Security Basics mailing list archives

RE: GroupWise - Guinevere - Klez.H traffic Increase


From: "Mark Rossman" <marossma () oakland edu>
Date: Wed, 12 Mar 2003 23:05:48 -0500

Hi, 
        I've been seeing a lot more Klez lately too.  I think a new
variant came out a few weeks ago and the unprotected people are
spreading it like crazy. Just log the emails to track where they came
from and try informing the actual sender that they are infected (Klez
spoofs email addresses so don't just push reply). Unfortunately that's
all you can really do. I believe there was just a big thread about email
headers that may be helpful, just hope it's really coming from a few
people.
        Hope this helps
                Mark Rossman





  -----Original Message-----
  From: Eric Zatko [mailto:EZatko () co lucas oh us]
  Sent: Tuesday, March 11, 2003 4:35 PM
  To: security-basics () securityfocus com
  Subject: GroupWise - Guinevere - Klez.H traffic Increase
  
  Good afternoon my friends.
  
  I am wondering if any of you can shed some light on this bit of
  information that I have. Here is the background:
  
  We are running GroupWise e-mail... with Guinevere antivirus scanner for
  inbound and outbound Internet e-mail... which integrates with our Norton
  AV to detect, block and/or clean messages.
  
  We are getting more and more e-mail each and every day that is being
  blocked/cleaned/stripped of attachments containing the Klez.H virus.
  
  Now, one of two things appears to be happening... either we are being
  targeted for some reason (intentionally or unintentionally), or there is
  an increase in Klez.H traffic... which would be amazing since it (the
  original Klez.A) has been in the wild for such a long time (October,
  2001).
  
  Any thoughts... ideas... or advice?
  
  My sincere thanks in advance.
  Eric
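
Tracking where a Klez message really came from, as the reply above suggests, means reading the Received line written by your own gateway instead of the spoofed From address. The following Python sketch is an added example, not part of the original thread; the gateway name `mail.example.org`, the sample message and the function `trace_origin` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: hostname our own inbound gateway writes in its Received lines.
OUR_GATEWAY = "mail.example.org"

# Constructed sample message: spoofed From, plus a forged Received line
# (supplied by the sender) that pretends to have been written by our gateway.
SAMPLE = (
    "Received: from dialup-17.isp.example (dialup-17.isp.example [192.0.2.17])\n"
    "\tby mail.example.org with ESMTP id h2C45abc; Wed, 12 Mar 2003 10:00:00 -0500\n"
    "Received: from pc.victim.example (pc.victim.example [198.51.100.9])\n"
    "\tby mail.example.org with SMTP; Wed, 12 Mar 2003 09:58:00 -0500\n"
    'From: "Innocent User" <innocent@victim.example>\n'
    "To: staff@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# "from HELO (rdns [ip]) ... by HOST": a common Received layout; MTAs vary.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def trace_origin(raw, gateway=OUR_GATEWAY):
    """Return the host that connected to our gateway, ignoring the From header."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    domain = claimed.rsplit("@", 1)[-1]
    # Received headers are prepended, so the newest hop comes first. The first
    # line written by our gateway is trustworthy; everything below it was
    # supplied by the connecting host and can be forged.
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m and m.group("by").lower() == gateway:
            rdns = (m.group("rdns") or "").lower()
            match = bool(domain) and (rdns == domain or rdns.endswith("." + domain))
            return {"claimed_from": claimed, "ip": m.group("ip"),
                    "rdns": rdns, "from_matches_origin": match}
    return {"claimed_from": claimed, "ip": None, "rdns": "", "from_matches_origin": False}

if __name__ == "__main__":
    print(trace_origin(SAMPLE))
```

The address and reverse-DNS name returned identify the network whose abuse contact can reach the infected machine; a false `from_matches_origin` is only a heuristic hint that the From address was not the real sender.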


