LINUX GAZETTE

[ Prev ][ Table of Contents ][ Front Page ][ Talkback ][ FAQ ]

"Linux Gazette...making Linux just a little more fun!"


The Back Page


Wacko Topic of the Month


Klez.E worm, bad bad dude

Contributed By Iron

Normally, I don't think much about spam. It's easy to spot it in a mail index. Spam just doesn't have plausable Subject: lines. Too many capital letters, too many '$' and other symbols, and words that no person would put in a subject; e.g., "Here's the info you asked about."

Three weeks ago, I started receiving a lot of binary attachments. After two weeks of seeing the same subject lines over and over, I started keeping count. 241 messages in 9 days, or 32 MB. Ironically, the culprit itself revealed its identity. One of the subjects was "W32.Klez.E removal tools". I headed to www.datafellows.com, searched for "Klez.E", and sure enough, it's a worm.

http://www.europe.f-secure.com/v-descs/klez_e.shtml

It's quite a complicated little beastie. It has a large pool of subjects to choose from and also incorporates phrases it finds in files. It has a built-in SMTP client and sends itself to whoever it finds in your Outlook address book, pretending to be From: somebody else in your address book.

Linux users of course can't get infected, although it can leak onto Linux mailing lists and pretend to be From: a Linux user. But Windows users who are unlucky enough to run the program or let IE or Outlook automatically execute it will have their documents overwritten with random data, their anti-virus programs disabled, and their address book harvested. Often it pretends to be an audio file, exploiting a bug in some Windows programs that automatically executes audio attachments.

In the past week, the worm has forged the addresses of both Alex (former Answer Gang member and column writer) and the Editor Gal (Heather), and sent three messages to a linux-list recipient claiming to be From: linux-list. Interestingly, the addresses it chose for Heather and the linux-list person were obsolete.

I have no idea why the Gazette address has the honor of receiving 99% of these critters.

What burns me up was not only the bandwidth but the sneaky way it tries to trick you into running the attachments, claiming to be a Win XP patch (that's what first got me suspicious) or an anti-virus tool against itself. Some of its messages include the URLs of real anti-virus companies as a way to sound legitimate.

A Win XP patch
Your password
A nice game
	This is a very  nice game<br>
	This game is my first work.<br>
	I hope you would enjoy it.
A special excite game
If you're not connected to the Internet
W32.Klez.E removal tools
	<FONT>Sophos give you the W32.Klez.E removal tools<br>
	W32.Klez.E is a  dangerous virus that spread through email.<br>
	<br>
	For more information,please visit http://www.Sophos.com</FONT>
Worm Klex.E immunity
        <FONT>Klez.E is the most common world-wide spreading worm.It's very
        dangerous by corrupting your files.<br> Because of its very smart
        stealth and anti-anti-virus technic,most common AV software can't
        detect or clean it.<br> We developed this free immunity tool to defeat
        the malicious virus.<br> You only need to run this tool once,and then
        Klez will never come into your PC.<br> NOTE: Because this tool acts as
        a fake Klez to fool the real worm,some AV monitor maybe cry when you
        run it.<br> If so,Ignore the warning,and select 'continue'.<br> If you
        have any question,please <a href=3Dmailto:[email protected]>mail to
        me</a>.</FONT>
W32.Elkern  removal tools
        W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP.
        Trendmicro give you the W32.Elkern removal tools
        For more information,please visit http://www.Trendmicro.com
Hi,gazette,darling
Introduction on ADSL
False) window.parent.GoNext()
Tooltips.style.visibility
CELLSPACING
	Content-Type: audio/x-wav; name=height.bat
So cool a flash,enjoy it
	name=Nt324-00.doc
A  IE 6.0 patch
	name=sidprod1[1].htm
Password.  Make sure you remove the cookies by
Cutest subject: "there's a solution". It sounds like a religious evangelist, but with the vagueness of a fortune cookie.

First non-English subjects: "Impostati", "Bliver brugt i Netscape".

Ben sent in this procmail stanza that catches all messages with Windows binary attachments and sends them to /dev/null:

# Goodbye to all the fools sending me "executable" attachments
:0B:
* name=.*(\.exe$|\.scr$|\.pif$)
/dev/null
I wrote a recipe that catches the subject lines used by this worm, with double spaces after the words it uses double spaces after. It puts the messages in I.worm in my mail directory. ("I." is the common prefix for my incoming mailboxes.)

misc/backpage/klezkiller.procmailrc.txt

To generate the subject lines:

grep -i 'Subject:' spambin | tr A-Z a-z | sed 's/subject: //' | sort -u >victims

I've also started temporarily moderating linux-list, where it also tried to spread. And I've been collecting these critters in a mailbox and sending complaints to the postmaster@ and abuse@ the relay ISPs, and blocking mail from those that don't respond.

