Questionnaire

[ptranbarger]

Attachment                    Virus name               Action taken
------------------------------------------------------------------------------
cf325292514.att               Exploit.IFrame.FileDownloadRemoved


*** KLEZ ALERT ***

UPDATED MAY 6 2002

If this notification was generated due to any Klez virus variant (see 

above), then you should keep reading, since your machine might be 

infected by the virus.

Some URLs in this message below may wrap to a second line. If that 

occurs, clicking on them does not work. To follow a multi-line link, 

please copy and paste its parts into your browser's address window to 

reassemble it into a working URL.

Note that if your network uses other protocols for e-mail delivery 

other than SMTP (for example, POP3), Klez could find its way onto your 

network without your SMTP proxy getting the chance to strip the 

executable attachment.

KLEZ FORWARDS RANDOM FILES

In the last 30 days, experts have found that Klez.H sometimes attaches 

a random file from your hard drive into the infected e-mail it sends 

from your machine. Thus, a Klez.H-infected e-mail will include two 

attachments. One is the infected .EXE, .BAT, .PIF or .SCR file, and the 

second is some random file from the sender's computer. Although this 

second file is not infected by the worm, it could contain sensitive 

information the sender does not intend you to see. If you are infected 

with Klez.H, know that it could send sensitive documents to your e-mail 

contacts. This ZDnet story 

<http://techupdate.zdnet.co.uk/story/0,,t481-s2108922,00.html> includes 

details on this aspect of Klez.H.


KLEZ FORGES "FROM" AND "TO" E-MAIL HEADERS

Some of your may already know that Klez.H will forge the "From:" header 

with a random e-mail address it finds on the infected PC. This means 

that if you receive the Klez.H worm, the person it appears to be from 

is not really the person who sent it. Many professionals are worried 

that this worm will harm their reputation since their clients might see 

their e-mail address as the sender. If you receive Klez.H e-mails, keep 

in mind it is not really coming from the sender you see in the e-mail 

header. Finally, if you are accused of sending the Klez.H worm you 

could send your accuser this article 

<http://www.wired.com/news/technology/0,1282,52055,00.html> from Wired 

in order to clear up the misunderstanding.

MORE INFORMATION

For more information, see sources such as Symantec at:
<http:/securityresponse.symantec.com/avcenter/venc/data/address@hidden

tml>

**********************************************************************