WARNING


Trogg

the bouncer
Staff member
Site Supporter
Joined
Aug 11, 2001
Messages
27,728
Hi All

Just received a nice little e-mail & thought I'd better warn you lot.
If you receive a mail with the heading klez family virus or klez worm then delete it ASAP!!

Below are a couple of domain numbers that have shown up on the norton report for the mail.
193.237.35.22
194.217.242.39
return-Path: <sales@haiths.com>
reevo88.freeserve.co.uk>


I've left a few bits n pieces out but you can get the gist of it.

It asks you to click on a new link to install the only anti virus solution for the virus (it claims all other AV programs can't detect it!!).

I'm only making a rough guess here but I reckon to click on the link is to unleash the virus on your system.



Alan
You've just been moderated
 

MALC

Regular member
Joined
Aug 11, 2001
Messages
6,350
Cheers big Al

Warning duly noted.


Malc
Fish with Friends @ MaggotDrowning.com
 

Alnath

Regular member
Joined
Apr 18, 2002
Messages
1,069
The IP addresses you posted resolve to:

inetnum: 193.237.0.0 - 193.237.255.255
netname: UK-DEMON-970724
descr: DEMON INTERNET
descr: Provider Local Registry
descr: allocation for very small assignments
descr: for static dial-up
descr: contact info refers to ISP
descr: DEMON
country: GB
admin-c: DHG5-RIPE
tech-c: DIHD-RIPE
status: ALLOCATED PA
remarks: http://www.demon.net/
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS2529-MNT
mnt-routes: AS2529-MNT
changed: hostmaster@ripe.net 19970724
changed: hostmaster@ripe.net 19970725
changed: hostmaster@ripe.net 19970729
changed: hostmaster@ripe.net 19980603
changed: hostmaster@ripe.net 19981109
changed: hostmaster@ripe.net 19990917
changed: hostmaster@ripe.net 20001030
changed: hostmaster@ripe.net 20010212
changed: hostmaster@ripe.net 20010426
changed: hostmaster@ripe.net 20011120
source: RIPE

route: 193.237.0.0/16
descr: DEMON-INT-NET
origin: AS2529
remarks: Send Abuse reports to abuse@demon.net
mnt-by: AS2529-MNT
changed: sam.bradford@demon.net 20000714
source: RIPE

role: Demon Hostmaster Group
address: Demon Internet / Thus plc
address: Gateway House
address: 322 Regents Park Road
address: Finchley
address: N3 2QQ London
address: UNITED KINGDOM
phone: +44 845 272 0666
fax-no: +44 20 8371 1285
e-mail: hostmaster@demon.net
admin-c: AP6129-RIPE
admin-c: MB4
admin-c: JS18376-RIPE
admin-c: WD2653-RIPE
tech-c: PDN-RIPE
tech-c: MD1601-RIPE
tech-c: BB837-RIPE
tech-c: LD127-RIPE
tech-c: SAMB
nic-hdl: DHG5-RIPE
notify: hostmaster@demon.net
mnt-by: AS2529-MNT
changed: sam.bradford@demon.net 20010410
changed: markd@demon.net 20020228
source: RIPE

role: Demon Internet Helpdesk
address: Demon Internet / Thus plc
address: Gateway House
address: 322 Regents Park Road
address: Finchley
address: N3 2QQ London
address: UNITED KINGDOM
remarks: 24x7 Operations Helpdesk
phone: +44 845 272 0666
fax-no: +44 20 8371 1167
e-mail: dsoc@demon.net
admin-c: DHG5-RIPE
tech-c: AF10693-RIPE
tech-c: JB222-RIPE
nic-hdl: DIHD-RIPE
notify: hostmaster@demon.net
mnt-by: AS2529-MNT
changed: sam.bradford@demon.net 20011016
changed: sam.bradford@demon.net 20011019
source: RIPE

inetnum: 194.217.242.0 - 194.217.242.255
netname: DEMON-INT
descr: Demon Internet Limited
descr: Office/Internal Machines
country: GB
admin-c: DHG5-RIPE
tech-c: DIHD-RIPE
status: ASSIGNED PA
mnt-by: AS2529-MNT
changed: hostmaster@demon.net 19990812
changed: annap@demon.net 20011018
source: RIPE

route: 194.217.0.0/16
descr: DEMON-INT-NET
origin: AS2529
remarks: Send Abuse reports to abuse@demon.net
mnt-by: AS2529-MNT
changed: sam.bradford@demon.net 20000316
source: RIPE

role: Demon Hostmaster Group
address: Demon Internet / Thus plc
address: Gateway House
address: 322 Regents Park Road
address: Finchley
address: N3 2QQ London
address: UNITED KINGDOM
phone: +44 845 272 0666
fax-no: +44 20 8371 1285
e-mail: hostmaster@demon.net
admin-c: AP6129-RIPE
admin-c: MB4
admin-c: JS18376-RIPE
admin-c: WD2653-RIPE
tech-c: PDN-RIPE
tech-c: MD1601-RIPE
tech-c: BB837-RIPE
tech-c: LD127-RIPE
tech-c: SAMB
nic-hdl: DHG5-RIPE
notify: hostmaster@demon.net
mnt-by: AS2529-MNT
changed: sam.bradford@demon.net 20010410
changed: markd@demon.net 20020228
source: RIPE

role: Demon Internet Helpdesk
address: Demon Internet / Thus plc
address: Gateway House
address: 322 Regents Park Road
address: Finchley
address: N3 2QQ London
address: UNITED KINGDOM
remarks: 24x7 Operations Helpdesk
phone: +44 845 272 0666
fax-no: +44 20 8371 1167
e-mail: dsoc@demon.net
admin-c: DHG5-RIPE
tech-c: AF10693-RIPE
tech-c: JB222-RIPE
nic-hdl: DIHD-RIPE
notify: hostmaster@demon.net
mnt-by: AS2529-MNT
changed: sam.bradford@demon.net 20011016
changed: sam.bradford@demon.net 20011019
source: RIPE


Demon are one of the longest-established and most respected ISPs in the UK, so I doubt (in fact I know 100%) the virus is related to them, if indeed a virus is to be found. The domain name HAITHS.COM is registered to MELBOURNE IT LTD. If their website is hosted on Demon's servers and you suspect wrongdoing, send an e-mail to abuse@demon.net

John
It's not what you have got, it's how you use it
 

Trogg

the bouncer
Staff member
Site Supporter
Joined
Aug 11, 2001
Messages
27,728
Thanks for that John

I believe the person whose name was attached to the mail probably doesn't even know he's sent it.

I have had a few mails from people who have been "infected" & the first thing they knew about it was mails from upset people who have mailed them back asking why they've been sent the virus. (Even had it happen to me when I neglected to update my AV prog.)

Alan
You've just been moderated
 

Peter

'Mugger'
Staff member
Site Supporter
Joined
Sep 18, 2001
Messages
20,169
Cheers all,
Much obliged.

Peter.

Make Friends,Go Maggotdrowning.
 

Alnath

Regular member
Joined
Apr 18, 2002
Messages
1,069
Without teaching my granny to suck eggs, everyone should check their AV scanners are checking e-mail. I love AVG, but by default it doesn't use the Outlook Express plug-in: the resident scanner is still active but the e-mail scanner isn't.

John
It's not what you have got, it's how you use it
 

Dave

Red Leader
Staff member
Site Supporter
Joined
Aug 8, 2001
Messages
61,088
W32.Klez.gen@mm is a mass-mailing worm that will send itself to all email addresses in the Microsoft Outlook Address Book.

The subject and attachment name of incoming emails are randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.

The worm may include a virus that will destroy all files on the 13th of March and September.

For more information Click Here
and for a removal tool if you suspect you are infected Click Here

I'm sure it's the one that you're on about Alan, and if so it has now been classified as a Class 4, in other words a very nasty one.

Dave
 

Alnath

Regular member
Joined
Apr 18, 2002
Messages
1,069
Another favourite to look out for is the use of double filename extensions. People are slowly becoming aware to look out for the extensions Dave mentioned, but the crafty beggars are doing things like "asong.mp3.vbs": the Visual Basic extension .vbs doesn't show and you think it's a normal MP3. Another example could be "apicture.jpg.exe". Windows shows the first extension as part of the filename because it isn't an extension at all, but to us it looks like one; the real extension stays hidden, so you open an unsafe file thinking it's OK. Make sure Outlook Express is set to "Restricted Zone" in Tools/Options/Security.

John
It's not what you have got, it's how you use it
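The two tricks discussed in the last few posts (plain executable attachment extensions such as .bat/.exe/.pif/.scr, and double extensions like "asong.mp3.vbs" that look harmless once Windows hides the final extension) are easy to screen for mechanically. The script below is an added example written for this thread, not something any poster supplied: it mimics the "hide extensions for known file types" display so you can see what the user would have seen next to what the file really is, and flags the risky names. The extension lists and the sample attachment names are constructed for the example.

```python
"""
Triage e-mail attachment names for executable and double extensions.

Added example for this thread (not code from any poster). It reproduces
the two warnings given above: attachments ending in .bat/.exe/.pif/.scr
(the Klez list) or .vbs, and "decoy" double extensions such as
"asong.mp3.vbs" whose real extension Windows hides by default.
"""
from dataclasses import dataclass

# Extensions that run code when opened. .bat/.exe/.pif/.scr are the ones
# quoted for Klez; .vbs is the one in the "asong.mp3.vbs" example.
# Constructed list for this example; a real filter would be longer.
EXECUTABLE_EXTS = {".bat", ".exe", ".pif", ".scr", ".vbs"}

# Extensions a user expects to be plain data; used to recognise the decoy
# half of a double extension. Constructed list for this example.
DECOY_EXTS = {".mp3", ".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf", ".zip"}


@dataclass
class Verdict:
    filename: str
    displayed_as: str   # what the user sees with "hide extensions" on
    real_ext: str       # the extension Windows actually acts on
    risky: bool
    reason: str


def split_all_exts(name):
    """'asong.mp3.vbs' -> ('asong', ['.mp3', '.vbs']); 'README' -> ('README', [])."""
    parts = name.split(".")
    if len(parts) < 2:
        return name, []
    return parts[0], ["." + p for p in parts[1:]]


def displayed_name(name):
    """Mimic Windows 'hide extensions for known file types': only the
    final extension is dropped, so 'asong.mp3.vbs' is shown as 'asong.mp3'."""
    stem, exts = split_all_exts(name)
    if not exts:
        return name
    return stem + "".join(exts[:-1])


def check_attachment(name):
    """Classify one attachment name; matching is case-insensitive."""
    stem, exts = split_all_exts(name.lower())
    real_ext = exts[-1] if exts else ""
    shown = displayed_name(name)
    if real_ext in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return Verdict(name, shown, real_ext, True,
                           f"double extension: looks like {exts[-2]} but is {real_ext}")
        return Verdict(name, shown, real_ext, True,
                       f"executable attachment ({real_ext})")
    return Verdict(name, shown, real_ext, False, "no executable extension")


def triage(names):
    """Run check_attachment over a list of names and return the verdicts."""
    return [check_attachment(n) for n in names]


# Constructed sample attachment names, including the two from the thread.
SAMPLE_ATTACHMENTS = [
    "asong.mp3.vbs",
    "apicture.jpg.exe",
    "report.doc",
    "setup.scr",
    "holiday.jpg",
    "README",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        flag = "RISKY" if v.risky else "ok   "
        print(f"{flag} {v.filename:20} shown as {v.displayed_as:16} {v.reason}")
```

The `displayed_as` column is the point of the exercise: with extension hiding on, "apicture.jpg.exe" is shown as "apicture.jpg", which is exactly why the setting is worth turning off and why a mail scanner should judge the attachment by its last extension, not by what the name appears to be.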
 

norm

Regular member
Joined
Mar 17, 2002
Messages
10,596
CHEERS
Just changed my Outlook to restricted zones.
Have people got nowt better to do than try to damage someone or something?

I have Norton AntiVirus and it stops about 6 attacks a day. I don't know how to tell if it is checking my e-mail but it does check things
and stops attacks which everyone on the net will be getting every time they are on, such as

Back Door SubSeven trojan horse
Back Orifice 2000 trojan horse
Hack'a'Tack trojan horse
Ultors trojan horse
Deep Throat trojan horse

all of which can be picked up on any site you are on




it isn't the size of the tiddler that counts
 

Alnath

Regular member
Joined
Apr 18, 2002
Messages
1,069
May I suggest you try The Cleaner from http://www.moosoft.com; it looks for trojans and nothing else. The program is shareware and works for only 30 days I think, but it is worth downloading and running just to make sure your system is clean.

John
It's not what you have got, it's how you use it
 

Trogg

the bouncer
Staff member
Site Supporter
Joined
Aug 11, 2001
Messages
27,728
One thing I find disgusting is sites that will give you the "patch or crack" for shareware stuff.

I mean after you've downloaded (or loaded from a free disc) the program, all you have to do is go to a site like this one, enter the name etc. of the program & it will give you the "crack or patch" to make the program a full one.

Disgusting it is & anyone who uses that site should be ashamed of themselves

Alan
You've just been moderated


Edited by - Trogg on 30 April 2002 1:01:41 PM
 

norm

Regular member
Joined
Mar 17, 2002
Messages
10,596
Alnath
Loaded that one you said.
At first no probs: loaded, installed, found 1 trojan and cleaned it.
No probs until
you try to do something else:
1. mouse would not work properly
2. unable to dial internet so could not get connected
3. "error has occurred" kept coming up
4. nothing would work (very slow)

So I just uninstalled it and everything came back to normal.
Did you have this prob?

it isn't the size of the tiddler that counts
 

Alnath

Regular member
Joined
Apr 18, 2002
Messages
1,069
I didn't have that problem mate, but I didn't have all the Cleaner active stuff enabled. Sorry, I should have mentioned to deactivate all the Cleaner active stuff as it checks everything and slows your PC down. I wouldn't worry too much as you are now trojan free and your PC is OK again. Just keep your fingers crossed that the trojan you had didn't phone home with anything off your PC; mind, your firewall should have blocked it SO LONG as you denied it access. The problem is trojans are embedded in other programs, so by their nature they're harder to pick up. You said you use Norton, which is the choice of many people, and this failed to pick it up and clean it. Personally I hate Norton, it's bloated and heavy on system resources (only a personal opinion so no flames please). I would rather use AVG and The Cleaner.

If you use anything out of that crack site (not that you would of course cos it's very naughty) that's the first thing you should scan for worms/viruses/trojans.

John
It's not what you have got, it's how you use it
 