
FAO Jack Clark or other AV experts!

 
Old 10 May 2002, 12:33 PM
  #1  
Chris L
Scooby Regular
Thread Starter
 

Bit of a problem:

Sal received an email from Richard Askew this morning that she had unknowingly sent him an email with the title - "Welcome to my hometown". This I know refers to the W32/Klez.h@MM virus. This would appear to have originated from Sal's 'Scoobychick@scoobynet.co.uk' email address.

What we are not sure of is where it came from. I run McAfee AV Clinic on the PC at home. I did a full system sweep last week and it found nothing. I know that this is a clever virus and it can turn itself off to avoid detection, so I have been following the instructions on the McAfee Clinic homepage to do a manual sweep, just to check.

I've had a look at the suggested registry entries and there is no reference to the infected file. I've also checked to make sure I'm running the latest DAT files.

I was trying to run the manual sweep from a command prompt following the instructions for W2K. In these it asks you to open the following path:

cd \progra~1\common~1\networ~1\viruss~1\4.0.xx

The problem is I don't have a 'networ~1' subdirectory (I'm assuming this would refer to networked drives or something similar, which I don't have?). Also I can't find the 'scan.exe' file that the instructions refer to as well.

My question is: Is there another way of running the manual sweep to check our PC?

Details of the McAfee instructions can be found here

Any help appreciated.

Cheers
Chris
Old 10 May 2002, 01:16 PM
  #2  
HHxx
Scooby Regular
 

It will probably be very hard to track down the source of the email; the virus changes the sender's address to a random one from the victim's address book.

You could look in the email header and try to work out which ISP the email came from. Thus, maybe, finding out the actual sender and warning them.

As for removing it, I have no idea, sorry.

H
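
The header check suggested above, as an added example that is not part of the original thread: it ignores the spoofable From line and reads the Received chain from the top, stopping at the first line not written by the recipient's own mail servers. The message, hostnames and trusted-server list are constructed assumptions, and the IPs are documentation ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample. Hostnames are hypothetical; IPs are documentation ranges.
RAW = """\
Received: from mx1.recipient.example (mx1.recipient.example [10.0.0.5])
\tby mailstore.recipient.example with ESMTP; Sun, 12 May 2002 14:14:50 +0100
Received: from dialup-45.isp.example (dialup-45.isp.example [203.0.113.45])
\tby mx1.recipient.example with SMTP; Sun, 12 May 2002 14:14:46 +0100
Received: from mail.claimed.example ([198.51.100.7])
\tby dialup-45.isp.example; Sun, 12 May 2002 14:14:44 +0100
From: victim@claimed.example
To: someone@recipient.example
Subject: Hello,meeting notice

body
"""

# Assumption: the recipient's own mail servers, whose Received lines we trust.
TRUSTED = {"mx1.recipient.example", "mailstore.recipient.example"}
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def submitting_host(raw, trusted):
    """Return (ip, recorded_by) for the first outside host a trusted MTA saw."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):      # newest hop first
        by = re.search(r"\bby\s+([\w.-]+)", hdr)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)  # IPv4 only
        if not by or by.group(1).lower() not in trusted:
            break        # written by a host we do not control: can be forged
        if not ip:
            continue
        addr = ip_address(ip.group(1))
        if not any(addr in net for net in INTERNAL):
            return str(addr), by.group(1).lower()
    return None

def report(raw, trusted):
    """Pair the (spoofable) From address with the host that really connected."""
    claimed = parseaddr(message_from_string(raw)["From"])[1]
    return {"claimed_from": claimed, "submitted_by": submitting_host(raw, trusted)}

if __name__ == "__main__":
    print(report(RAW, TRUSTED))
```

The IP and timestamp from that trusted Received line are the details the sending ISP needs to identify the infected machine; anything lower in the chain was supplied by the sender and proves nothing.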
Old 10 May 2002, 01:30 PM
  #3  
JackClark
Scooby Senior
 

H is correct. Even if your version of McAfee is a month or more out of date it would pick up this 'pain in the butt' virus.

There are infected mails floating around that appear to come from my work email address as well. I can assure you that my machine is clean although it did cause me a major headache.
Old 10 May 2002, 01:58 PM
  #4  
Scoobychick
Scooby Regular

Cheers for the prompt replies guys. So it looks like it's not come from me after all, phew. We thought it was strange as our AV is all bang up to date.

Cheers

Sal.
Old 10 May 2002, 07:22 PM
  #5  
Chris L
Scooby Regular
Thread Starter
 

Thanks Guys - pain in the **** is about right

Cheers
Chris
Old 12 May 2002, 07:23 PM
  #6  
ChrisB
Moderator
 

Just had the same happen to me...

The message sender was
Scooby@cxi.org.uk

The message was titled Hello,meeting notice
The message recipients were
GraemeF@teletext.co.uk

The message date is Sun, 12 May 2002 14:14:44 +0100
Found the W32/Klez.h@MM virus !!!

Impressive considering I was about 20 miles from my PC sat in the front garden at Michelle's enjoying the sun.

Does Klez pull addresses from your IE Cache? That's my published ScoobyNet addy and not one I use a lot.
Old 13 May 2002, 10:34 AM
  #7  
DominicA
Scooby Regular
 

KLEZ is a very tricky one to pinpoint. We had one arrive here that got stopped. Was pretending to be sent from the recipient here and contained text that he had put up on a BBS about 2 years ago!! The headers were all full of crap. Latest patterns will protect you.

Old 13 May 2002, 11:19 AM
  #8  
JackClark
Scooby Senior
 

Chris,

"It pulls them from files alright, who cares what files!!" is the moody Monday answer I was given.
Old 13 May 2002, 11:31 AM
  #9  
Scoobychick
Scooby Regular

Chris

Yep, same thing here, I apparently sent one to myself when I was nowhere near my PC too.

Had another today from someone I don't know, deleted it without reading tho'.

What a git of a virus

Sal