
What's up with all these "blank" emails?

Old 05-10-02, 09:45 AM
  #1  
DVD Talk Legend
Thread Starter
 
Join Date: Oct 1999
Location: in Bush territory!
Posts: 11,613

I've been getting all these emails from people I know that don't have anything in them. No pics, no words, no attachments, nada. What's up with that? Is this some kind of weird virus going around? Has anyone else had this happen recently?

PS...I use Hotmail.
wabio is offline  
Old 05-10-02, 10:08 AM
  #2  
X
Administrator
 
 
Join Date: Oct 1987
Location: AA-
Posts: 10,701
Are they sending you HTML emails by any chance?
X is offline  
Old 05-10-02, 02:04 PM
  #3  
Senior Member
 
Join Date: Dec 2000
Location: Chicago
Posts: 880
Wabio, me too!

My work email is getting them a few times a day. My wife also works for the same place in a different building and she's been getting them too.

Very weird.

No, X, there's no html in them -- they're totally blank. They started several days ago.

edited to add:

But they aren't from people I know. I've recognized a couple of the "@_______.com"s but none of the user names.
Rico Diablo is offline  
Old 05-10-02, 02:35 PM
  #4  
DVD Talk Legend
Thread Starter
 
Join Date: Oct 1999
Location: in Bush territory!
Posts: 11,613
I've received about a dozen of these blank emails that seem to be coming from legitimate people. All of them have "620, 400) " in the subject line. But the pages are still blank.
wabio is offline  
Old 05-10-02, 05:39 PM
  #5  
DVD Talk Legend
 
Join Date: Jan 2002
Location: Danville, CA
Posts: 10,495
We've been getting these at work as well but have had the [email protected] virus ride along with the blank emails. Luckily Norton has stopped them all.
Copenhagen is offline  
Old 05-13-02, 09:57 AM
  #6  
Banned
 
Join Date: Oct 2001
Location: USA
Posts: 6,733
From McAfee's website:

http://vil.nai.com/vil/content/v_99367.htm

-- Update 3/4/2002 --
Due to a slow, but steady, increase in prevalence over the past few weeks, AVERT has raised the risk assessment of this threat to MEDIUM.
This W32/Klez variant has the ability to spoof the email FROM: field. The sender's address used by the virus may be one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual sender's address.

This worm makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).

This worm arrives in an Email message with a subject and body randomly composed from a rather long pool of strings that the virus carries inside itself (the virus can also add other strings):

"Hi, Hello, Re: Fw: Undeliverable mail-- Returned mail-- game a tool a website new funny nice humour excite good powful WinXP IE 6.0 W32.Elkern W32.Klez how are you let's be friends darling don't drink too much your password honey some questions please try again welcome to my hometown the Garden of Eden introduction on ADSL meeting notice question naire congratulations sos! japanese girl VS playboy look, my beautiful girlfriend eager to see you spice girls' vocal concert japanese lass' sexy pictures Symantec Mcafee F-Secure Sophos The following mail can't be sent to The attachment The file is the original mail give you the is a dangerous virus that can infect on Win98/Me/2000/XP. spread through email. very special For more information,please visit This is I you would it. enjoy like wish hope expect Christmas New year Saint Valentine's Day Allhallowmas April Fools' Day Lady Day Assumption Candlemas All Souls'Day Epiphany Happy Have a"

In our experiments we have, for example, observed the following Subject lines (more common at the top):

Subject: Document End
Subject: Happy Lady Day
Subject: From
Subject: Eager to see you
Subject: Returned mail--"Document End "
Subject: HEIGHT
Subject: A WinXP patch
Subject: Hi,spice girls' vocal concert
Subject: Happy nice Lady Day
Subject: Have a humour Lady Day
Subject: Happy good Lady Day
Subject: ALIGN
Subject: Have a good Lady Day
Subject: Undeliverable mail--"IIS services with this Web administration tool."
(the virus can also send mails with empty Subject and/or body)

This virus can also unload several antivirus programs from memory.


Symptoms

1) The worm interferes with running programs and frequently displays a fake error message:


Note - the name displayed is random but is always an EXE.

2) Alien WINKxxx.EXE files in \WINDOWS\SYSTEM folder (ex., WINKIDT.EXE or WINKKR.EXE).

3) Reference to a WINKxxx.EXE file (and "xxx" looks random) in a registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

4) Executable files have "companions" of about the same size and random extension (ex., apart from MSOFFICE.EXE you may have MSOFFICE.HRH which is a hidden system file). On top of that if you run an infected file you will temporarily have a third file with "~1" in the name (ex., NETSCAPE.EXE will not only have NETSCAPE.PXB but also NETSCA~1.EXE of exactly the same size as NETSCAPE.EXE). This third file is a reconstructed host and it is deleted by the worm once you quit the program.

5) This worm also causes serious system performance degradation and some programs stop running.


Method of Infection

When the Email is opened the worm immediately activates using the mentioned vulnerability (previewing the message may be enough if your system is not patched). The worm copies itself under a WINKxxx.EXE name (where xxx are random characters) into the WINDOWS\SYSTEM folder (can be different if your installation is not a default one) and this file is set to run every time the system starts.
W32/[email protected] is based on the W32/[email protected] but unlike its predecessors this variant can itself infect files (on top of being able to also drop W95/Elkern.cav.b virus). W32/[email protected] worm overwrites files and they are padded with zeroes to the original uninfected host size. The worm saves original contents of the hosts in files with the same name and random extension. These files are "Hidden" and "System" (to be able to see them you need to change "View/Folder Options" in Windows Explorer by selecting "Show all files").

Running infected files causes the worm to reconstruct the uninfected host file using saved data. Such reconstructed files will have "~1" appended to the name (ex., infected MSOFFICE.EXE will be accompanied by an uninfected MSOFFI~1.EXE). The worm deletes them as soon as the program stops running so they exist only temporarily.

W32/[email protected] sends itself out using the SMTP protocol. It harvests the Windows address book for email addresses.

The virus may save a copy of itself into .RAR archives.

There is a date-activated payload associated with this threat. On the 6th day of March, May, September, or November, the virus may overwrite local and network files containing the following extensions with zeros: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3.

If the month is January or July, all files may be overwritten. This behavior was not observed in a lab environment.


Removal Instructions

Use current engine and DAT files for detection.
Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished. The following steps will circumvent this action and allow for proper VirusScan scanning/removal, by using the command-line scanner.

Ensure that you are using the minimum DAT specified or higher.
Close all running applications
Disconnect the system from the network
Go to a command prompt, then change to the VirusScan engine directory:
Win9x/ME - Click START | RUN, type command and hit ENTER.
Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
First, scan the system directory
Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
After scanning and removal is complete, reboot the system
Apply Internet Explorer patch if necessary.


Aliases

I-Worm/Klez.E (AVP)
[email protected] (Symantec)
W32/Klez.F (Panda)
Win32.HLLM.Klez.1 (DrWeb)
Worm/Klez.E (H+BEDV)
WORM_KLEZ.E (Trend)
icondude is offline  
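The McAfee write-up quoted above says the From: line is spoofed and that only the full header reveals the real origin, and that the Subject is drawn from a fixed pool of strings. The following is an added example, not code from the thread or from McAfee, that applies those two checks to a raw message: it walks the Received: chain to find the earliest hop, compares it with the From: domain, matches the Subject against a constructed subset of the quoted string pool, and flags a blank body. The sample message and host names are constructed for the example.

```python
import email
import re
from email import policy

# Constructed subset of the Subject fragments quoted in the McAfee text above.
KLEZ_SUBJECT_MARKERS = ("lady day", "eager to see you", "a winxp patch",
                        "spice girls", "undeliverable mail--",
                        "returned mail--", "document end")

# Constructed sample, modelled on the thread: blank body, spoofed From:,
# Received: chain pointing back to an unrelated dial-up host.
SAMPLE_MSG = """Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net with SMTP; Fri, 10 May 2002 09:40:01 -0500
Received: from dialup-203.example-isp.test ([198.51.100.203]) by mail.example.org with SMTP; Fri, 10 May 2002 09:39:55 -0500
From: "Trusted Friend" <friend@example.com>
To: wabio@example.net
Subject: Happy nice Lady Day
MIME-Version: 1.0
Content-Type: text/plain

"""

def origin_hosts(msg):
    """Return the 'from' host of each Received: header, newest first."""
    hosts = []
    for received in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(received))
        if m:
            hosts.append(m.group(1))
    return hosts

def analyze(raw):
    """Apply the header-origin, subject-pool and blank-body checks."""
    msg = email.message_from_string(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    from_domain = addrs[0].domain.lower() if addrs else ""
    hops = origin_hosts(msg)
    first_hop = hops[-1].lower() if hops else ""  # last Received: = earliest hop
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().strip() if body else ""
    return {
        "from_domain": from_domain,
        "first_hop": first_hop,
        # Spoofed From: if the earliest relay is not in the claimed sender's domain.
        "from_mismatch": bool(from_domain) and not first_hop.endswith(from_domain),
        "klez_subject": any(marker in subject for marker in KLEZ_SUBJECT_MARKERS),
        "blank_body": body_text == "",
    }
```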
Old 05-13-02, 10:58 AM
  #7  
Senior Member
 
Join Date: Dec 2000
Location: Chicago
Posts: 880
So it's a virus in a blank email with no attachment?
Rico Diablo is offline  
Old 05-13-02, 11:07 AM
  #8  
DVD Talk Special Edition
 
Join Date: Jul 2000
Location: WashingtonDC
Posts: 1,182
I'd guess that somewhere along the line, one of the email servers detected the virus and stripped it out of the email (which is why it arrived blank?)
Eeyore is offline  
Old 05-13-02, 11:24 AM
  #9  
Banned
 
Join Date: Oct 2001
Location: USA
Posts: 6,733
Originally posted by Danger1313
So it's a virus in a blank email with no attachment?
Actually I got several emails just like this, but I'll be scanning for the virus, just in case.
icondude is offline  
Old 05-13-02, 03:48 PM
  #10  
Senior Member
 
Join Date: Feb 2002
Location: CA
Posts: 718
I started getting these a few days ago also! Very unusual. I just delete them and leave it at that.
agent2099 is offline  
Old 05-15-02, 11:13 AM
  #11  
Banned
 
Join Date: Oct 2001
Location: USA
Posts: 6,733
Actually I did go to Symantec's website and download their fix for this virus just in case. I remember getting the emails in the recent past and when I ran the fix on my work computer it found nothing but on my home computer it found tons of stuff. I had to run it like 4 times (once in the Safe mode) to get all the infected files deleted or repaired. The only symptom I had was when I was doing some video capturing I was noticing these strangely named programs running (when you do video capture one of the first things you do is turn off everything you can) and I had to keep on doing an "end task" from ctl-alt-delete to get rid of them before I'd start my capture. Normally I don't get viruses because I don't open these emails so I'm still not sure how it got on my computer but I'm glad it's gone now.
icondude is offline  