Here are some notes that Symantec (the company who creates Norton
Anti-Virus) put together to help explain the confusion the Klez worm
causes.
=====================================
NOTES:
Because this worm uses a randomly chosen address that it finds on an
infected computer as the "From:" address, numerous cases have been
reported in which users of uninfected computers received complaints
that they sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with
W32.Klez.H@mm. Linda is not using a antivirus program or does not
have current virus definitions. When W32.Klez.H@mm performs its
emailing routine, it finds the email address of Harold Logan. It
inserts Harold's email address into the "From:" portion of an
infected message that it then sends to Janet Bishop. Janet then
contacts Harold and complains that he sent her an infected message,
but when Harold scans his computer, Norton AntiVirus does not find
anything--as would be expected--because his computer is not infected.
If you are using a current version of Norton AntiVirus and have the
most recent virus definitions, and a full system scan with Norton
AntiVirus set to scan all files does not find anything, you can be
confident that your computer is not infected with this worm.
There have been several reports that, in some cases, if you receive a
message that the virus has sent using its own SMTP engine, the
message appears to be a "postmaster bounce message" from your own
domain. For example, if your email address is jsmith@anyplace.com,
you could receive a message that appears to be from
postmaster@anyplace.com, indicating that you attempted to send email
and the attempt failed. If this is the false message that is sent by
the virus, the attachment includes the virus itself. Of course, such
attachments should not be opened.
If the message is opened in an unpatched version of Microsoft Outlook
or Outlook Express, the attachment may be automatically executed.
Information about this vulnerability and a patch are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
If your still feeling uneasy download their removal tool and run the
tool per the instruction provided. Not only will this tool remove
the worm if found but it will tell you if it doesn't find it.
As always keep your virus definition files up to date. The current
revision is dated 5/9/2002 rev. 22.
-----------------------------------------------
Bob Muir Bob_Muir@uncg.edu
Physics & Astronomy 336-334-3255
UNC Greensboro
P.O. Box 26170
Greensboro, NC 27402-6170
-----------------------------------------------
Life is NOT a dress rehearsal.
The trouble with reality is -- it's never the
way you imagine it! -- Moira (For Better or
for Worse)