ADSM-L

Cont: Virus from an ADSM-L subscriber - please check yourself

2002-05-23 05:17:34
Subject: Cont: Virus from an ADSM-L subscriber - please check yourself
From: Zlatko Krastev <acit AT ATTGLOBAL DOT NET>
Date: Thu, 23 May 2002 11:56:26 +0300
Hello all,

I got the virus again from the same person, now claiming to be a person
from IBM.
I hope you will be careful with this virus. Its masquerading feature
allows it to spread widely and makes isolation and removal harder.
Sorry for this off-topic issue. You will get no more messages from me on
this topic unless someone else on the list also gets infected and sends the
virus again. Such a virus problem can put some tension against innocent
members of our community.

Zlatko Krastev
IT Consultant

From:   tbrooks <tbrooks AT VNET.IBM DOT COM>
Subject:        Maxlength
Received:       from Pdgf (host119.200.61.155.ifxnw.com.ar
[200.61.155.119]) by ty.media3.net (8.9.3/8.9.2) with SMTP id CAA00909 for
<acit AT ATTGLOBAL DOT NET>; Thu, 23 May 2002 02:42:37 -0400 (EDT)
Received:       from ty.media3.net ([206.67.50.1]) by prserv.net (in1)
with ESMTP
          id <20020523065631101077amgqe>; Thu, 23 May 2002 06:56:32 +0000
And again two file attachments, one of them named value.bat with filesize
91858 (the actual virus payload).




Please respond to "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
Sent by:        "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
To:     ADSM-L AT VM.MARIST DOT EDU
cc:

Subject:        Virus from an ADSM-L subscriber - please check yourself

Hello people,

one of the ADSM-L subscribers from Argentina has the Klez virus.
Maybe some of you do not know how the virus works, so I will explain
in brief:
the virus distributes itself masquerading as someone from an address known to
the victim's mail program. More info can be found on AV program vendors'
sites (example
http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html).
In my case I got a virus with a signature as coming from Alex Paschal. Alex
is innocent and has nothing to do with this garbage. And for sure he would
not send me a mail with such a silly subject. So the mail was very
suspicious. I am using Lotus Notes for mail so am immune to viruses
targeting Outlook, but many of you are prospective targets (and might
even be infected).
The person with the infected computer is using an ISP in Argentina but I am
unable to identify him/her. Since my subscription to the list no-one from
this provider's domain has made posts. I guess he/she is a new member of
our community.
Please, fellows from Argentina, check your computers - you might be the one
who has the virus and accidentally sent it to me. Others using
Outlook can also check themselves or contact a system administrator/IT
security officer.
Partial details of the offending message are shown below. If any of you
(or your admin) needs additional info - please contact me outside the
list.

Zlatko Krastev
IT Consultant


From:   AlexPaschal <AlexPaschal AT FREIGHTLINER DOT COM>
Subject:        Japanese lass' sexy pictures
Received:       from Rfbgxnueo (host119.200.61.155.ifxnw.com.ar
[200.61.155.119]) by ty.media3.net (8.9.3/8.9.2) with SMTP id KAA12687 for
<acit AT ATTGLOBAL DOT NET>; Wed, 22 May 2002 10:40:33 -0400 (EDT)
Received:       from ty.media3.net ([206.67.50.1]) by prserv.net (in5)
with ESMTP
          id <20020522145421105060h0rre>; Wed, 22 May 2002 14:54:21 +0000
+ file attachment "href.bat" with size 91764 bytes (the virus code)
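
The header excerpts quoted in this thread show a familiar From name next to a first-hop `Received` line from an unrelated ISP host, plus a `.bat` attachment. As an added example (not part of the original post), the Python function below pulls those three signals out of a message; `triage`, `HOP`, `RISKY_EXT`, the extension list and the placeholder addresses are assumptions made for the illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: Received lines and attachment name follow the post;
# the From and for-addresses are placeholders (the archive obfuscates them).
SAMPLE = """\
Received: from ty.media3.net ([206.67.50.1]) by prserv.net (in5) with ESMTP
 id <20020522145421105060h0rre>; Wed, 22 May 2002 14:54:21 +0000
Received: from Rfbgxnueo (host119.200.61.155.ifxnw.com.ar [200.61.155.119])
 by ty.media3.net (8.9.3/8.9.2) with SMTP id KAA12687
 for <recipient@example.net>; Wed, 22 May 2002 10:40:33 -0400 (EDT)
From: Known Contact <known.contact@example.com>
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body
--b1
Content-Disposition: attachment; filename="href.bat"

placeholder bytes
--b1--
"""

# Assumption: extensions treated as directly executable on Windows clients.
RISKY_EXT = (".bat", ".exe", ".pif", ".scr", ".com")
# "from HELO (rdns [ip])": HELO is sender-chosen; rdns/ip come from the relay.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    # Each relay prepends its Received header, so the last one is the first hop.
    first_hop = " ".join(str(msg.get_all("Received", [""])[-1]).split())
    m = HOP.search(first_hop)
    helo, rdns, ip = m.groups() if m else (None, None, None)
    host = (rdns or "").lower()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    match = bool(host) and (host == from_domain or host.endswith("." + from_domain))
    return {
        "from_domain": from_domain, "helo": helo,
        "origin_host": rdns, "origin_ip": ip,
        # Heuristic: a mismatch is a lead for an analyst, not proof of spoofing.
        "origin_matches_from": match,
        "risky_attachments": [n for n in names if n.lower().endswith(RISKY_EXT)],
    }
```

Legitimate mail sent through an ISP or hosted relay also fails the domain comparison, so the result is most useful combined with the attachment check and an out-of-character subject line.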