Holy Klez Batman!
What is the Klez virus? Klez is an insidious little program that uses fake "From:" and "Subject:" fields in email to spread itself by attachment. I first noticed the Klez virus because I was getting mail bounced to my address that I did not send. At first I thought I might be infected by Klez myself, since it uses an old vulnerability in Outlook and Internet Explorer. (If you haven't already, head to http://windowsupdate.microsoft.com, click on 'Product Updates' to check the list of available Microsoft Office updates, and PATCH YOUR SYSTEMS.) The Klez virus spreads as an attachment that doesn't necessarily need to be opened to run if you've got an unpatched system. The attachment downloads the virus payload to your computer and begins to use it to send bogus, virus-laden emails to the various addresses stored on your hard drive, with the "From:" line forged from those same harvested addresses. The bounces I was getting were failed attempts to spoof mail from me to potential recipients: an infected machine somewhere had my address on its disk, which is not the same as my being infected. Be wary of any strange emails these days (especially vicious is one variant of the Klez virus that purports to be bounced email with the original attached). Here's a Klez message opened with Notepad; note the signature Subject "japanese lass' sexy pictures":
[Begin Infected Message]
[Notepad shows the raw Outlook .msg file (an OLE compound document); the long runs of ÿ / þÿÿÿ padding bytes are trimmed here and the readable strings are kept in order]
Root Entry
__nameid_version1.0
__substg1.0_00020102  __substg1.0_00030102
X-UIDL  X-RCPT-TO
__substg1.0_00040102  __substg1.0_10020102  __substg1.0_100F0102  __substg1.0_10160102  __substg1.0_10170102  __substg1.0_10180102
__substg1.0_001A001E  __substg1.0_0037001E
IPM.Note
Re:jkeane,japanese lass' sexy pictures
SMTP:INFO@THOMASCIRCLESINGERS.ORG
Justin Keane  SMTP  jkeane@saint-vitus.com
info  SMTP  info@thomascirclesingers.org
__substg1.0_003B0102  __substg1.0_003D001E  __substg1.0_003F0102  __substg1.0_0040001E  __substg1.0_00410102  __substg1.0_0042001E  __substg1.0_00430102  __substg1.0_0044001E
info  Justin Keane  SMTP  jkeane@saint-vitus.com
Justin Keane  SMTP:JKEANE@SAINT-VITUS.COM
SMTP  info@thomascirclesingers.org
__substg1.0_00510102  __substg1.0_00520102  __substg1.0_0064001E  __substg1.0_0065001E  __substg1.0_0070001E  __substg1.0_0075001E  __substg1.0_0076001E  __substg1.0_0077001E
Re:jkeane,japanese lass' sexy pictures
SMTP  jkeane@saint-vitus.com  SMTP  jkeane@saint-vitus.com
Received: from mail2.virtualscape.com [66.40.255.150] by Mail4.Virtualscape.com with ESMTP (SMTPD32-6.06) id A82DCB300FE; Wed, 24 Apr 2002 22:21:33 -0400
Received: from Tvg [208.59.78.147]
__substg1.0_0078001E  __substg1.0_007D001E  __substg1.0_0C190102  __substg1.0_0C1A001E
    by mail2.virtualscape.com (SMTPD32-6.06) id A6DCAE100D6; Wed, 24 Apr 2002 22:15:56 -0400
From: info <info@thomascirclesingers.org>
To: jkeane@saint-vitus.com
Subject: Re:jkeane,japanese lass' sexy pictures
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=NRnewm09KsgpS
Message-Id: <200204242215734.SM00215@Tvg>
Date: Wed, 24 Apr 2002 22:16:00 -0400
X-RCPT-TO: <jkeane@saint-vitus.com>
X-UIDL: 268856706
Status: U
info  SMTP  info@thomascirclesingers.org
info  SMTP:INFO@THOMASCIRCLESINGERS.ORG
SMTP  info@thomascirclesingers.org
jkeane@saint-vitus.com
jkeane,japanese lass' sexy pictures
__substg1.0_0C1D0102  __substg1.0_0C1E001E  __substg1.0_0C1F001E  __substg1.0_0E02001E  __substg1.0_0E03001E  __substg1.0_0E04001E  __substg1.0_0E1D001E  __substg1.0_1013001E
<HTML><HEAD></HEAD><BODY> <iframe src=cid:X4kcJ39766b height=0 width=0> </iframe> <FONT></FONT></BODY></HTML>
<200204242215734.SM00215@Tvg>
mail.saint-vitus.com  00000001jkeane@saint-vitus.com  268856706  <jkeane@saint-vitus.com>
__substg1.0_1035001E  __substg1.0_300B0102  __substg1.0_8001001E  __substg1.0_8002001E  __substg1.0_8003001E  __substg1.0_8004001E
__properties_version1.0
__recip_version1.0_#00000000
jkeane@saint-vitus.com  SMTP  jkeane@saint-vitus.com
__substg1.0_0FF60102  __substg1.0_0FFF0102  __substg1.0_3001001E  __substg1.0_3002001E
jkeane@saint-vitus.com  SMTP  jkeane@saint-vitus.com  SMTP:JKEANE@SAINT-VITUS.COM
__substg1.0_3003001E  __substg1.0_300B0102
__properties_version1.0
[End Infected Message]
Obviously suspicious. The <iframe> tag is the really worrisome part: a zero-height, zero-width frame whose src points at a cid: attachment inside the message is a favorite way to get around Outlook security, because on an unpatched client the attachment runs when the message is merely previewed. If you're using a text-based mail client (like Madirish webmail) you're safe of course. The best way to protect yourself from Klez is to make sure you've got an up-to-date virus checker. Symantec has also released a Klez checker tool and instructions for use at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
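The two tells described above (a forged "From:" that does not match where the mail actually came from, and a hidden iframe loading a cid: attachment) can be checked mechanically. The following triage script is an added example, not code from the original post or from any vendor tool: it uses Python's standard email package on a constructed copy of the headers and HTML body transcribed from the Notepad dump above (with a dummy MIME part added so it parses), flags the hidden cid: iframe, and compares the "From:" domain with the host named in the earliest Received: header. The sample message, the function names and the domain-mismatch heuristic are this example's own assumptions.

```python
"""Triage a suspicious message for Klez-style tells (added example, not the
original post's code). Checks: (1) an invisible <iframe src=cid:...>, the
trick used to auto-run the attachment; (2) a From: domain that does not match
the host that injected the message, the reason bounces land on the wrong
person."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: headers and body transcribed from the dump above, with a
# minimal multipart wrapper added so the standard parser accepts it.
SAMPLE = b"""\
Received: from mail2.virtualscape.com [66.40.255.150] by Mail4.Virtualscape.com with ESMTP (SMTPD32-6.06) id A82DCB300FE; Wed, 24 Apr 2002 22:21:33 -0400
Received: from Tvg [208.59.78.147] by mail2.virtualscape.com (SMTPD32-6.06) id A6DCAE100D6; Wed, 24 Apr 2002 22:15:56 -0400
From: info <info@thomascirclesingers.org>
To: jkeane@saint-vitus.com
Subject: Re:jkeane,japanese lass' sexy pictures
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=NRnewm09KsgpS
Message-Id: <200204242215734.SM00215@Tvg>
Date: Wed, 24 Apr 2002 22:16:00 -0400

--NRnewm09KsgpS
Content-Type: text/html

<HTML><HEAD></HEAD><BODY> <iframe src=cid:X4kcJ39766b height=0 width=0> </iframe> <FONT></FONT></BODY></HTML>
--NRnewm09KsgpS--
"""


def hidden_cid_iframes(html):
    """Return the cid: targets of every iframe that is sized 0x0, i.e. a frame
    the reader cannot see whose content is an attachment of the same mail."""
    hits = []
    for m in re.finditer(r"<iframe[^>]*>", html, re.IGNORECASE):
        tag = m.group(0)
        src = re.search(r"\bsrc\s*=\s*['\"]?cid:([^\s'\">]+)", tag, re.IGNORECASE)
        zero_h = re.search(r"\bheight\s*=\s*['\"]?0\b", tag, re.IGNORECASE)
        zero_w = re.search(r"\bwidth\s*=\s*['\"]?0\b", tag, re.IGNORECASE)
        if src and zero_h and zero_w:
            hits.append(src.group(1))
    return hits


def origin_host(msg):
    """The last Received: header is the earliest hop, i.e. the machine that
    handed the message to the first relay. Returns (name, ip) or None."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+(\S+)\s*\[([\d.]+)\]", str(received[-1]))
    return (m.group(1), m.group(2)) if m else None


def from_domain(msg):
    """Domain part of the (possibly forged) From: address, lower-cased."""
    addr = msg["From"].addresses[0].addr_spec
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw):
    """Parse raw RFC 822 bytes and return a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for cid in hidden_cid_iframes(part.get_content()):
                findings.append(f"hidden iframe loads cid:{cid}")
    origin = origin_host(msg)
    sender = from_domain(msg)
    # Crude heuristic (assumption of this example): a legitimate sender's
    # domain usually appears in the name of the host that injected the mail.
    if origin and sender not in origin[0].lower():
        findings.append(
            f"From: domain {sender} vs injecting host {origin[0]} [{origin[1]}]")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("SUSPICIOUS:", line)
```

Run against the sample it reports the hidden frame loading cid:X4kcJ39766b and that the mail claiming to be from thomascirclesingers.org was injected by a host called Tvg at 208.59.78.147. That second finding is exactly what to look for in the original attached to a bounce you never sent: the earliest Received: line names the infected machine, not you.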
For more information on the Klez virus take a look at:
http://www.tripwire.com/press/integrity_alerts/ia030602b.cfm
http://antivirus.about.com/library/blklez.htm