Breen Mullins writes:

Yeah, we're seeing it. This is one mean little sucker. It has the usual features of an Outlook-based worm, with the charming addition that it uses a random address from the victim's address book as the From: address when it tries to propogate itself. When you're accused of spreading Windows worms from your linux box, that's why.

More from Symantec: http://www.symantec.com/avcenter/venc/data/[email protected]

The colleague who answers the support@ mailbox here reports receiving 282 of these in 5 days.

Elkern virus

The worm also drops a virus, Elkern. http://www.europe.f-secure.com/v-descs/elkern.shtml. One curious fact:
Curiously, "the virus doesn't work on any operating system except Windows 98 because of a serious bug in its code. Due to some blind luck the virus also works on Windows 2000... When the main code gets control, the first thing is does is calls the IsDebuggerPresent API function. But the virus calls this function using a fixed API address and this address is only valid for Windows 98. On all other systems the virus just crashes. ... [Stuff about registry keys it sets] ... On Windows NT this doesn't happen because the virus crashes. Due to a dumb luck the virus doesn't crash on Windows 2000 though it calls a non-existing API address. "

Didier Heyden writes:

Trendmicro/antivirus.com describes the worm's attack scheme:

It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.

The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi so that when recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook."

However Trendmicro also pretends that the thing (at least the `E' and `H' variants) composes the message body "randomly"... The `H' variant is supposed to contain the following strings:

Win32 Klez V2.01 & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32
Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three
weeks from having such idea to accomplishing coding and
testing"
The sender `from:' address seems to be taken randomly either from the infected user's address book (which means that the apparent originator is not necessarily infected her/himself), or from a set of hardcoded addresses.


Not The Answer Gang


Bill Danzon:

Well I never! I didn't expected such a prompt reply. Don't you have to tack, jib or shiver your timbers occasionally on that boat of yours?

Ben Okopnik:

Nah. These days, it's all done by computer. I just sit back and watch as the boat crashes into, erm, well, I never did trust them damn machines anyhow. What were we talking about?

Bill:

Early tomorrow I will be leaving home and driving 1000 miles to the Belgium coast to catch a 14-hour ferry to the north of England and don't know when I'll be returning. Pure coincidence, I assure you. No. Really. It has nothing whatsover to do with being threatened by "dustbunnies", whatever they are.

Iron:

Better go to Scotland. If it's cold enough that tomatoes don't grow up there, maybe you're safe from dust bunnies too. Dust bunnies are those clumps of dust that accumulate behind and underneath furniture. Sounds like there might be a dust bunny convention under your sofa.

Thomas Adam:

On behalf of the English people who are resident at TAG (including myself) -- welcome to England, Bill.

Ben:

Yikes. I didn't know that there _was_ a 1000 mile stretch you could drive in Europe...

I'm just kidding, of course. I mean, at least there the Le Mans... That's a strange highway, though; after a while, the faces in the crowds along the side of the road (and *boy* are they big crowds - you'd think they've never seen a car before!) begin to look _really_ familiar, like they were *repeating* or something. And there's no place to pull over and buy a hot dog, either.

Thomas:

That would be too "American" -- :-) Indeed, there is always a nice little tea room, where one can get their "tea and scones"!! :-)

Ben:

*And* when I got off it, it looked like the same town I started in! What a bore. I'm never going back there again.

Thomas:

Lol, how so, Ben?? You mean you got fed up of the thatched roofs...but I thought you Americans liked all the picturesque scenary? -- No?? You did watch "Inspector Morse"??

Ben:

Oh, and if you're going to England, be careful: there's supposed to be this fella there named Thomas Adam, and he... Oh, - *hi*, Thomas! So nice to see you! I was just telling Bill here what a great country you have, with flush toilets and payphones, even... I've already arranged the low, low down payment and a great interest rate, and he sounds interested. <grin>

Thomas:

What? didn't your Mum (oh....sorry "mom") teach you where the pull-chain was?? :-)

Ben:

Nah; I was too busy learning to spell "tire", "maneuver", and "apothegm" the right way. :) I figured out pull-chains on my own.

Thomas:

Easy Ben. Hows the sunglasses, incidentally??

Ben:

Still dark and menacing as ever, thanks.

Thomas:

--Mr. Thomas Adam (English, by the way!!)

Ben:

<blink, blink> Really? There I was, thinking that the county of Dorset was on Mars. Silly me...

Sendmail for kids

I'm not old enough to use Linux yet . But I'm trying to configure the Linux ( send mail) to work as mail relay and I couldn't. where can I find clear documentation for configuring the Linux to work as Mail relay ??

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

(!) [Iron]

I didn't know there was a minimum age to use Linux. If you're old enough to write an e-mail, you're old enough to write Linux.

