IWETHEY

We use Command . .
. . because it's the easiest to keep updated on a CD-ROM I can carry around. The [link|http://www.commandsoftware.com/virus/kerp.html|Klez.H tool] is free. An up-to-date antivirus (Post April 19th) to keep you uninfected is not (download Command for $24).

An important thing is to use the Klez tool in Safe Mode (works on all Win95/98/Me, NT, XP, 2000) and put on an updated antivirus before reattaching to the network. This thing spreads fast.

I know Symantec has a Klez tool, and I presume everyone else does too.

Some machines I have found with multiple infections (Klez.H and SirCam) I've had to pre-clean with the DOS version of the antivirus before I could even run the Klez tool. I use DOS disks made from a good Command installation, copy them all to a directory on a CD-ROM for convenience, and either run from the CD-ROM or copy all the files to the hard disk and run from there so I can take the CD-ROM to the next machine.

Most disks scan pretty fast, but the absolute worst case is a Windows Me machine with System Recovery turned on and plenty of Temporary Internet Files. I've had one of these take over 2 hours, most of it in the System Recovery Temp files (89,000 files).

Going to call some more clients this week - this is easy money - like shooting fish in a barrel. "If you run Windows and read Email, You Have the Klez!"
[link|http://www.aaxnet.com|AAx]
Once again, Andrew supplies a new sig.
"If you run Windows and read Email, You Have the Klez!"
-Andrew Grygus
Thanks. I used Symantec's FixKlez.com...
...on a WinME laptop here. Probably 20 minutes or so to scan, with System Recovery disabled (Symantec advised this). Booted to safe mode. Thankfully, the system was clean.

Despite the Windows desktops, we run Eudora rather than MS LookOut, and have virus filtering on all in and outbound mail, as well as the desktops.

I'm starting to get interested in virus scanners to run over our Samba and web staging / FTP servers. I see this as a potential vector for infection as well. Hmmm... Ouch. Yeah, that would be a Good Thing ™

Any take on Klez infestations by email client? Is it mostly LookOut / OE or are other systems equally vulnerable?
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?

Keep software free. Oppose the CBDTPA. Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/...a_alert.html]
Any can be vulnerable if . . .
. . you open the mail. Only Outlook will propagate the virus by email, but once it's running it goes for network drives. Anything accessible to Windows clients is vulnerable. The worst infection I've seen was at a client that uses Microsoft Exchange Server intensively - only 2 of his 20 computers had less than 150 infected files.

At a client who does not use Outlook (not since SirCam emailed his customer list to all his competitors), some machines escaped infection. Three other clients who also use PMMail were 100% infected.

Klez.H has a long list of email tricks to get you to open it. My favorite is the one disguised as an undelivered mail notice. Who can resist opening the message to see why their mail wasn't delivered? A more obvious one is the one that warns about Klez.E.

One client receives many real bounced email notices from virus filtering services because someone who is infected had his address in their Outlook address book. Klez.H uses forged return addresses to hide the identity of infected machines.

Most of the infections are actually Elkern.C, which Klez.H brings with it - only a few are actually Klez.H. Elkern.C infects mainly Microsoft Office subdirectories in \Program Files. I haven't seen a definitive analysis of Elkern.C, but previous Elkern versions are said to destroy all files on hard disks on March 13th and September 13th.

The worst infected machine I've seen had over 450 files infected, but about 33 and 95 and 165 files are common infection points. The one with 450 infections had to be reformatted, as did several machines that had multiple viruses, but most infected machines recover well.

[link|http://www.aaxnet.com|AAx]
And they call me crazy for *STILL* using OS/2......
Edited by n3jja June 18, 2002, 09:45:42 AM EDT
At last count . .
. . my main OS/2 workstation had 290 virus-infected files, containing about a dozen different viruses, worms and trojans - and that's just because my email trash bin gets auto-emptied of old deletes. Since no infected files are likely to be transferred to my one lonely Windows machine, I just ignore 'em.
[link|http://www.aaxnet.com|AAx]
Interesting....
my main OS/2 workstation had 290 virus infected files, containing about a dozen different viruses, worms and trojans

Well, since I've never installed any AV software on my OS/2 partition, I couldn't tell you if I have any viruses or not. What I can say is that since the vast majority of these things are VBS, W32, or HTML, I feel fairly well protected because:

1) VBS doesn't work on OS/2 and (as far as I know) never will. Maybe it would run under Odin? I don't do Odin, so I wouldn't know.

2) W32 code doesn't run on OS/2 either, unless you have Odin installed, and I am certainly not about to do that. If I need to run W32 code, that's what I have a W98SE partition for.

3) I use PMMail/2 which automagically strips all HTML from incoming email. Anything that makes it past that usually comes up as garbage (or in some cases just blank) in the Read window and I delete those things without bothering to look at them. Similarly, I can always see the complete file name under OS/2. This makes file attachments that come up as Britney_Spears.jpg.vbs pretty damned obvious to anyone with 3 functioning brain cells. Double file extensions should send up flares as big as SCUD missiles even if you don't update your AV software as often as you should. That's how I knew my GF hadn't bothered to update her NAV software since I installed it for her. One of the emails she sent me last year had warning signs all over it as soon as I saw it.

Now, in fairness, she didn't know she had done it because she had the preview window in NutScape set on by default (still does.... *boggle*) and the code just started emailing people in her address book. Fortunately for her, I was only the second person to get the email sent to me, so I managed to nip it in the bud before it got way out of hand. Final tally was about 10 people she gave it to instead of the 50 or so it might have been.

I'm also quite happy about the fact that a good majority of these things like KAZAA, etc that contain SpyWare don't run on OS/2 either. I've only run into one instance where a web site tried to initiate a file download and since OS/2 is kind enough to let me know such things, it wasn't much of a deal.

All in all, I'm not worried in the least about most of this crap that infests the W32 world. Most of the time, I just laugh.
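As an added defensive example (not code from this thread or from any poster), a small Python mail filter that applies the double-extension rule n3jja describes to a constructed message styled like the "undelivered mail" lure Andrew mentions; the extension sets and the sample message are assumptions.

```python
import email
from email import policy

# Extensions Windows runs as code; DECOY_EXTS are the benign-looking ones a
# name like Britney_Spears.jpg.vbs hides behind. Both sets are assumptions.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "xls", "pdf", "htm", "html", "mp3", "zip"}

def classify_attachment(filename):
    """Return a reason if the name looks like a disguised executable, else None."""
    parts = filename.lower().split(".")
    last = parts[-1]
    if len(parts) < 2 or last not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"double extension .{parts[-2]}.{last} hides an executable"
    return f"executable attachment (.{last})"

def flag_message(raw_message):
    """Parse an RFC 822 message; return [(filename, reason)] for suspicious attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        reason = classify_attachment(name) if name else None
        if reason:
            flagged.append((name, reason))
    return flagged

# Constructed sample styled like the bounce-notice lure the thread describes;
# the attachment body is placeholder text, not a script.
SAMPLE_EML = """\
From: postmaster@example.invalid
To: user@example.invalid
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

The following mail can't be sent. The original message is attached.
--XYZ
Content-Type: application/octet-stream; name="Britney_Spears.jpg.vbs"
Content-Disposition: attachment; filename="Britney_Spears.jpg.vbs"

(constructed placeholder bytes)
--XYZ--
"""
```

Running `flag_message(SAMPLE_EML)` reports the .jpg.vbs attachment and nothing else; a plain photo.jpg passes `classify_attachment` untouched.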
Out of curiosity . .
. . I occasionally scan my OS/2 workstation drives over the network from my Windows machine.
[link|http://www.aaxnet.com|AAx]
Ah...
I occasionally scan my OS/2 workstation drives over the network from my Windows machine.

In my case, my OS/2 machine *is* my Windoze machine. It's also my DOS machine and my Linux machine as well.

I just love the sight of Boot Manager in the morning (and the afternoon, and the evening...). ;-)

I guess I should probably scan the Novell server and see what's there. I don't expect to find much, since I've been on her about updating NAV often, but one can never tell.

If enough things show up, I'll just have to ban her from the MP3 collection; or at least make it Read-Only for her. ;-)