Warning: nasty variant of this new virus.
I just got sent a new copy of the Klez.E virus. The text it sends to the user is this:
-- Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me <mailto:lady_ice@pacbell.net> .
If you follow these instructions, you'll be infected by the worm. Don't run ANYTHING from anyone you can't explicitly guarantee as a valid source of help.
-- Chuq Von Rospach, Architech chuqui@plaidworks.com -- http://www.chuqui.com/
He doesn't have ulcers, but he's a carrier.
At 02:35 PM 4/23/02 -0700, Chuq Von Rospach wrote:
> I just got sent a new copy of the Klez.E virus. The text it sends to the user is this:
Plus, as I recall, there's a *second* virus in the payload as well. A two-fer if you will.
The sad thing is, if you read the various Klez codes, it's some guy bemoaning that he only makes $5k a year and has to support his parents, and is wondering if anyone will hire him now that he's demonstrated how good he is.
At 14:35 -0700 4/23/2002, Chuq Von Rospach wrote:
> I just got sent a new copy of the Klez.E virus. The text it sends to the user is this:
> -- Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Ah...there's one now. It came in a text/html part, with quoted-printable encoding. The clever HTML which precedes the above material is (in its entirety) (I stuck the spaces into the first tag to try to avoid confusing some dumb mail client or overly-smart scanner):
<H T ML><HEAD></HEAD><BODY>
<FONT>Klez.E...
The social engineering in the English translation of the message isn't badly done.
File name in this sample is "Fy.bat" (which I suspect I'm interpreting correctly).
--John
John Baxter jwblist@olympus.net Port Ludlow, WA, USA
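Added example, not part of the original thread: a mail-triage check in Python for the message shape described above (a quoted-printable text/html part plus an attachment named Fy.bat). The extension list, the lure phrases and the sample message are constructed assumptions for illustration.

```python
import email
import os
from email import policy

# Extensions Windows runs on double-click (assumed list for this example).
RISKY_EXT = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs"}
# Phrases that urge the reader to override their scanner (assumed heuristics).
LURE_PHRASES = ("ignore the warning", "immunity tool", "run this tool")

# Constructed sample shaped like the message described in the thread:
# a quoted-printable text/html part plus an attachment named Fy.bat.
SAMPLE = "\n".join([
    "Subject: Worm Klez.E immunity",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/html; charset=us-ascii",
    "Content-Transfer-Encoding: quoted-printable",
    "",
    "<HTML><HEAD></HEAD><BODY><FONT>If so,Ignore the warning,and select =",
    "'continue'. You only need to run this tool once.</FONT></BODY></HTML>",
    "--b1",
    'Content-Type: application/octet-stream; name="Fy.bat"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="Fy.bat"',
    "",
    "UExBQ0VIT0xERVI=",  # base64 of the word PLACEHOLDER, not a real payload
    "--b1--",
    "",
])

def triage(raw):
    """Return a list of (kind, detail) findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXT:
            findings.append(("executable-attachment", name))
        elif part.get_content_type() in ("text/html", "text/plain"):
            # get_content() undoes quoted-printable, including soft line breaks.
            text = part.get_content().lower()
            findings += [("lure-phrase", p) for p in LURE_PHRASES if p in text]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Decoding the part before matching matters here: the phrase "select 'continue'" is split by a quoted-printable soft line break in the raw message and only becomes contiguous after decoding.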