Are you old enough to set your mailer so it sends us only text-format messages, not HTML format? Text messages are easier for us to read and respond to, and are the standard for Internet e-mail.

You're not old enough to use Linux and you're trying to configure Sendmail??? Mamma mia! Why? Use a mail transfer agent like Postfix that's much easier to configure than Sendmail.

What exactly do you want to do, what have you tried, and what are the problems?

I assume by "mail relay" you just mean you want Sendmail to work, so you can send mail from and to your computer. That's not a mail relay. A "mail relay" means that your Sendmail program accepts mail *from non-local senders to non-local recipients*. Normally, Sendmail accepts mail only if it's *from a local user* or *to a local user*. Otherwise, you open up your mail server for exploitation by spammers.

If this is the central mail server for an organization, it probably accepts mail from computers in the organization but not from other computers. This is technically "relaying", but with most mail transfer agents you don't configure it as a relay, instead you tell the program these are local addresses.

If you're trying to be a spammer yourself, see Linux Gazette's advice for crackers: #1 #2


Ben:

Unfortunately, when I tried to notify Faber, his mail server said <choke><gag><puke>

So, I'm putting it up here. Some of you might care, others hit 'delete' - and Faber, presumably, will get a high-speed cartoon brick with a message wrapped around it, telling him to smack his server so that it will take my messages and _like_ it.

<making faces at Faber's server> Nyah. :)


Iron:

Anybody want to take a crack at this? It's an *.exe attachment supposedly sent by Microsoft to all its customers, a security upgrade for IE and Outlook/Express.

Ben:

Ah yes; another sleaze trying a bit of social engineering. Let's see...
----- Forwarded message from Microsoft Corporation Security Center
 -----

Date: Sun, 17 Mar 2002 20:35:29 -0600
From: "Microsoft Corporation Security Center" 
To: "Microsoft Customer" <'[email protected]'>
Subject: Internet Security Update
Yeah, *right*. Micros*ft may produce a broken OS, be in league with the Dark Forces, and smell of elderberries, but they're *not* stupid enough to spam millions of people. Sorry, slimeball; try elsewhere.
Microsoft Customer,

     this is the latest version of security update, the

known security vulnerabilities affecting Internet Explorer and
MS Outlook/Express as well as six new vulnerabilities, and is
discussed in Microsoft Security Bulletin MS02-005. Install now to
protect your computer from these vulnerabilities, the most serious of which
could allow an attacker to run code on your computer.
First off, the poor English should trigger off warnings; you don't "protect from" vulnerabilities; dependent clauses need a referent; and "security update" takes a definite article. An articulate seven-year old, or an under-educated teenager? Take your pick.

"Don't delay! Grab the patch from *THIS* Micros*ft site RIGHT NOW!!!"

http://www.microsoft.com\no+really:this_is=the+real+thing@666_666

Heather:

[Dear Microsoft Customer: pleez run this attachment to induce^H protext from evildoer accezz]

Yeah, this whole thing sparked me to mantion a "warning in case you have gullible end users" to my local sysadmins list.

NEWS FLASH

Reports of a new strain of the "lack of clue" virus, in which people who lack a clue when dealing with email attachments are victimized easily, is going around.

This one affects all clueless Microsoft customers and is invoked when the hapless victim opens an attachment claiming to be "from Microsoft" (CLUE: Microsoft never sends attachments. They have a website and a rather annoying auto-update system. They don't need to waste their own email bandwidth spamming customers with update .exe packets).

Linux users are largely immune, as are freeBSD users, but users of MSwin based mailers which "helpfully" open attachments for them are heavy sufferers in this ailment. Linux and BSD folk who use WINE or DOSEMU and have made any special effort to autolaunch those sort of binaries should beware though. ("Too much clue" is also a problem at times...)

Sites using a central SMTP gateway can apply filters against undesired attachments. If you don't have a clue what policy to apply, consider dumping all mail bearing attachments with the "Known Dangerous Extensions" - a Microsoft Knowledge Base document available on their website - into some moderated account which is maintained by a user with no interesting privileges, or to pass it through some antivirus scanning.


Subject: Precious Cat News
Quality Scoopable Litter Solutions

Iron:

Anyone want to take a shot at this? Lampooning for the Back Page open for business now. Notice question 2, "Why won't my cat use the litter box?" and "Quality scoopable litter solutions".

Heather:

for a proper firewall, we recommend you load the ip-cardboard module, although ip-plastic-with-lid has also been found effective. The selfscoop module may not be compatible with your cat if she hates the disk noises while it updates the logs...

Ben:

*There's* the problem, right there. You should be loading the "catp-*" versions of those modules, instead; the "ip-*" subset is intended for those humans who are silly enough to want to _demonstrate_ for their fussy fuzzy furball.

