Author Topic: OT: Virus -- I didn't do it!  (Read 1706 times)

Offline Mark Rainey

  • Full A ed Newest Fervor Post
  • Senior Poster
  • ****
  • Posts: 906
  • Karma: +1169/-3545
  • Gender: Male
OT: Virus -- I didn't do it!
« on: April 24, 2002, 07:19:14 AM »
There's a particularly nasty worm/virus going around at the moment, and some people on the board may have received an email containing it with my return address. However, it's not from my computer.

When this worm infects a computer, it not only sends itself to everyone in the infected user's address book, it inserts a random address from that address book in the FROM field. You have to look at the extended headers to determine where the mail actually originated.

I know at least one or two members of this board got infected and had my email address in their address books; so even though I didn't send the mail, it looks like it came from me.

Here's a little info about it:

McAfee identified this worm as W32/Klez.h@MM. The subject line varies; can be "Hi, honey," "KLEZ virus removal instructions," "Meeting reminder," "Microsoft security update," and many other randomly generated subject lines.

This one will automatically execute itself using the Microsoft IE vulnerability in Outlook Express versions 5.01 - 5.5 unless you have installed Security Patch 2. That means if you have an older version of OE, you don't even have to download the attachment; it will open itself and infect your system.

More info on the virus can be found at http://vil.nai.com/vil/content/v_99455.htm


Anyway, to anyone who might think I sent them a virus, I did not. ;)

Hopefully forewarned is forearmed.

--Mark
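
Added example (not part of the original post): one way to do the "look at the extended headers" check described above, comparing the From address with the relay path recorded in the Received headers. The sample message, every hostname and IP in it, and the `trusted_relays` set of the recipient's own mail servers are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host, address and IP below is made up for illustration.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Wed, 24 Apr 2002 07:01:12 -0400
Received: from smtp.isp-a.example (smtp.isp-a.example [198.51.100.25])
\tby mx.recipient.example with ESMTP id B2; Wed, 24 Apr 2002 07:01:10 -0400
Received: from Wkx (dialup-77.isp-a.example [198.51.100.77])
\tby smtp.isp-a.example with SMTP id C3; Wed, 24 Apr 2002 07:00:58 -0400
From: "Mark" <mark@friend.example>
To: reader@recipient.example
Subject: Meeting reminder

(body omitted)
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\).*?\bby\s+(?P<by>\S+)", re.S)

def received_hops(msg):
    """Return the Received hops, newest first (the order they appear in the header)."""
    found = (HOP.search(v) for v in msg.get_all("Received", []))
    return [m.groupdict() for m in found if m]

def trace_origin(raw, trusted_relays):
    """Compare the From address with the relay path recorded in Received headers."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    domain = claimed.rpartition("@")[2]
    chain = received_hops(msg)
    handoff = None
    for hop in chain:                      # walk from our own servers outward
        if hop["by"].lower() not in trusted_relays:
            break                          # below this point the sender wrote the headers
        handoff = hop                      # peer IP here was recorded by a server we run
    earliest = chain[-1] if chain else None
    hosts = [(h["rdns"] or "").lower() for h in chain]
    on_path = any(h == domain or h.endswith("." + domain) for h in hosts) if domain else False
    return {"claimed_from": claimed,
            "handoff_ip": handoff["ip"] if handoff else None,
            "earliest_ip": earliest["ip"] if earliest else None,   # unverified claim
            "from_domain_on_path": on_path}
```

A From domain that never appears on the path is only a pointer, since many people send through an ISP relay; the `handoff_ip` recorded by your own server is the value to take to the sending network's abuse contact.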

Offline Mysterious Benefactor

  • Systems Manager /
  • Administrator
  • NEW SUPERNAL SCEPTER
  • *****
  • Posts: 16363
  • Karma: +205/-12211
  • Gender: Male
Re: OT: Virus -- I didn't do it!
« Reply #1 on: April 24, 2002, 08:48:24 AM »
Don't worry, Mark, because you're not the only member of this forum who seems to have become infected. I've already received three copies of the virus from another forum member. The odd thing is that, unlike the e-mails it sent from your PC, the three copies I've received all pretended to come from someone else. The first pretended to have come from Midnite, the second from Luciaphil, and the third from someone I don't even know - but each could be traced to the other forum member when I checked their headers.
This virus is VERY sneaky when it comes to how it spreads itself! [madan] So, the best thing to do is delete any suspicious e-mails that arrive - particularly ones with attachments - even if the attachment looks like it's only a JPEG or text file. The e-mail I'd supposedly received from Luciaphil looked like it had a JPEG attachment, and the third copy masqueraded as a text attachment - but all three were actually executable files.
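
Added example (not part of the original post): a mail-filter style check for the masquerading described above, flagging attachments whose filename or MIME label disagrees with what the content actually is. The sample message, its addresses and filenames, and the inert 64-byte stub are constructed for illustration; the short signature table is an assumption, not a complete file-type detector.

```python
from email.message import EmailMessage

MAGIC = [(b"MZ", "windows-executable"), (b"\xff\xd8\xff", "jpeg"),
         (b"GIF8", "gif"), (b"%PDF", "pdf")]
RUNNABLE_EXT = {"exe", "scr", "pif", "bat", "com"}   # extensions Windows will run

def sniff(data):
    """Identify content by its leading bytes, ignoring filename and MIME label."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"

def audit_attachments(msg):
    """Return (filename, reasons) for attachments whose label and content disagree."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        exts = name.lower().split(".")[1:]
        reasons = []
        if sniff(data) == "windows-executable" and not declared.startswith("application/"):
            reasons.append(f"declared {declared} but content starts with an MZ header")
        if exts and exts[-1] in RUNNABLE_EXT and len(exts) > 1:
            reasons.append("double extension ending in ." + exts[-1])
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed message: two mislabelled attachments and one honest one."""
    msg = EmailMessage()
    msg["From"] = "friend@sender.example"
    msg["To"] = "reader@recipient.example"
    msg["Subject"] = "Meeting reminder"
    msg.set_content("See attached.")
    stub = b"MZ" + b"\x00" * 62          # inert bytes: only the two-byte signature
    msg.add_attachment(stub, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="notes.txt.pif")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="real.jpg")
    return msg
```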

Offline Luciaphile

  • ** Collinsport Commentator **
  • Senior Poster
  • ****
  • Posts: 1399
  • Karma: +446/-1242
  • Gender: Female
Re: OT: Virus -- I didn't do it!
« Reply #2 on: April 24, 2002, 02:33:09 PM »
Quote
This virus is VERY sneaky when it comes to how it spreads itself! [madan] So, the best thing to do is delete any suspicious e-mails that arrive - particularly ones with attachments - even if the attachment looks like it's only a JPEG or text file. The e-mail I'd supposedly received from Luciaphil looked like it had a JPEG attachment, and the third copy masqueraded as a text attachment - but all three were actually executable files.


Does this mean it's on my computer? :'(

Luciaphil
"Some people ask their god for answers to their spiritual questions. For everything else, there is Google." --rpcxdr-ga

Offline Mark Rainey

Re: OT: Virus -- I didn't do it!
« Reply #3 on: April 24, 2002, 02:43:52 PM »
Quote
Don't worry, Mark, because you're not the only member of this forum who seems to have become infected. I've already received three copies of the virus from another forum member. The odd thing is that, unlike the e-mails it sent from your PC, the three copies I've received all pretended to come from someone else.

MB -- I didn't get infected; that was the point I was making. The virus inserts random addresses that it finds in an infected user's address book into the FROM field. My email address, Midnite's, Luciaphil's, etc. were in the address book of an infected member of the board, which is why it appears to be coming from us, but in reality it's not.

Please re-read my original post -- it explains the reason for the deceptive behavior of the worm, and that I definitely did NOT get infected or allow it to be sent out from my machine. ;)

--Mark


Offline Minja

  • Full A ed Newest Fervor Post
  • Full Poster
  • ***
  • Posts: 528
  • Karma: +1978/-2064
  • Gender: Female
Re: OT: Virus -- I didn't do it!
« Reply #4 on: April 24, 2002, 03:10:09 PM »
Hey Luciaphil,

If your mailbox is frequently getting mail with attachments that keep popping up a greenish window that is wanting to be downloaded, then you have it.

I'm trying one more removal tool, and then it's to the fixit shop if there's no success.

I tried Symatec(sp?) and no luck.

Always, Minja
Because I knew you, I have been changed for good.
-From the song "For Good" from "Wicked"

Offline Mysterious Benefactor

Re: OT: Virus -- I didn't do it!
« Reply #5 on: April 24, 2002, 07:06:24 PM »
Quote

MB -- I didn't get infected; that was the point I was making.

Sorry about my misinterpretation, Mark. I'll confess that I didn't read your entire post. I'd been talking to Midnite on the phone last night about receiving the first two copies of the virus and who I'd traced them to, and I thought she'd mentioned that someone on the forum had received a copy of the virus that came from you. But now that I think about it, what she'd actually said to me was that the virus had pretended to come from you but was probably from the same person whose computer sent it to me. That person wasn't really sure if they'd been infected or not until they later learned from Midnite that I'd been able to trace the e-mails back to them.

This'll teach me not to make posts at almost 2am when I should be in bed. [lghy] But a Webmaster's work is never done - not even at 2am. [wink2]

Offline Mysterious Benefactor

Re: OT: Virus -- I didn't do it!
« Reply #6 on: April 24, 2002, 07:16:09 PM »
Quote
Does this mean it's on my computer? :'(

Probably not. The e-mail I supposedly received from you came from someone else. Unless you've also received an e-mail that appeared to come from someone you know and you opened the attached file without realizing it wasn't from that person, or you're using Outlook Express and it might have executed the file on its own, you're probably safe - particularly if you have a virus protection program on your computer that's running in the background because it would have probably identified the virus before it could have done any damage. If you do have virus protection, you have the latest virus updates, and you haven't received any warning like that, then you can pretty much be certain that you're safe.

Offline Raineypark

  • DSF God
  • *****
  • Posts: 2749
  • Karma: +13053/-14422
Re: OT: Virus -- I didn't do it!
« Reply #7 on: April 24, 2002, 07:26:42 PM »
MB, am I safe in assuming that those of us who have hidden e-mail addresses and have never shared them with others on this board, cannot get the virus from someone on this board (though certainly from somewhere else.)?

If I have to call IT Hubby and ask this question there'll be hell to pay!

Rainey

"Do not go gentle into that good night.  Rage, rage against the dying of the light."
Dylan Thomas

Offline Mysterious Benefactor

Re: OT: Virus -- I didn't do it!
« Reply #8 on: April 24, 2002, 07:43:00 PM »
Quote
those of us who have hidden e-mail addresses and have never shared them with others on this board, cannot get the virus from someone on this board (though certainly from somewhere else.)?

That's right. The virus uses e-mail addresses stored on an infected computer to send itself out to other people. If no one on this forum knows your e-mail address, then you can't receive it from anyone here.

Offline kuanyin

  • Full A ed Newest Fervor Post
  • Senior Poster
  • ****
  • Posts: 690
  • Karma: +9/-92
  • Gender: Female
Re: OT: Virus -- I didn't do it!
« Reply #9 on: April 25, 2002, 03:23:26 AM »
I might be wrong, it sure wouldn't be unusual, but it looked to me like Microsoft didn't have a more current download of Outlook Express than the 5.5 version I have.

Is there any security feature with 5.5? How would I implement it? Or is there a newer version?
"If a thing is worth doing, it is worth doing badly, rather than not at all." G.K. Chesterton

Offline Mark Rainey

Re: OT: Virus -- I didn't do it!
« Reply #10 on: April 25, 2002, 05:58:07 AM »
Quote
I might be wrong, it sure wouldn't be unusual, but it looked to me like Microsoft didn't have a more current download of Outlook Express than the 5.5 version I have. Is there any security feature with 5.5? How would I implement it? Or is there a newer version?

Kuanyin,

Internet Explorer 6 is available; it comes with Outlook Express 6; it can be downloaded at http://www.microsoft.com/windows/ie/default.asp.

IE/OE 5.5 Service Pack 2 is available at http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp. To implement the Service Pack for 5.5, just download it, close all your other Windows programs, run the install routine, and you're done.

I use 6.0, and in general am happy with it. Far fewer problems than 5.X. I've tried several other browser and mail programs, including Netscape, Opera, and Eudora, and I have to admit that (ulp) I prefer the MS products.

--Mark

Offline Midnite

  • Exec Moderator /
  • Administrator
  • SENIOR ASCENDANT
  • *****
  • Posts: 10716
  • Karma: +717/-4898
  • Gender: Female
Re: OT: Virus -- I didn't do it!
« Reply #11 on: April 25, 2002, 07:02:41 AM »
Quote
The virus inserts random addresses that it finds in an infected user's address book into the FROM field. My email address, Midnite's, Luciaphil's, etc. were in the address book of an infected member of the board, which is why it appears to be coming from us, but in reality it's not.

She (poor thing is without her computer because of the virus) asked me to mention that she received infected emails with titles that mimicked previously sent emails, so the attachments can not only appear to be sent by someone you know but also the title can appear to be above suspicion too.  So if you receive an attachment but don't have an UPDATED antivirus program such as Norton, even if you know the sender and the title seems kosher, you may be risking infection by opening it.

Offline Mysterious Benefactor

Re: OT: Virus -- I didn't do it!
« Reply #12 on: April 25, 2002, 07:31:57 AM »
Quote
I use 6.0, and in general am happy with it. Far fewer problems than 5.X. I've tried several other browser and mail programs, including Netscape, Opera, and Eudora, and I have to admit that (ulp) I prefer the MS products.

Well, you know I don't agree with that. :) But the great thing is there's so much software around that there's usually something to appeal to everyone.

If you have the time sometime, Mark, I'd be curious to hear what you thought of Opera. I haven't checked it out, but I just read a review in one of the PC magazines that went so far as to claim the $39 for it is worth every cent. And one of the members of the YaBB development team raves about it on their community boards every chance he gets - particularly about how much faster it is compared to Netscape and IE. But I have a friend who got a copy of Opera 6.01 from a friend at work (but don't spread that around [lghy]), and he told me that he didn't like it at all. His main complaint was that it still has a lot of rendering glitches, meaning many of his favorite sites displayed in all sorts of odd ways in Opera (colors were off, Java buttons looked funny (some too big, some too small), background details disappeared, etc.) from the way they display in Netscape and IE. I can't say that made me too intrigued to try it out for myself.

And just for the record, in case anyone has forgotten:

I HATE MICROSOFT!!

There, that felt so good to get off my chest again. [wink2] And it's the main reason this site is hosted on an Apache server running Linux rather than a server running Windows NT, 2000 or XP.

Offline Mark Rainey

Re: OT: Virus -- I didn't do it!
« Reply #13 on: April 26, 2002, 03:04:31 AM »
Quote
And just for the record, in case anyone has forgotten: I HATE MICROSOFT!!

MB, yer calm restraint is admirable.  ;D

Quote
I have a friend who got a copy of Opera 6.01 from a friend at work (but don't spread that around ), and he told me that he didn't like it at all. His main complaint was that it still has a lot of rendering glitches, meaning many of his favorite sites displayed in all sorts of odd ways in Opera (colors were off, Java buttons looked funny (some too big, some too small), background details disappeared, etc.) from the way they display in Netscape and IE. I can't say that made me too intrigued to try it out for myself.

The latter is exactly the problem I had with it. It was fast and attractive, but there were some pages that were missing bits and pieces, sometimes crucial ones. For example, I do a lot of selling on Ebay; but using Opera, I couldn't even put up a listing because a few of the vital fields would not show up.

For that matter, at work, we have Netscape 4.5 on Mac G4s, which will allow me to read the boards here (albeit at a snail's pace), but I can't post because the message area is just a little box that is unusable.

Don't even get me started on Macs....

--Mark

Offline Mysterious Benefactor

Re: OT: Virus -- I didn't do it!
« Reply #14 on: April 27, 2002, 07:02:49 AM »
Quote
Quote:
>>And just for the record, in case anyone has forgotten: I HATE MICROSOFT!!<<

MB, yer calm restraint is admirable.  ;D

That was me in restrained mode. You don't want to be around me when I really start to rail on about Microsoft! Just ask Midnite. [lghy]

Thanks for your opinion on Opera. It makes me surer than ever that I don't want to try it until they get all the bugs worked out. [winkb]