From: Pat Asher <>
Subject: Re: [FreeHelp] Fw: E., Atlanta,
Date: Mon, 01 Jul 2002 16:33:05 -0400
References: <5.1.0.14.0.20020701134826.02871ec0@pop3.norton.antivirus>
In-Reply-To: <003d01c22133$5ea6beb0$12045618@yourw92p4bhlzg>
At 03:13 PM 7/1/2002, you wrote:
>Hi Pat- Using the pretence that this is rootsweb correspondence should be
>of great concern to rootsweb. As I am apparently not the only one affected
>will rootsweb follow up or should I do so independently?
Hi,
Since I have received several private messages (my apologies to Norm for
using his as an example) asking about the Klez virus, I am posting this to
the list so anyone who is not aware of how the Klez virus works will
understand.
The virus is not coming from RootsWeb. It is sent to you privately by the
infected computer. There are several ways the virus can find your address:
1) Your email address appears in the sender's address book.
2) The infected computer finds an unread message from you in the inbox.
3) Your email address appears on a web page that is cached on the infected
computer.
4) Your email address appears in an email message (perhaps an old one)
that is stored on the infected computer.
Depending on where the virus finds your address, it may use the subject
line or copy part of a message on the infected computer, in an attempt to
appear to be a legitimate message. Unfortunately, there is nothing
RootsWeb can do to stop them since the mail does not originate with
RootsWeb, or pass through the RootsWeb mail servers. Your best defense is
to keep your AV program and virus definitions up-to-date; and set your
program to scan all incoming email. If your ISP has the option, don't
download any attachment from someone you don't know, or that you were not
expecting.
The W32.Klez virus (there are several variants) spoofs/forges the "From"
address by inserting an address it finds on the infected computer. It then
sends copies of itself to addresses it finds in the address book of the
infected computer. The actual sender can sometimes be determined by
viewing the full expanded headers of the message. The "Return Path" or
Reply to" address will be different than the "From" address. Instructions
for viewing full headers in many popular email programs are here:
http://helpdesk.rootsweb.com/listadmins/headersfull.html
The Klez virus has been active for several months now, and some versions
have mutated so they no longer contain attachments and are no longer
infectious. Other variants are even more dangerous, because your computer
can become infected simply by viewing the message in your "preview" pane.
Here is some info from Symantec about the Klez virus:
http://securityresponse.symantec.com/avcenter/venc/data/ type="text/javascript">DisplayMail('mm.html','w32.klez.h');
This HelpDesk FAQ has tips for protecting yourself from viruses, and links
to some popular AV software sites.
http://helpdesk.rootsweb.com/announce.html#virus
If you suspect you might have unwittingly been infected, remember that the
virus may have disabled any anti-virus software you have on your
computer. HouseCall is an online AV scanner that will let you know if that
has happened.
http://housecall.antivirus.com/pc_housecall/
Pat