Not guilty! Klez fakes emails from anti-virus companies

April 26, 2002 Sophos Press Release

A number of customers have contacted Sophos technical support concerned that they may have received a virus via email from Sophos.

Sophos would like to reassure its customer base that it has not been infected and has not sent any viruses to its customers.

The recent W32/Klez-H worm uses its own SMTP engine, and can appear to have come from any email address. Some infected messages have a sender field and message text which imply that the message was sent by a major anti-virus vendor (the virus can use the names Kaspersky, F-Secure, Symantec and Trend Micro as well as Sophos).

Sophos Anti-Virus has been capable of protecting against W32/Klez-H, via detection of its earlier variant W32/Klez-G, since 7 February 2002.

Some customers have also reported receiving an unsolicited email apparently from Sophos claiming to contain disinfection tools for the W32/ElKern virus (the email mistakenly refers to the virus as "W32.Elkern"). These emails contain a copy of the W32/Klez-G worm and, again, do not originate from Sophos.

Sophos recommends that users do not open or launch unsolicited executable attachments, and that they keep their anti-virus software updated.

Computer users are also advised to consider installing a patch from Microsoft which is reported to fix a vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. The vulnerability is exploited by W32/Klez-H and a number of other viruses.