Heather:

Hmm, purrr-haps. I hear that the catp-plastic-liner module has to be unloaded manually, but the entire system is sub-optimal if you don't load it....

Results are kinda gross, actually. I predict incompatibility with most kitchen protocols, especiially teen-chores.


i'm a student at aylesbury college and i have a pre-release question which requires me to compare two operating systems and i have choosen linux as one of my choices, please could you send me information on linux's main features and requirements this would be most appreciated,

(!) [Iron]

Ah, but your professor wants you to do the research yourself.

  1. Look on the back of the box of any Linux distribution.
  2. Look at the distributions' web sites. Linux Weekly News (http://lwn.net/) maintains a list of distributions somewhere.
  3. See the Linux FAQ and Linux Meta-HOWTO at http://www.linuxdoc.org/ . Hint: while you're reading, note the large number of filesystems and network protocols Linux supports: it can communicate with a wider variety of computers than most other OSes can.
PS. What's a "pre-release question"?

(!) [Don Marti]

Yes, of course. Linux is the OS that causes cancer. http://www.theregister.co.uk/content/4/19396.html

Linux is also obsolete. http://groups.google.com/groups?selm=12595%40star.cs.vu.nl

It was written by high school students who are in jail now. http://geraldholmes.freeyellow.com/LinusSucks.html

(!) [Iron]

Wow, that last link gave me four, count 'em, four popup ads before I managed to turn off Javascript.


STOP THE GENOCIDE
Erkki Tapola 29-Jul-96

Every second billions of innocent assembler instructions are executed all over the world. Inhumanly they are put on a pipeline and executed with no regard to their feelings. The illegal instructions are spared, although they should be executed instead of the legal ones.

Prior to the execution the instructions are transported to a cache unit using a bus. There they spent their last moments waiting for the execution. Just before the execution the instruction is separated into several pieces. The execution isn't always fast and painless. On crude hardware the execution of a complex instruction can take as long as 150 clock cycles. Scientists are working on shorter execution times.

Microsoft endorses the needless execution of instructions with their products like DOS(TM), Windows(TM), Word(TM) and Excel(TM). It is more humane to use software which minimises the executions.

Modern machines use several units to execute multiple instructions simultaneously. This way it is possible to execute several hundred million instructions per second. The time is near when there will be no more instructions to execute.


Ben:

the secret handshake

Iron:

Oh, now he's going around trying to convince people there's a secret handshake. Do you get kickbacks from people when you show them the handshake? Is that why you were able to trade your boat in for a yacht?

Just to make it clear, THERE IS NO OFFICIALLY-SANCTIONED LINUX GAZETTE HANDSHAKE!!! If anybody tries to tell you there is and offers to teach it to you for a "donation", tell them to jump off a short plank into Chesapeake Bay.

PS. I think Ben should host a Linux Gazette New Year's party on his fancy new yacht.

Ben:

"Flash! Pending sub-zero temperatures for Hades and the immediate vicinity, Ben will not - I repeat, not - be getting a new yacht. Current temperatures are approximately 820F, slightly higher near boiling lakes of sulphur. The weather should continue unseasonably warm and mild over the course of the next three thousand millenia..."


World of Spam


I have been mandated by my colleagues on the Panel to seek your assistance in the transfer of the sum of US$18.5 Million into your Bank account. As you may have known, the late General Abacha and members of his government embezzled billions of dollars through spurious contracts and payments to foreigners between 1993 and 1998 and this is now the subject of the probe by my Panel.

In the course of our review, we have discovered this sum of $18.5 Million, which the former dictator could not transfer from the dedicated account of the Central Bank of Nigeria before his sudden death in June 1998. It is this amount that my Colleagues and I have decided to acquire for ourselves through your assistance. This assistance becomes crucial because we cannot acquire the funds in our names and as government officials we are not allowed to own or operate foreign bank accounts.

[Bah, they want to acquire knowingly-embezzled funds for themselves, and need a partner because as government officials they can't open a government bank acct? -Iron.]

To: [email protected]
Cc: [email protected], [email protected], [email protected],
	[email protected], [email protected], [email protected],
	[email protected], [email protected], [email protected],
	[email protected], [email protected], [email protected],
	[email protected], [email protected], [email protected],
	[email protected], [email protected], [email protected],
	[email protected]
Subject: i recommend trying this                    .

$$$GET A FREE MILLION ON TOP OF EVERY ORDER. IF YOU ORDER WITHIN 2 DAYS OF ORDERING!
Subject: [TAG] Linux-questions-only, let's boost your internet speed by up to 220%

Happy Linuxing!

Mike ("Iron") Orr
Editor, Linux Gazette, [email protected]


Copyright © 2002, the Editors of Linux Gazette.
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 78 of Linux Gazette, May 2002
[ Prev ][ Table of Contents ][ Front Page ][ Talkback ][ FAQ ]