E-mail warning

Paul Mather paul at GROMIT.DLIB.VT.EDU
Sat Apr 27 11:01:19 EDT 2002


Chris,

=> Yes, but I still know people who are convinced all they need do is not
=> open attachments or execute any progs that come in this way.   What I'm
=> seeing is stuff that if you get it via IE or mailexpress or whatever the
=> MS mail thing is it's going to infect you.   Neither of these are
=> attachments.  They get in by pretending to be audio, so then if what
=> you get your mail with can play audio, and I think outlook express does,
=> it's in.   (all this VB stuff in MS apps is an open door IMHO).   Also my
=> guess is most people here using MS are using IE set up to play
=> audio.....  you get my drift?   No anti-virus software is ever up to
=> date, I just have a quick look at my mail with a text editor and I see
=> what's happening.   I see a music interest e-mail group with virus
=> problem and I see viruses that pretend to be wav files.   Don't take a
=> genius to work out what's happening!

It's true it doesn't take a genius.  The mail you got was an attempted
infection of the W32.Klez worm.  Somebody must have your e-mail
address in their Windows address book, or in a file of one of the
types it scours for e-mail addresses, which is why you became the
lucky recipient of it.  Masquerading behind fake extensions is nothing
new.  (Viruses have been using them for ages in an attempt to get
people to think they're opening an image, movie clip, sound file,
etc.)  I think it's just chance you got one posing as audio, as it
poses as various random types.

As always, this worm is exploiting a very old hole for which there has
been a patch available for ages.  Trouble is, most users don't bother
to keep up with the patches (or even realise they need to), despite
the fact that "Windows Update" actually makes it very easy to do so.
I guess it's a matter of "it'll never happen to me..."

See http://www.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html
for full details of how this worm propagates, what it infects, and
how to remove it, if you're interested.

It has been spreading a lot lately, and I've received several copies
the last few days, all masquerading under different subject headings
and attachments.  I don't see anything unusual or sinister in it,
beyond the fact that if you *are* infected, it is more difficult than
usual to remove (or so I hear).

Cheers,

Paul.

e-mail: paul at gromit.dlib.vt.edu

"Without music to decorate it, time is just a bunch of boring production
 deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa
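
An added example, not part of the original post: a mail-filter check for the masquerade discussed above, flagging any MIME part that declares a media type (audio, image, video) while carrying an executable filename. The extension list, the function name and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Illustrative (assumed) list of extensions Windows treats as executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs"}
MEDIA_MAINTYPES = {"audio", "image", "video"}

# Constructed sample message, not a real capture; payloads are dummy base64.
SAMPLE = b"""\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

hello
--XX
Content-Type: audio/x-wav; name="greeting.exe"
Content-Transfer-Encoding: base64

AAAA
--XX
Content-Type: audio/x-wav; name="clip.wav"
Content-Transfer-Encoding: base64

AAAA
--XX
Content-Type: image/gif
Content-Disposition: attachment; filename="photo.gif.pif"

AAAA
--XX--
"""

def suspicious_parts(raw):
    """Return (content_type, filename) for media-typed parts named like executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""          # filename= or name= parameter
        ext = os.path.splitext(name.lower())[1]   # last extension decides
        if part.get_content_maintype() in MEDIA_MAINTYPES and ext in EXECUTABLE_EXTS:
            hits.append((part.get_content_type(), name))
    return hits
```

The check only reads headers and never decodes or opens a payload, so it is safe to run over a quarantined mailbox.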


