Ok, I use hotmail and like everyone else i get loads of spam and virus emails but i have recently started recieving emails that are blank but have a file size of over 100kb I assume there is some sort of attachment I am not seeing...

Anyone else had this or even better know anything about it?

thanks

-Chris

Is the e-mail coming from someone you know?

I use hotmail and i also got one 130k three days ago from an unknown person. Opened it having in mind to just see if it had an attachment but there was nothing on it. Strange eh? Did a scan then with my antinirus but nothing was inflected (by what it said). Then the next day i also had one more with diff. tittle from different unknown address which i then deleted without opening it.

This won't solve your blank email problem but will get rid of unwanted email

Go to your hotmail account, click on Options, then Inbox Protector.
Put a dot in Custom, then a check in "The sender's address is in your Hotmail Address Book".
Then under "Discard Folder" put a dot in "Trash Can, which is emptied several times a week"
That way you will not get mail unless it's from someone in your address book...

I believe the blank Hotmail messages contained the Klez virus, and Hotmail is stripping the attachments out. I've gotten several messages just as you described to my Hotmail account, and I know for a fact that at least some of them were generated by Klez.

Nice one brent, cheers :)
nice of MicroSoft to explain...

-chris

I recieved an E-mail via Hotmail (167kb). There was no attachment and when I opened the thing up there was no text either. I did not get a message from Hotmail to say why so big, yet empty. If it was stripped of a virus, Hotmail should have given a warning, don't you think?
Most people I know have both my E-mail addresses, in which case I am expecting a simialar E-mail via Outlook Express. I have read the Klez virus can execute without being opened, just by being in the preview pane.
I have disabled the 'preview pane' to be on the safe side.
There is another possibility for this mystery - Buffer Overflow Exploit.
I don't know what this is but.....
I have read about it and some of it has sunk in, the rest went clean over my head.
At sometime or other I have received an E-mail with a suspect http ???? This has tricked a program on my PC (UPNP) to send details via Windows Explorer & the net to a hotel room in the USA. I live in England.
Exactly what details would have been sent I don't know. It may have been to mess me about or to mess a third party around.
I fixed this problem by disabling UPNP. Zonealarm gave me the tip off ! More details on my original post...http://www.computing.net/security/wwwboard/forum/942.html

Michael- I would be interested in knowing where it is you saw that Klez could be executed without opening the e-mail. The reason I think the blank Hotmail messages are Klez is because I too have another e-mail account that I access through Outlook Express. When I get a suspicious e-mail in Outlook Express, I open it, save the attachment to my desktop, and scan it. I've done this with Klez many times, and never got infected. It is possible to create a virus that can execute simply by being previewed, but those don't usually get out into the wild. What was your source for that information?

I was getting several such large "blank" e-mails every day for the past week. Most apeared to be from Hotmail addresses and did have the W32Klez.eml virus in them. Some were rejects from servers (invalid address ?) as if they had come from me. None had actually came from Hotmail, they all had "spoofed" return addresses.

What bothered me the most about them, was that most of the addresses looked like they came from people who post on Computing.net forums! Including WaveDave. I spent a lot of time trying to open that one, to see what he had sent me, before I discovered it was a virus.

All were live versions of the Klez virus. It was costing me a lot of time several times a day to isolate, save to CD-Rom, remove from system and then setup and run a full virus scan to make sure nothing had been infected by them. Lots of files on three large drives to scan, takes almost a hour.

So Tuesday afternoon, I took the time to look through the source headers of all of those I had collected and discovered all but one had actually been sent from the the same machine! A DSL account at AT&T Broadband (rdog@attbi.com). I had already sent an e-mail to that address warning that it was infected, but got no response.

It took a while to find the right e-mail addrsses at AT&T, but I sent an abuse report to AT&T Broadband with copies of the headers, requesting that they contact the owner of the link (or shut it off). So far I have not received any more of these.

I was also bothered by the other one I had received. It was from an account in England. It was just like the others, but had a text message attached to the front that you could read. It said that the attached files were a way to make the Klez and other virus think your machine was already infected so that they would not infect your machine. And that if your AV complained about the attachment to just ignore it and install the program. Sure.... but someone might fall for it. This is someone who has received the virus and is trying to spread it.

Brent:

Yes, if you use Outlook and have preview enabled, then the Klez virus can get control and spread through a bug in the preview function. Micro$oft fixed this bug in Outlook almost a year ago. So if you have been to the Windows Update site for security fixes in the past year, then you are OK. But many people have never updated their Outlook.

If you re-install Windows or Outlook, you must do the updates again before it is safe for you to receive e-mail.

In China, where many people use bootleg copies of MS Office and do not/can not update the version of Outlook that come with it, the Klez virus has spread like wildfire and caused a lot of damage.

JackG- Thanks for the info. I had heard about the MIME header flaw, but didn't know much about it. I just went to Microsoft's site and read all about it, makes me glad that I keep up with all the Windows Updates! When I first started getting Klez e-mails, I too tried to contact the guilty party, but never got any response. They've pretty much stopped now, though.

Brent, I got the info from either this site or Symantec.
I have turned off the preview pane and set up a folder (using rules) for E-mail's with an attachment and labelled it BEWARE. When I received a virus from a friend, the E-mail came to both Hotmail and Outlook Express accounts. This made me suspicious as she only uses one account normally. I too E-mailed the 'sender' but did not get a reply so I sent a letter. Her PC was ruined and the E-mail was only read after the thing was fixed.
I am new to PC's and try to take in all the info I read.
PS I have the update patch from MS but until I'm sure I have the correct updates I will still take precautions... better safe than sorry.

i know you guys have most likely encountered viruses, but html text can be written in the color white, so, an e-mail may appear blank when it actually contains white text that completely blends in with the background. and, of course, the more text the bigger the file.

Hi there,

The blank email with over 100K file size contained a embedded HTML virus/trojan. You must delete the UNREAD when it's over 100K in file size. I've been lot of large file sizes on my Hotmail and my own private email domain server. Hotmail didn't scanned a HTML virus. They're only scanning on the attachments.

That sounds plausible, DB, but I have opened several blank Hotmail messages over 100K, with no consequences whatsoever. No infection, no alert from my virus sheild, nothing. How can that be explained?

I wondered if my E-mail was written in white text, so I attempted to highlight it by dragging the pointer and holding left mouse button. Nothing showed.

Hi Brent,

try run housecall.antivirus.com online scanning on your puter.. if they found detected it..

DB- Even though I'm 100% certain that I have no viruses, I ran Housecall anyway, it found nothing. There have been several theories posted here, but I am still of the belief that Hotmail is stripping out everything but the header before it delivers the Klez-infected e-mail to me.

Brent,

Im concerned about hotmail inboxes, and I noticed anything over 100K in file size (without attachments), I always deleting the UNREAD box better than worry about it.

Well, any empty e-mail you see in Hotmail will probably be a virus under Outlook or Outlook Express, simply because it infects on execution or just by reading it. They are usually very large, over 90kbytes.

If youre using Hotmail, very lucky to you. If you read that under Outlook Express, good luck.

Does Yahoo! filter it also? I have opened an over 150k file that was blank, before I knew what it was. I scanned my computer, and even tryed one of those Klez fix utitlies (fixklez.com - filename) Now I delete every over 100k email that I'm not expecting. I just want to know if Yahoo! prevents this, like hotmail seems to.

Thanks