Virus question
Disc00rd
05-04-2002, 10:51 PM
Hey gang - has anyone else been noticing increased activity of the W32.Klez.E virus on their servers?
We're currently cycling around 10 infected mails per user a day. Quite frankly I'm at a loss as to how to rectify this, and I'm looking for some help. If anyone knows of a good server side solution I'm all ears.
Dwight
swcombine.com
Atjeu
05-07-2002, 01:42 PM
What are the file extensions of the virus?
Cristiano
05-11-2002, 06:17 AM
It's a worldwide situation..... a bad situation
I receive 50 viruses a day....
It's a virus like NIMBA and BADTRANS (written like that?? :) )
hello
Atjeu
05-12-2002, 10:19 AM
If you guys know the exact name of the files they use like cmd.exe and root.exe we can put them in our router which will block them. As of now we are blocking the following:
cmd.exe
root.exe
readme.eml
ida
200).exe
4t[1].scr
NAME.exe
Disc00rd
05-13-2002, 03:56 AM
Unfortunately the virus seems capable of renaming the executables it uses to infect. We've seen everything from cmd.exe to fuzzybunny.com. Rest assured anyone opening a file called fuzzybunny deserves to be infected :)
I'm not sure that blocking file names will solve this one :(
Atjeu
05-13-2002, 09:19 AM
Unfortunately that's all that can be done. Most of the time viruses don't rename themselves, so it works great.
Zoltan Orc
05-21-2002, 12:57 PM
Well I just got this one 2 days ago:
<BLOCKQUOTE>Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.</BLOCKQUOTE>
It contained the worm, though funnily in Netscape Messenger 6 you can't even see the attachment, only if you view the source code of the mail (one of these days people should realize worms spread not because of the hackers who write them but because of M$ who puts OE on all computers by default but can't even make it work).
Anyway, I forwarded the mail to a buddy of mine so that he has a good laugh, but it bounced with the message
<BLOCKQUOTE>The mail attachment (file: height.scr) you sent to ******@ieee.org contains a virus (WORM_KLEZ.H). The attachment has been DELETED. Please clean and re-send. (InterScan on ieee.org)</BLOCKQUOTE>
It might make sense to ask those guys how they block the stuff, they might know of a method that doesn't depend on knowing the filename.
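An added example, not posted by anyone in the thread: a minimal server-side attachment check that compares the exact-name blocklist quoted above with a check on the attachment's type (executable extension or the "MZ" header of a DOS/PE file), which does not depend on knowing the filename. The extension list, the function names and the sample message are assumptions constructed for illustration; the attachment bytes are a harmless stub.

```python
import email
from email.message import EmailMessage

# Exact-name blocklist as quoted in the thread.
NAME_BLOCKLIST = {"cmd.exe", "root.exe", "readme.eml"}
# Assumption: extensions Windows runs on double-click (not from the thread).
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")

def blocked_by_name(filename):
    """The router-style rule: block only filenames already known."""
    return filename.lower() in NAME_BLOCKLIST

def blocked_by_type(filename, payload):
    """Block on what the file is: DOS/PE executables start with b'MZ'
    whatever they are called; the extension check covers the rest."""
    return payload[:2] == b"MZ" or filename.lower().endswith(EXEC_EXTENSIONS)

def scan(raw_bytes):
    """Return {filename: (name_verdict, type_verdict)} per attachment."""
    msg = email.message_from_bytes(raw_bytes)
    verdicts = {}
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # message body or multipart container
        payload = part.get_payload(decode=True) or b""
        verdicts[filename] = (blocked_by_name(filename),
                              blocked_by_type(filename, payload))
    return verdicts

def build_sample():
    """Constructed test message; the 'executables' are 64 inert bytes."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    stub = b"MZ" + b"\x00" * 62
    # Names from the thread, plus a stub hidden behind a .txt name.
    for name in ("cmd.exe", "fuzzybunny.com", "height.scr", "notes.txt"):
        msg.add_attachment(stub, maintype="application",
                           subtype="octet-stream", filename=name)
    msg.add_attachment(b"plain text", maintype="application",
                       subtype="octet-stream", filename="real.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, (by_name, by_type) in scan(build_sample()).items():
        print(f"{name:16} name-rule={by_name!s:5} type-rule={by_type}")
```

The type rule still misses anything that is neither an executable extension nor an MZ file (scripts, archives), so it narrows the gap left by name matching rather than replacing signature scanning at the gateway.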