To all interested parties:

My apologies if you receive multiple copies of this announcement, but I think it deserves a wider audience.

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University

Forwarded message:

Subject: Klez virus: Next destructive date: May 6
To: [log in to unmask] (MSU Security Announce)
Date: Thu, 2 May 2002 16:56:49 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 2130

As many of you are probably aware by now, the Klez e-mail virus/worm has been making the rounds recently. We have recorded a large number of incidents involving Klez here at the Computer Laboratory. Most of the incidents we have logged involve student computers, but a number of faculty/staff computers are affected as well.

The Klez worm has been challenging as well because it masquerades as other users by using a faked "From" line. This leads to a fair number of misdirected complaints and/or bounced e-mail messages to users who are not infected with the worm. To properly identify the infected computer, it is necessary to read through the full message headers, in particular, the lines beginning with "Received:" (found in different locations on different mail client programs).

I am sending this particular alert in part because of the large number of Klez incidents we have seen, and also because the more recent versions of this worm have a destructive behavior which is triggered on the 6th of each odd month, making May 6 the next date with this behavior.

I would hope that most readers of the MSUSEC mailing list have up-to-date virus protection on all computers in your area. But you may want to pass this notice on to your users as a reminder to ensure that virus protections are fully in place and updated accordingly. You should be protected with any virus definitions dated February, 2002, or later, but check your virus vendor web site to verify.

Some useful links on Klez:

MSU security web site: http://security.msu.edu/

In particular, look under "Virus Alerts" for the "Klez-E worm" page:
http://security.msu.edu/cgi-bin/index.pl?virus/kleze.html

The Symantec web site provides a good, detailed description of the worm, along with instructions for removal of the worm from infected computers:

"E" variant: http:[log in to unmask]
"G/H" variant: http:[log in to unmask]

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University
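
Added example (not part of the original announcement): a sketch of the "Received:" check the message describes, which ignores the "From" line and walks the Received chain from the newest header down until it reaches a host that is not one of the site's own mail relays. The sample message, the host names, the relay address set and the function name submitting_host are all constructed for illustration, and the "from HELO (rdns [ip])" header layout is an assumption about how the receiving servers log.

```python
import re
from email import message_from_string

# Assumed sendmail/Postfix-style clause: from HELO (reverse-dns [ip])
FROM_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)")

# Constructed sample: forged From line, two genuine Received headers written by
# the site's servers, and one header below them that the sender supplied.
SAMPLE = (
    "Received: from mx.example.edu (mx.example.edu [192.0.2.10])\n"
    "\tby mailbox.example.edu with ESMTP id AAA111; Thu, 2 May 2002 10:00:05 -0400\n"
    "Received: from Xyz (dorm-pc-17.example.edu [198.51.100.17])\n"
    "\tby mx.example.edu with SMTP id BBB222; Thu, 2 May 2002 10:00:01 -0400\n"
    "Received: from relay.invalid ([203.0.113.5])\n"
    "\tby Xyz with SMTP; Thu, 2 May 2002 09:59:00 -0400\n"
    "From: innocent.user@example.edu\n"
    "To: someone@example.edu\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def submitting_host(raw_message, our_relays):
    """Return (claimed From, first host outside our_relays) or (From, None).

    Headers are read newest first. A header is believed only while every hop
    above it came from one of our own relay addresses; anything below the
    first outside host was supplied by that host and is never consulted.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = FROM_RE.search(header)
        if match is None:
            break  # no verifiable "from" clause: stop rather than guess
        helo, rdns, ip = match.groups()
        if ip not in our_relays:
            return msg["From"], {"helo": helo, "rdns": rdns, "ip": ip}
    return msg["From"], None

if __name__ == "__main__":
    claimed, host = submitting_host(SAMPLE, {"192.0.2.10"})
    print("From line claims:", claimed)
    print("Handed to our relay by:", host)
```

The address reported is the one to match against DHCP or network registration records; the HELO name is whatever the sending machine chose to announce and is not evidence on its own.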