[e-drive][EQUIFLASH: VIRUS ALERT]

Kevin Patrick Robbins kprobbins at caea.com
Fri May 30 12:01:34 EDT 2003 

-------------------------------------------
 EQUIFLASH: VIRUS ALERT
-------------------------------------------

Our sincerest apologies.

Last night, shortly after 2 a.m. an email was sent to the Equity eDrive
list with sender "kaethe" from address containing the W32/Klez.h at MM
virus. The subject header reads "To Sign Up." The body contains no text.


Information on the virus can be found at the McAfee site here: 
http://vil.mcafee.com/dispVirus.asp?virus_k=99455

W32/Klez.h at MM has a number of similarities to previous W32/Klez
variants, for example:

* W32/Klez.h at MM makes use of Incorrect MIME Header Can Cause IE 
  to Execute E-mail Attachment vulnerability in Microsoft Internet 
  Explorer (ver 5.01 or 5.5 without SP2).
* the worm has the ability to spoof the From: field (often set to 
  an address found on the victim's machine).
* the worm attempts to unload several processes (antivirus 
  programs) from memory.


You can find instructions on how to remove the virus here:
http://vil.mcafee.com/dispVirus.asp?virus_k=99455#removal_instructions


This is a fairly common virus. Those of you with anti-virus software
would have noticed this right away and the anti-virus software would
have quarantined, cleaned or deleted the virus for you. Many of you may
not have even received the virus is your server or ISP has server-level
virus scanning of incoming emails.

We are currently investigating how this message made it to the mailing
list by checking our computers, networks and servers, and we have
contacting the company that hosts the list for details on its origin. 

However, given the virus' nature of spoofing email addresses found in
users' address books and given that the "From" field read "kaethe" in
all lowercase -- not the full name of "Kaethe Yanovsky" as it would
appear coming from our servers, we believe the virus did not originate
from our computers but the computer of a virus victim who has the list
email address stored in his or her address book.

The virus would have spoofed that email address and the email addresses
of all the other recipients in that user's address book and sent the
infected email to the list. Currently, the infected email also resides
in our online archive for the list and will infect your computer (unless
you have anti-virus software) if you access that page.

We are working to have that page removed from our archives and to make
the eDive list more secure from such attacks. While this seems to be an
inevitable pitfall of our times and the eDrive service, we apologize for
any and all inconveniences this may have caused you.

We ask that you check your address books and make sure that all emails
you intend to send to the eDive mailing list are directed exclusively to
"caea-l at list.web.net" and not any other address. We also recommend
updating the virus definitions of your anti-virus software and running a
complete system scan on your computer.

We thank those of you who have contacted us with your concerns and
appreciate the notice. Thank you all for your co-operation with this
matter.


Regards,

Kevin Patrick Robbins
Communications Director
Canadian Actors' Equity Association

More information about the caea-l mailing list