previous Virus Scan. I could not find out why it did not alert me.

Today, I had the 14th virus suspect: "Male Buster: [mg tabc]A special powful (sic) tool", and you tell us anybody could be picked up as a sender of such mails. It is very disturbing. Not me again!

One silly question: Would a mail WITHOUT attachment be 100% virus-free?

Cheers,
Rick Hara TC6903

PS I am leaving the rather lengthy original messages as had been sent me because I thought it may benefit us all to understand what Sam and Chip are so kindly trying to tell us--- the correct, basic and helpful information. Thank you two and all who've been helping us.

Sam Suklis
Posts: 43
Joined: Sat Apr 06, 2002 5:34 pm

Re: Virus with Strange Headings?

Post by Sam Suklis » Sat Apr 20, 2002 2:29 pm

Hello "old" Chip and Hara:

(Chip-I'm guessing your using the "old" is a reference to Chip Hellie having been on the list first? He is, in fact a young guy, at least in relation to my age...Have known him and his dad for over three decades)

Hara wrote: (yes it has a clip mark, Sam)

Sam wrote: That brings up an important point. You know, if all the members agree NOT to ever include attachments in their postings, it would serve as an "instant" warning to everyone of the appearance of a tainted e-mail. They'd KNOW it didn't belong, and delete it immediately. There's no real need I can think of for attachments in a list of this type, as members can always send an attachment separately directly to the personal e-mail address of whoever they need it to go to.

Hara wrote: Previous Virus Scan. I could not find out why it did not alert me.

Sam wrote: re-check and be sure it's activated..e-mail activates separately in the newer Norton, it's not a default item.

Hara wrote: One silly question: Would a mail WITHOUT attachment be 100% virus-free?

Sam wrote: I think Chip would agree, it's about as close as possible, at this time, to being the ONLY safe thing. I've said before I don't open ANY attachments. Knowing the person sending it is a trusted source is no protection. He has no way of knowing there's an attachment there. That's how viruses work. Person sending it has to tell you before he's going to send it that it's an attachment he's including, what it is, and what the source was. Ponderous, but necessary. It's best to put such items in the body of the letter, where they can be looked at in the preview window, instead of using attachments at all.

Chip wrote:
> > > I'm having trouble understanding why some Norton AV's aren't responding
> > > to it, as mine goes crazy. I'm guessing some of the Norton's out there
> > > aren't of the type configured to scan e-mail OUTSIDE the portal, before
> > > it enters the computer.

Sam wrote: There are times when Windows can screw up in its configuration, and disable a vital path to one program or another. One of my earlier versions of Norton became disabled on several occasions by such events (as did other programs). The latest pro version is pretty reliable, BUT, you have to TELL it you want it to monitor incoming e-mail when you install it. The Norton window that opens when you activate Norton shows you at the top of the list there whether e-mail protection is "on" or "off". You can turn it "off" and the rest of Norton keeps working. I keep having problems with AT&T Broadband, because they refuse support if you've got Norton turned on, and tell you you have to turn it off, claiming that whatever e-mail problem you have is Norton's fault. (which is pure bushwa). It's just their way of ducking responsibility.

Chip wrote:
> > Possibly, although most recent anti-virus programs scan incoming e-mail by
> > default. In order for that not to happen, you'd have to intentionally
> > turn e-mail scanning off. More likely is that they have failed to keep
> > their anti-virus software up to date. That's the most common
> > virus-related problem I have with my customers (I'm an ISP in real life).

Sam wrote: I agree. Particularly if you have an older version of anti-virus protection. But less than daily is dangerous. That's how I found out. I got hit by a "new" virus between updates last year, before I installed the automatic update version. When we installed this latest Norton, I assumed (bad word) the e-mail scanning was a part of the installation. Found out later I had to tell it to do that after it installed. I have the type that scans at the portal, before the e-mail can enter the computer...and yes, it does slow down your Outlook Express, but it's worth the minor inconvenience. My programmer-kid caught that, and gave me a lecture. He points out that Windows is the weak link...says like a condom, it breaks sometimes.

Chip wrote:
> > If I used a PC, because of the rapid-fire release of new viruses I'd run
> > my anti-virus software's database at least once a week. On a Mac it isn't
> > as critical because new Mac viruses appear very infrequently.

Sam wrote: I so often envy you Mac-owners. Nowadays, Norton's later versions check daily automatically, but even that glitches occasionally, and they fail to...I check daily to see what the last date it updated was, and if it's been several days, I manually run an update just to be sure. Sometimes, of course, it's because no new virus definitions have been sent, but it pays to be sure. I keep fighting this urge to just go buy a mac, and use it as a separate computer for e-mail only.

Best to all,
Sam Suklis

Chip Old
Posts: 206
Joined: Thu Jan 20, 2000 6:57 am

Re: Virus with Strange Headings?

Post by Chip Old » Sat Apr 20, 2002 5:56 pm

On Sat, 20 Apr 2002, Sam Suklis wrote to Chip Old and HaraRyoichi:
> Hello "old" Chip and Hara:
>
> (Chip-I'm guessing your using the "old" is a reference to Chip Hellie
> having been on the list first? He is, in fact a young guy, at least in
> relation to my age...Have known him and his dad for over three decades)

Sorry, nothing that devious. My name is Chip Old. Actually it's Francis E. Old III, but I've been known as "Chip" since birth, which occurred two years before the birth of the TC.

> I keep having problems with AT&T Broadband, because they refuse support
> if you've got Norton turned on, and tell you you have to turn it off,
> claiming that whatever e-mail problem you have is Norton's fault.
> (which is pure bushwa). It's just their way of ducking responsibility.

It's not entirely bushwa. The Windows version of Norton Antivirus works as a sort of proxy server for your incoming e-mail. Without it, your mail program connects to your ISP's mail server and downloads your new mail to your hard disk. When NAV is set to scan your incoming mail, it modifies the server address in your mail program such that your mail program connects to the "loopback address" on your own PC to get your e-mail from NAV, which is what actually downloads it from the mail server.

It's a good idea, but occasionally it goes wrong and your mail program is unable to collect your new mail. We see this mainly with Outlook Express. For a long time Symantec and Microsoft blamed each other for the problem and both refused to do anything about it. Eventually both provided patches to fix the problem, but it still happens occasionally.

What *is* bushwa is the AT&T help desk's way of dealing with the problem by telling you to turn off NAV. My help desk staff are all expert at making the NAV/mail program relationship work correctly.

--
Chip Old             1948 M.G. TC  TC6710  XPAG7430  NEMGTR #2271
Cub Hill, Maryland   1962 Triumph TR4  CT3154LO  CT3479E
fold@bcpl.net

Sam Suklis
Posts: 43
Joined: Sat Apr 06, 2002 5:34 pm

Re: Virus with Strange Headings?

Post by Sam Suklis » Sat Apr 20, 2002 7:42 pm

Chip wrote:
> Sorry, nothing that devious. My name is Chip Old. Actually it's Francis
> E. Old III, but I've been known as "Chip" since birth, which occurred two
> years before the birth of the TC.

Sam writes: Omigsh! Your car is older than you? I can't tell you how good that makes me feel! I've spent last few years telling people "my car is almost as old as I am" and instantly feeling ancient. My heartfelt "thanks" to you, sir, you have made my whole weekend!

Chip wrote:
> What *is* bushwa is the AT&T help desk's way of dealing with the problem
> by telling you to turn off NAV. My help desk staff are all expert at
> making the NAV/mail program relationship work correctly.

Sam writes: BINGO! On each and every occasion this has happened, we've ended up finding out the problem each time was that the Corvallis AT&T server was down. All that time spent with techs trying to prove it was my computer. Urggh. As soon as they tell me my Norton is the problem, a few calls disclose that everyone I know who's in my area with AT&T is also down. Now, if it's not working, I just come back later, and it's back on. No more calls to AT&T. Outside of that, charging along with fiberoptic is sure nice.

best,
Sam

Sam Suklis
Posts: 43
Joined: Sat Apr 06, 2002 5:34 pm

Re: Virus with Strange Headings?

Post by Sam Suklis » Sat Apr 20, 2002 7:58 pm

A final word on attachments: After going on a bit about not allowing attachments as a safety-net, I remembered a letter Jim Shade sent me recently when I was signing up for the list, and it looks like that issue had already been addressed, and the policy in place. Here's the actual excerpt:

PHOTOS AND BIO'S

Please don't send attachments to the List address as several members have complained that their service-providers download attachments automatically, using costly on-line time. You can post Photos on our Yahoo site. Just go to our Yahoo site, http://groups.yahoo.com/group/mg-tabc, click on "photos" then click on "add photo". Then send a message to the List, alerting them to the fact that you have posted a photo.

Best to all,
Sam Suklis
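
The text-only list policy discussed in this thread can be enforced on a message's MIME structure alone, which matters because the worm's Subject, text and attachment name vary from copy to copy. The Python below is an added example, not part of the original thread or of any Yahoo! Groups feature; the function names, the extension list and the sample postings are constructed assumptions.

```python
import os
from email import message_from_string, policy

# Assumption: file extensions a Windows mail client would run when opened.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".com"}


def non_text_parts(raw_message):
    """Return one finding per MIME leaf part that is not plain body text."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # get_filename() reads Content-Disposition's filename and falls back
        # to Content-Type's name, so a part with no disposition is still seen
        # even if a given mail client would not show a paper-clip for it.
        filename = part.get_filename()
        is_body_text = (
            part.get_content_type() == "text/plain"
            and filename is None
            and part.get_content_disposition() in (None, "inline")
        )
        if is_body_text:
            continue
        ext = os.path.splitext(filename or "")[1].lower()  # last extension wins
        findings.append({
            "content_type": part.get_content_type(),
            "filename": filename,
            "executable": ext in EXECUTABLE_EXTS,
        })
    return findings


def gateway_decision(raw_message):
    """Text-only list policy: Subject and body wording are never consulted."""
    findings = non_text_parts(raw_message)
    if not findings:
        return "accept"
    if any(f["executable"] for f in findings):
        return "reject-executable"
    return "reject-attachment"  # photos, HTML parts, anything not plain text


def _constructed_post(subject, attachment_headers=None):
    """Build a constructed sample posting; the payload is placeholder text."""
    head = f"From: member@example.org\nTo: list@example.org\nSubject: {subject}\n"
    if attachment_headers is None:
        return head + "\nMy TC needs new kingpins. Any advice?\n"
    return (
        head
        + 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        + "--b1\nContent-Type: text/plain\n\nsee the file\n"
        + "--b1\n" + attachment_headers
        + "Content-Transfer-Encoding: base64\n\n"
        + "aGFybWxlc3MgcGxhY2Vob2xkZXI=\n--b1--\n"
    )


# Constructed samples: different subjects and names, same structural verdict.
SAMPLES = {
    "plain": _constructed_post("Kingpins"),
    "exe_with_disposition": _constructed_post(
        "A special tool",
        'Content-Type: application/octet-stream; name="setup.exe"\n'
        'Content-Disposition: attachment; filename="setup.exe"\n'),
    "scr_without_disposition": _constructed_post(
        "Hello",
        'Content-Type: application/octet-stream; name="photo.jpg.scr"\n'),
    "photo": _constructed_post(
        "My car",
        'Content-Type: image/jpeg; name="tc.jpg"\n'
        'Content-Disposition: attachment; filename="tc.jpg"\n'),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, gateway_decision(raw))
```
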

rmeismer1@aol.com
Posts: 38
Joined: Sat Jan 12, 2002 4:52 pm

Re: Virus with Strange Headings?

Post by rmeismer1@aol.com » Sat Apr 20, 2002 8:13 pm

What a bunch of kids. I was in the 6th grade when mine was built. Damn, I am getting old.

From M.G. (Meismer's Garage)
Rolland Meismer
Burlington, Iowa U.S.A.
1946 TC #3409--1951 TD #5522

Chip Old
Posts: 206
Joined: Thu Jan 20, 2000 6:57 am

Re: Virus with Strange Headings?

Post by Chip Old » Sat Apr 20, 2002 8:29 pm

On Sat, 20 Apr 2002, Sam Suklis wrote to MG-TABC and Chip Old:
> Omigsh! Your car is older than you? I can't tell you how good that
> makes me feel! I've spent last few years telling people "my car is
> almost as old as I am" and instantly feeling ancient. My heartfelt
> "thanks" to you, sir, you have made my whole weekend!.

Sam, re-read what I wrote, then do the math. I said "...I've been known as "Chip" since birth, which occurred two years before the birth of the TC." The TC as a model was born in 1945. I was born two years before that (1943, for the mathematically challenged). Actually my own TC is a 1948, so I'm five years older than it is. Sorry to destroy your weekend. :-)

--
Chip Old             1948 M.G. TC  TC6710  XPAG7430  NEMGTR #2271
Cub Hill, Maryland   1962 Triumph TR4  CT3154LO  CT3479E
fold@bcpl.net
