"Hey, you sent me a virus,"
comes the angry message. "That's impossible!" you
reply. Unfortunately, with the new computer viruses, you could
both be at least justified in your claim.
The Klez virus started spreading last April,
but lately this virus has become the most common computer
virus out there. Klez has become so prevalent because people
who have it don't know they have it (or they are in denial),
and people who get it really have no way to tell where it
came from. You can be impacted by the Klez virus even if you
don't have it on your machine, and a lot of the impact comes
from mail that comes in response to someone else's
Klez infestation.
Below is an image of an inbox beset by the Klez
virus. There are a number of examples here that we will explain
individually.
The first one we'll look at is the one with
the subject "LCase(Npath)."
This is the classic Klez virus
e-mail. Klez will come with a random subject message and a
random attachment. In this case, the e-mail is protected by
Norton Anti-Virus so the infected attachment was deleted and
replaced by Norton with an attachment explaining that the
virus was deleted. If the infected file remained - and was
actually clicked on, Klez would infect the receiving computer,
create more e-mails, and send itself from the infected computer
to others found in the infected computer's Outlook Express
address book.
Unlike some other e-mail-borne
viruses, Klez forges the "From" address in the outgoing
mail with another address in the address book. The consequences
of that are causing most of the confusion and a lot of calls
to ISP help desks.
Here's an example. The Klez virus
infects my machine. My address book contains the addresses
of george@example.com and mary@example.com.
Klez sends an e-mail from my computer to Mary, and while doing
so forges the "from" address - making it appear
the e-mail is coming from George when it's really coming from
me. Mary sees George's address and thinks he sent the mail.
George never did anything. No one knows where the e-mail really
came from.
Let's look at another e-mail from
the box above, the "undeliverable."

Somewhere out in Internet land, someone has
the Klez virus. The Klez virus tried to send itself to a bad
address. That bad address bounced the e-mail back. But it
bounced back to the forged "from" address, not to
the person who sent it. I didn't send this mail. I've never
seen it, but it's in my e-mail box looking like it originally
came from me anyway. Klez will look for addresses in your
address book and in your web cache and send itself with wild
abandon to anyone it can find.
Here's a third example from the above mailbox:

This is the destination mail server
telling me that I sent someone a virus. I never sent this
mail. I don't have a virus. Some other computer has the virus
and forged my address in the "from" box of the outgoing
e-mail - and the remote mail server computer can't tell the
difference.
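One way to check a bounce like the two above, as an added example that is not part of the original article: it pulls the returned headers out of the bounce and compares the IP recorded by the bouncing server with the hosts that really send your mail. The sample bounce, the addresses and the MY_OUTBOUND_IPS set are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample bounce; example.* names and RFC 5737 documentation IPs.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: me@example.com
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

User unknown: nobody@example.net
--b1
Content-Type: text/rfc822-headers

Received: from pc42 (unknown [203.0.113.77]) by mx.example.net; 6 Sep 2002
From: me@example.com
To: nobody@example.net
Subject: LCase(Npath)
--b1--
"""
MY_OUTBOUND_IPS = {"192.0.2.25"}  # assumption: the only hosts that send my mail

def triage_bounce(raw, my_ips):
    """Check whether a bounce refers to mail that really left our servers."""
    bounce = message_from_string(raw, policy=policy.default)
    original = None
    for part in bounce.walk():
        if part.get_content_type() == "text/rfc822-headers":
            original = message_from_string(part.get_content(), policy=policy.default)
        elif part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
        if original is not None:
            break
    if original is None:
        return {"claimed_from": None, "origin_ip": None, "verdict": "no-original"}
    # The top-most Received line was written by the server that bounced the
    # mail; it records the IP that connected, whatever "From" claimed.
    received = original.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    origin_ip = m.group(1) if m else None
    verdict = ("unknown-origin" if origin_ip is None
               else "sent-by-us" if origin_ip in my_ips else "forged-from")
    return {"claimed_from": str(original["From"]), "origin_ip": origin_ip,
            "verdict": verdict}
```

A "forged-from" verdict means the bounce is fallout from someone else's infection; "sent-by-us" means the mail did pass through your own sending host and the machine behind it needs scanning.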
If you're getting these messages, you can't
assume it's just someone else with the virus and you don't
need to do anything. Not all variants of Klez actually spoof
addresses. You may indeed be the culprit. If that is the case,
you owe it to everyone you e-mail to check it out and make
certain.
Symantec, the manufacturer of Norton Anti-Virus,
has a free tool on their web site that will scan, identify
and clean up many varieties of Klez. The directions may seem
complex, but they're really not, and until you've scanned
your system with this, or some other up-to-date anti-virus
software, you can't really say that you're not the one spreading
the virus.
Because of its source-concealing nature, Klez
has become the most
prevalent virus in the history of the Internet. Hopefully,
it will die out like other viruses, but for that to happen
users will have to learn how to avoid it. You should NEVER
open an e-mail attachment from someone you don't know or that
you're not expecting. All incoming e-mail and files should
be scanned with some virus checking software.
The links below will tell you more about Klez
and e-mail viruses in general:
Symantec Anti Virus Resource Center
W32.Klez.H@mm
by Chad Gilley
Manager of Online Content
September 6, 2002