Status
Not open for further replies.
1 - 4 of 4 Posts

· Registered
Joined
·
4 Posts
Discussion Starter · #1 ·
I keep getting repeated email messages containing the Klez virus. What's happening is when I go to check emails, my Norton AV gives me a message saying the Klez virus was detected (I think the version was [email protected]). It asks me if I want to quarantine the message. If I say yes, nothing happens except that I then get another Klez-infected email and the loop repeats itself (NAV again says it found the virus in this next email and asks if I want to quarantine it...). The same thing happens whether I select for NAV to delete or quarantine the email. I can't seem to break this loop. I now have like 25 of these Klez emails in my Inbox. Since I can't open or even preview these emails, I don't think my computer is infected yet because I don't think I've launched the virus; however, I'm no computer maven so I could be wrong.

The main problem right now is I can't get to check my other emails because I can't get past these NAV messages (I suppose I could disable NAV, but I don't think that's a good idea; then the virus would launch, right?).


I ran this Klez Removal Tool which told me upon completion that no Klez virus had been found (it actually said no "[email protected]" virus was found - I don't know if that is a distinction from the "[email protected]" my email messages tell me I have).

I am running Win XP.

Any ideas on how I can remedy this situation and get rid of these annoying messages so I can access the rest of my emails?

Thanks for any comments,
 

· Premium Member
Joined
·
1,615 Posts
jeh, what's up...
[email protected] is a mass-mailing variant of the Klez virus. It contains its own SMTP mailing engine. The actual function of the worm is to deliver another variant of Klez which targets your system and infects files instead of trying to propagate itself to other addresses. What is happening is that AV is finding the virus and containing it, but due to another function of the virus called spoofing, it does that repeatedly... This variation of Klez spoofs outgoing and "incoming" messages. It basically goes into your address book and picks up addresses and mails itself to them... The other side of spoofing is that it "mails" itself back to you, inserting those addresses from your address book in the "From" field. That's why you might keep receiving those messages. Now for the bad news... this variant is also known to cripple NAV... it takes out rnav.exe, which is used for NAV removal, or it changes the access properties so you cannot go in and remove it/change options/reinstall... I would try reinstalling the AV program and patching up your email client. The virus should not run as long as you leave the emails alone. For the IE patch, go here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

You can also try checking your mailbox remotely, bypassing Outlook. You can use mail2web.com... see if there are any strange emails in there.

*Note about the other virus*
If by some chance the virus runs, it will most likely inject another virus known as W32.ElKern.3326. If you have a network, disable it, because it mostly targets .exe files on shared drives. Since you have XP (win2k kernel?), this virus might crash... A more advanced variation of this virus is W32.ElKern.4926, which is adapted to hide from AV and targets AV files on the host and shared drives as well...



HTH
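
An added example, not posted by anyone in this thread: the MS01-020 bulletin linked above is titled "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment", so one way to triage a stuck mailbox without opening anything in the mail client is to scan the raw messages for attachments whose declared media type disagrees with an executable file name. The function names, extension list and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions Windows runs when opened (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "com"}
# Declared media types a mail client may render or play without asking.
AUTO_RENDERED = {"audio", "image", "video"}


def mismatched_parts(raw_bytes):
    """Return [(declared_type, filename)] for MIME parts that claim to be
    media but carry an executable file name. Nothing is decoded or run."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition, else Content-Type name=
        if not name or "." not in name:
            continue
        ext = name.rsplit(".", 1)[1].strip().lower()
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in AUTO_RENDERED:
            hits.append((part.get_content_type(), name))
    return hits


def build_sample(declared_type, filename):
    """Constructed two-part message with a dummy 3-byte attachment body."""
    return (
        "From: someone@example.com\n"
        "To: you@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "hello\n"
        "--b1\n"
        f'Content-Type: {declared_type}; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        "AAAA\n"
        "--b1--\n"
    ).encode("ascii")


if __name__ == "__main__":
    for ctype, fname in [("audio/x-wav", "song.exe"), ("audio/x-wav", "song.wav")]:
        print(fname, mismatched_parts(build_sample(ctype, fname)))
```

An attachment honestly declared as `application/octet-stream` is not flagged by this check; it only looks for the type/name disagreement, so it complements the antivirus scan rather than replacing it.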
 