Scary emails!... Traceable??

Original Message
Name: melissa
Date: August 29, 2002 at 17:46:41 Pacific
Subject: Scary emails!... Traceable??

Hi, at my workplace we get our email through "Netscape Messenger," and we've been getting weird stuff. For instance, today we got a message that showed up as 119KB, but only contained a few lines of text:

"Hello,This is a special nice game
This game is my first work.
You're the first player.
I wish you would enjoy it."

Soon after we started getting messages like these, our network has been crashing on a regular basis. It seems like these jerks are sending us viruses... but no visible attachments are shown on their emails.

So, what are you supposed to do when this kind of thing happens?? Can you trace these people somehow (get their IP address somehow)? Is there, like, a phone number of some investigation company I can call?! Should we delete these evil messages, or save them to track down their senders?

THANKS!!!!!!!
-melissa


Response Number 1
Name: Jim Beau
Date: August 29, 2002 at 17:53:18 Pacific

I personally am very suspicious of large e-mails, especially from unknown senders. As late as a few weeks ago I was getting them as large as 141 KB. I got about 6 that were 121 KB at the smallest. I deleted them all without opening any. The first thing you have to do is take care of the virus with a good anti-virus program. Tracing them, that has to be answered by someone with more knowledge on that subject. Regards. JB


Response Number 2
Name: melissa
Date: August 29, 2002 at 18:14:10 Pacific

Sorry, forgot to mention: we scanned ALL the computers with Norton Antivirus (very recent edition), and NO VIRUSES were detected... very strange hm?!


Response Number 3
Name: capt
Date: August 29, 2002 at 18:20:06 Pacific

Netscape filtered the virus out of the email for you. That is one of the benefits of using Netscape or some other email accounts instead of Outlook/Express. It is also why the message only had a few lines. All the best!


Response Number 4
Name: melissa
Date: August 29, 2002 at 19:12:01 Pacific

Ooh... that's nice to know! Thanks! :)

(unless... they were super tricky and "hid" the virus! cause our comp's are still crashing inexplicably...)


Response Number 5
Name: Wisconsin
Date: August 29, 2002 at 20:32:33 Pacific

Hey there. Did you make sure to run LiveUpdate to update Norton AV before you ran the scan (option in the upper left when you open Norton AV)? Furthermore, make sure you run the scan not only on the personal computers but on the servers as well. If Norton AV finds nothing, you can rest assured you do not have a virus on your system.
As for tracing the emails... don't waste your time; most often the viruses are sent by people who are not aware that they are sending out the virus until it is too late.
BILL


Response Number 6
Name: Smeagol
Date: August 30, 2002 at 03:52:04 Pacific

Tracing an email is a long and annoying process, as most people don't run their own mail servers, and the way the net is, once you get an IP there's a large jump between knowing they are doing something wrong and getting something legally done about it :)


Response Number 7
Name: melissa
Date: August 30, 2002 at 10:27:28 Pacific

Also, FYI... I tried replying to these messages (getting several a day now!!!) and it's a FAKE email address (gets bounced back to me)... which makes me think these messages are coming DIRECTLY from the virus maker, and not from some unsuspecting person's inbox... would this make it more easily traceable? This is almost like harassment, all these emails we're getting!

thanks everyone for your postings...:) will run LiveUpdate for sure...
melissa


Response Number 8
Name: Greganti Consulting
Date: August 30, 2002 at 11:08:27 Pacific

The emails are from one of several viruses still going around. The From: address is generated by the virus, or taken from the infected computer's address book. The From: address is typically not the person with the infected computer.

If the latest version of Norton doesn't find it, you should be OK. If you're not using the very latest virus definitions, you should update them. If specific machines are crashing after receiving those emails, I'd look at them extra carefully to make sure they're not infected.


Response Number 9
Name: PhiBErOptiCx
Date: August 30, 2002 at 12:22:03 Pacific

Hey! You can get their IP address by looking at the header of the email. You have to be able to view the header of the email in your mail client, so figure out how to do that and it will reveal all : )
[or at least where the email is being sent from]


Response Number 10
Name: Tryinhard
Date: August 30, 2002 at 14:01:56 Pacific

I guess most of you nice people are from the USA. I'm from N. Ireland and I received an almost identical email 3 or 4 months ago in Outlook Express. This is the wording on my email:

"Hi,This is a excite game
This game is my first work
You're the first player
I expect you would like it."

I didn't hang around long enough to see where it was from. I got it safely deleted, but it stuck out a mile from my normal mail. It just seemed so amateur I knew it was trouble. It's a coincidence it should appear so long after I got mine.


Response Number 11
Name: Tryinhard
Date: August 30, 2002 at 16:32:38 Pacific

Forgot to mention:

From: Cile

Subject: A very excite game.

Add to above post.


Response Number 12
Name: netscape user
Date: August 30, 2002 at 17:35:15 Pacific

Hello, did you say Netscape filters viruses??... lol ok... whatever.


Response Number 13
Name: stryc9
Date: August 30, 2002 at 18:31:47 Pacific

Netscape filtered the virus?? wtf?? ...rofl...

ok, now... Checking the message headers of the email is the best place to start. They seem a little intense but read them bottom to top and it all falls into place.

However, usually someone that writes virii knows how to spoof IPs, or at least sends the emails from a public computer, or they may even acquire another computer on the network to do their dirty work.

And, further still... even if you do find out who is doing this, the chances of you getting the ISP to do anything about it are slim to none.

Oh... one last thing. Because NAV doesn't think a file is a virus doesn't mean that it is not a virus. Norton is very quick to add virii to their definitions list, but they can't know everything. A virus has to be widespread enough to get reported and found out before it is applied to the next update. Just a little food for thought.


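The header walk that responses 9 and 13 describe (read the Received: lines bottom to top), together with response 8's point that the From: address is generated by the worm, as an added example that is not part of the thread. The message, every hostname and every address in it are constructed placeholders in documentation ranges, and TRUSTED_HOSTS stands in for whatever mail servers you actually operate; the one claim the code relies on is that only Received: lines written by your own servers are verifiable, while anything below them was added by machines you do not control.

```python
"""Read a message's Received: chain bottom-to-top and separate what the
headers claim about the origin from what our own servers actually observed.

Added example, not from the thread. The message and every hostname/IP in it
are constructed placeholders (RFC 5737 documentation ranges), not real hosts.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a worm-style message whose From: is forged.
SAMPLE = """\
Received: from mail.example-office.test (mail.example-office.test [192.0.2.10])
\tby mx.example-office.test with ESMTP id abc123; Thu, 29 Aug 2002 17:40:01 -0700
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.5])
\tby mail.example-office.test with SMTP; Thu, 29 Aug 2002 17:39:58 -0700
Received: from Cile (dialup-77.example-isp.test [203.0.113.77])
\tby relay.example-isp.test with SMTP; Thu, 29 Aug 2002 17:39:55 -0700
From: Cile <someone@example.net>
To: melissa@example-office.test
Subject: A very excite game
Content-Type: text/plain

Hello,This is a special nice game
This game is my first work.
You're the first player.
I wish you would enjoy it.
"""

# Hosts we operate (assumed); only Received: lines *written by* these are trusted.
TRUSTED_HOSTS = {"mx.example-office.test", "mail.example-office.test"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the HELO name, bracketed IP and receiving host out of one Received: line."""
    value = " ".join(value.split())  # unfold continuation lines
    helo = re.search(r"^from\s+(\S+)", value)
    ip = IP_RE.search(value)
    by = re.search(r"\bby\s+(\S+)", value)
    return {
        "from": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def received_chain(raw):
    """Hops in delivery order (origin first): the bottom Received: was added first."""
    msg = message_from_string(raw)
    return list(reversed([parse_received(v) for v in msg.get_all("Received", [])]))


def claimed_origin(raw):
    """What the bottom-most Received: line says; anyone upstream could have written it."""
    first = received_chain(raw)[0]
    return first["ip"], first["from"]


def verifiable_origin(raw, trusted_hosts=TRUSTED_HOSTS):
    """Furthest hop we can vouch for: walk top-down while our own servers wrote
    the line and return the first peer IP that is not ours. Lines below that
    were written by machines we don't control and may be forged or fabricated."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):  # top = most recently added
        hop = parse_received(value)
        if hop["by"] not in trusted_hosts:
            break
        if hop["from"] not in trusted_hosts:
            return hop["ip"], hop["from"]
    return None, None


def sender_summary(raw):
    """From: is just data inside the message; it says nothing about who connected to us."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    return {"from_name": name, "from_addr": addr,
            "claimed": claimed_origin(raw), "verifiable": verifiable_origin(raw)}


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(f"{str(hop['from']):<28} [{hop['ip']}] -> {hop['by']}")
    print(sender_summary(SAMPLE))
```

On the constructed message the bottom line claims a dial-up address, but the only address our own server saw connecting was the ISP relay, so that relay is as far as the trail can be followed with confidence; the forged From: address never enters into it.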

Response Number 14
Name: Underdog
Date: August 31, 2002 at 08:06:07 Pacific

It looks like you either got the KLEZ virus or it is being stripped from your e-mails by your e-mail system. Klez does come with a destructive payload. If you start seeing problems with your AV software this could be a red flag as to something being wrong. The subject matter you listed as being in the e-mails is known to be used by KLEZ:

Hello,This is a special nice game
This game is my first work.
You're the first player.
I wish you would enjoy it

There are numerous variations on the KLEZ virus, and it is practically impossible to trace. I know I have spent hours trying, even down to using triangulation methods.

Underdog



Response Number 15
Name: Tryinhard
Date: August 31, 2002 at 12:59:37 Pacific

Wow! Thanks. I didn't realise I was that close to disaster. Got off lightly then.


Response Number 16
Name: Sonny
Date: September 2, 2002 at 06:43:26 Pacific

I received a similar email today that did have 2 attachments, one of which scanned with the Klez virus. I'm trying to find out who to report it to; can anyone help on this?


Response Number 17
Name: kokpoh
Date: September 2, 2002 at 17:31:20 Pacific

Hope this helps.

VIRUS ALERT

UPDATE on KLEZ.H
THE WORM THAT KEEPS ON COMING

April 25, 2002

On April 18, we broadcast a virus alert concerning the Klez.H worm. Since our initial broadcast, anti-virus vendors and the media have reported new developments concerning the worm. We've also noticed continued interest and some confusion about Klez among WatchGuard customers. Below are a few newly reported developments and key points you should be aware of.

KLEZ EXECUTES UNDER SEVERAL EXTENSIONS
In our original alert we recommended Firebox users strip .EXE files using the SMTP proxy. Since then, sources such as Symantec and TrendMicro have updated their Klez.H coverage (on the 22nd and 24th, respectively), reporting that Klez.H might also arrive within an infected .BAT, .PIF or .SCR file. If you have read past alerts, you know these file types are commonly used to spread viruses, and you may already be stripping them at the firewall using the SMTP proxy. If you are not already stripping these file types, we recommend you apply the directions in our original Klez.H alert (found under Solution Path / For Firebox Users) to these three newly discovered file types.
Note that if your network uses protocols other than SMTP for e-mail delivery (for example, POP3), Klez could find its way onto your network without the SMTP proxy getting the chance to strip the executable attachment.
For general background on how viruses you think you've blocked can get into your network, see the LiveSecurity editorial, "How Those Sneaky E-mails Get In".

KLEZ FORWARDS RANDOM FILES
Since our original alert, experts have found that Klez.H sometimes attaches a random file from your hard drive to the infected e-mail it sends from your machine. Thus, a Klez.H-infected e-mail will include two attachments. One is the infected .EXE, .BAT, .PIF or .SCR file, and the second is some random file from the sender's computer. Although this second file is not infected by the worm, it could contain sensitive information the sender does not intend you to see. If you are infected with Klez.H, know that it could send sensitive documents to your e-mail contacts. This ZDNet story includes details on this aspect of Klez.H.

KLEZ FORGES "FROM" AND "TO" E-MAIL HEADERS
We mentioned in our original alert that Klez.H will forge the "From:" header with a random e-mail address it finds on the infected PC. This means that if you receive the Klez.H worm, the person it appears to be from is not really the person who sent it. Many professionals are worried that this worm will harm their reputation since their clients might see their e-mail address as the sender. If you receive Klez.H e-mails, keep in mind it is not really coming from the sender you see in the e-mail header. Finally, if you are accused of sending the Klez.H worm you could send your accuser this article from Wired in order to clear up the misunderstanding.
If you want general information on how attackers forge an e-mail header, see the LiveSecurity editorials, "Understanding and Stopping Spam," Part 1 and Part 2.

UPDATES HELP DEFEAT KLEZ
We often recommend that you keep current with patches and updates to be sure you are protected from new security threats. With the Klez.H worm, patching Internet Explorer lessens the scope of the worm, and having the latest anti-virus definitions prevents the worm outright. This advice also applies to your Firebox. Firebox users should have v5.0 with service pack 1 installed to get the best protection the Firebox has to offer.
For complete details on the Klez.H worm, please refer to our original virus alert.


------------------------
FEEDBACK: Did this alert help you do your job? Is there a topic you wish our experts would write an article about? Let us know by e-mailing lsseditor@watchguard.com.

For other helpful articles, log into the LiveSecurity Archive.

--------------------------
UNSUBSCRIBE: You received this e-mail because you subscribed to the WatchGuard LiveSecurity Service, which advises about virus alerts, security best practices, new hacking exploits, and more. To stop receiving future e-mails, or to change which e-mail address receives this content, please log in at https://www3.watchguard.com/archive/preferences.asp.
For technical support, visit https://support.watchguard.com/incidents/NewIncident.asp or call 1-877-232-3531.


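The gateway filtering the alert above recommends (strip .EXE, .BAT, .PIF and .SCR attachments before delivery) as an added example that is neither WatchGuard's nor the thread's code. It also shows the alert's two-attachment case: the executable is removed while the stray document Klez.H sends alongside it is kept, so the recipient can still see what was leaked. The message is constructed, the attachment bytes are harmless stand-ins, and the `X-Attachment-Stripped` header is an assumed name for the audit record, not a standard.

```python
"""Strip the attachment types the alert names (.EXE, .BAT, .PIF, .SCR) from a
MIME message while keeping everything else, including the random document
Klez.H attaches next to its executable.

Added example, not from the thread or from WatchGuard. The message is
constructed; the attachment bytes are stand-ins, not a real program or worm.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# The four extensions the alert says Klez.H arrives under.
BLOCKED_EXTENSIONS = {"exe", "bat", "pif", "scr"}


def is_blocked(filename):
    """True if the *last* extension is on the block list; 'game.txt.exe' is still .exe."""
    name = (filename or "").strip().rstrip(". ").lower()
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def build_sample():
    """Constructed Klez-style message: forged From:, one executable, one stray document."""
    msg = EmailMessage()
    msg["From"] = "Cile <someone@example.net>"
    msg["To"] = "melissa@example-office.test"
    msg["Subject"] = "A very excite game"
    msg.set_content("Hello,This is a special nice game\n"
                    "This game is my first work.\n"
                    "You're the first player.\n"
                    "I wish you would enjoy it.\n")
    msg.add_attachment(b"MZ stand-in bytes (constructed, not an executable)",
                       maintype="application", subtype="octet-stream",
                       filename="game.txt.exe")
    msg.add_attachment(b"quarterly budget (constructed stand-in for a leaked file)",
                       maintype="application", subtype="msword",
                       filename="budget.doc")
    return msg.as_string()


def strip_blocked_attachments(raw):
    """Return (cleaned message text, kept filenames, stripped filenames)."""
    msg = message_from_string(raw, policy=policy.default)
    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name] is not None:
            clean[name] = str(msg[name])
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body is not None else "")
    kept, stripped = [], []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if is_blocked(fname):
            stripped.append(fname)
            continue  # dropped: never re-attached to the cleaned message
        kept.append(fname)
        clean.add_attachment(part.get_payload(decode=True),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=fname)
    if stripped:
        # Assumed header name: leaves a record of what the gateway removed.
        clean["X-Attachment-Stripped"] = ", ".join(stripped)
    return clean.as_string(), kept, stripped


def attachment_names(raw):
    """Filenames of the attachment parts in a raw message, in order."""
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


if __name__ == "__main__":
    raw = build_sample()
    cleaned, kept, stripped = strip_blocked_attachments(raw)
    print("before:", attachment_names(raw))
    print("stripped:", stripped, "kept:", kept)
    print("after:", attachment_names(cleaned))
```

As the alert notes, a filter like this only sees mail that passes through the gateway; POP3 pickups that bypass it, and any extension not on the list, still reach the desktop, so it complements rather than replaces current anti-virus definitions.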