Klez.H spread using faked F-Secure address!

Helsinki, Finland - May 2, 2002

Several customers have contacted us and reported receiving a virus warning in e-mail from us - and that the warning contained an attachment infected with the Klez virus.

Of course, F-Secure has not been infected by Klez and has not sent out any viruses. Instead, what is happening is that the Klez virus is sending faked messages which look like they are coming from various anti-virus vendors.

Klez is a large family of viruses and it is capable of sending several different types of messages. Some examples include:

   From: random-email-address
   Subject: W32.Elkern  removal tools

   W32.Elkern  is a  dangerous virus that can infect 
   on Win98/Me/2000/XP.
   F-Secure give you the W32.Elkern  removal tools
   For more information,please visit http://www.F-Secure.com

   Attachment: random file infected with Klez

or:

   From: random-email-address
   Subject: Worm Klez.E Immunity

   Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your
   files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't
   detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to
   run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake
   Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and
   select 'continue'. If you have any question,please mail to me.

   Attachment: random file infected with Klez

Delete such messages. Also note that typically the address of the sender is random, and does not belong to the user of the infected machine which really sent the messages (the real sender can often be found by analysing the message headers).
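
The header analysis mentioned above, sketched as an added example (not F-Secure code): it walks the Received lines from the newest hop down and stops at the first one not written by a relay you trust, since anything below that point can be forged along with the From line. The sample message, host names, addresses and the find_origin helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): forged From, two Received hops.
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
\tby mx.corp.example with ESMTP id A1; Thu, 2 May 2002 10:00:05 +0300
Received: from victimpc (dialup-17.isp.example [198.51.100.17])
\tby mail.isp.example with SMTP id B2; Thu, 2 May 2002 10:00:01 +0300
From: support@av-vendor.example
To: user@corp.example
Subject: W32.Elkern  removal tools

body
"""

# "from HELO (rdns [ip]) ... by RECORDING-HOST", a common Received layout.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Return (message, hops); hops are ordered newest first, as in the headers."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return msg, hops

def find_origin(raw, trusted_relays):
    """Earliest sending host recorded by a relay in trusted_relays, or None."""
    msg, hops = parse_hops(raw)
    origin = None
    for hop in hops:
        if hop["by"].lower() not in trusted_relays:
            break  # written by a host we do not control or trust: may be forged
        origin = hop
    if origin is None:
        return None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = (origin["rdns"] or "").lower()
    matches = bool(from_domain) and (
        rdns == from_domain or rdns.endswith("." + from_domain))
    return {"ip": origin["ip"], "helo": origin["helo"], "rdns": rdns,
            "from_domain": from_domain, "from_matches_origin": matches}
```

With only the local mail server trusted, the result points at the relay that handed the message over; adding that relay to the trusted set (for example, when its operator confirms its logs) moves the result one hop closer to the infected machine.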

The author of the Klez worms is not targeting just F-Secure; the virus sends similar messages but uses other company names instead of ours. These include Sophos, Symantec, McAfee, Trend Micro and Kaspersky.

More information from:
http://www.f-secure.com/v-descs/klez.shtml