View Full Version : about the "I-worm.keywo"

06-10-2002, 09:57 AM
A friend asked me for help Friday, When he started the computer the virus logo would come up and go away, then you could not go into the program, also you could not go on to internet,

I have a three point plan, to stop virus,
(1) first when I check my Email I check with a program called "mailwasher" to see details on the Email before I download anything. and can delete from the internet provider, so a email virus never see my computer.

(2) I have set my mail rules "don't download if the Email size is bigger than 10K"
then I had to increase that to 18K. This method has all ready stopped download Email attachments that the Email group I am in said had a virus to it, before I installed "mailwasher".

(3) You guest it, I keep my anti virus program up to date.

and my last words

I would prefer to delete a Email than too answer my question "What is in that Email" Internet has giving me plenty to read, why should I read that email?

06-10-2002, 10:43 AM
This was received Friday.
It did not come from add1@domain1.co.nz, nor did it come from John Smith.

The subject matter was off the senders system, with a spoofed "from" address, tied to a real name from the subject matter.

Interestingly it han no virus attached or embedded. I believe it is a Klez infestation on the senders machine.

As recipient@domain2 is not commonly used, I was able to figure out who would have it on their system, as well as addy1@domain1.

Turns out that person was on dial-up at precisely the time it was sent...

real names have been changed.

Return-Path: <addy1@domain1.co.nz>
Received: from mta2-rme.xtra.co.nz ([xxx.xx.xx.xxx])
by mta201-rme.xtra.co.nz with ESMTP
id <20021004053249.HQCB7085.mta201-rme.xtra.co.nz@mta2-rme.xtra.co.nz>
for <recipient@domain2.co.nz>; Fri, 4 Oct 2002 17:32:49 +1200
Received: from smtp2.clear.net.nz ([yyy.yy.yy.yy]) by mta2-rme.xtra.co.nz
with ESMTP
id <20021004053248.SKBH21165.mta2-rme.xtra.co.nz@smtp2.clear.net.nz>
for <recipient@domain2.co.nz>; Fri, 4 Oct 2002 17:32:48 +1200
Received: from default (zzz-zzz-zzz-zzz.dialup.clear.net.nz [zzz-zzz-zzz-zzz])
by smtp2.clear.net.nz (CLEAR Net Mail)
with SMTP id <0H3F00MU0ZDBXH@smtp2.clear.net.nz> for recipient@domain2.co.nz;
Fri, 04 Oct 2002 17:32:48 +1200 (NZST)
Date: Fri, 04 Oct 2002 17:32:23 +1200 (NZST)
Date-warning: Date header was inserted by smtp2.clear.net.nz
From: John Smith<addy1@domain1.co.nz>
Subject: Re: Japanese girl VS playboy
Message-id: <0H3F00MU1ZDBXH@smtp2.clear.net.nz>
MIME-version: 1.0
Content-type: multipart/alternative; boundary=----------KHRYK9QWD51H7LB

Content-Type: text/html;

I'm out of the office for the week 22-26 April.

I will receive your email on Monday 28th April.


John Smith
Company Name

Jim B
06-10-2002, 11:17 AM
It is the Klez virus no doubt about it.
The attachment was probably deleted by ISP filters

06-10-2002, 05:49 PM
I got an e-mail from someone I didn't know (I use OE). Had no attachment and subject was "Out of office reply". I deleted it without even opening it as I was a bit paranoid because of recent events. My question is this.. Is it only the attachment of an e-mail that one should be wary of, or is it good practise to delete any unusual e-mails with or without attachments?

06-10-2002, 06:52 PM
In OE (or any MS product) I think some can carry nasties in the HTML code that affect OE etc. Not seen any proof, but thats what is on some info sites.

Have a look at Symantec and McAfee sites, look up some of the variants and descriptor of how they operate.

Basically, if it MS its at risk it appears.

I have to "cleanse" the computer that sent me the above tonight, its likely to be a long job. It was aquired S/H and no CDs with it, if its W98, I cant help either, dont have that one.

Prime task is to get data off it. As its a laptop, I will try a PCMCIA CF adapter and take it off that way or use my 32 MB Floppy adapter.....late night I would say, with a break for the NRL.