Norton 2000 and KLEZ

Greetings all! About two weeks ago I forwarded a suspicious email from my Yahoo account to my ISP email account so I could scan for a virus. At the time, I did not have Norton set up to scan incoming mail and saved the attached msg normally. The few times I've been hit with a mail born virus, Norton has issued a virus "alert" and you delete or quarantine and go on your merry way. However, when I right clicked and scanned this attachment, Norton said I was "INFECTED".  I closed the scan and deleted the saved file, but klez had rendered part of Norton useless. I have reinstalled Norton 2000 and independent online scans have declared my pc clean.

I have always assumed one could save(not open!) an attachment and scan with an AV safely, but my confidence in this practice is really shaken now.

I would appreciate your thoughts.

Regards,

Morgan Cason

 

Hi.

From http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html#technicaldetails :

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

So as you wil understand, applying this patch is of the utmost importance.

 

Hello and thank you for the reply. I should have gone into more detail. I use Calypso for email with no preview pane and HTML is turned off.

Funny thing is Yahoo does not show an attachment. I forwarded the mail as an attachment and saved it from Calypso.

Regards,

Morgan Cason

 

I'm ready to answer my own question.......I think. No, under some circumstances it is not safe to even save a file for virus scanning, at least where said virus is klez and said AV is Norton 2000. From now on Morgan, if you wish to keep Norton 2000, have it scan all incoming mail and maybe use F-Prot for DOS as a good "on demand" scanner. Also the common sense stuff....keep virus defs up to date and by all means, practice "safe hex" annnnnnnnnnnd the next time you want to help somebody figure out a virus by saving one to your own PC, DON'T DO IT.
Thanks Morgan
U R Welcome Morgan
Cheers, all.

 

lol! Morgan, you've got a great sense of humor, I'll give you that!

"At the time, I did not have Norton set up to scan incoming mail and saved the attached msg normally."

That, coupled with the fact that perhaps your defs weren't up-to-date, is probably what caused the problem then.

If no one's already said so - welcome to the forum! See how much you've learned here already?    Pete

 

Hello Paul and Pete! Thanks for the replies and information.

Paul, I look forward to the test results of vSweeper.

Pete, my virus defs are always up to date. I have found in different newsgroups that a lot of people like me think that one can save (NOT OPEN!) an attachment and then scan the attachment.......thinking the worst that can happen is the attachment is infected and your AV can delete or quarantine or repair...etc ....the bad file and then you go on to the next whatever.

My point is that I feel Norton did not protect me by giving me an "alert", but told me I was screwed and "infected", this without me opening the attachment and only saving it.

Whew! All this hunt and peck makes me thirsty. I think I'll head down to the pub.

Bye for now and I wish you guys well.

Morgan Cason