RE: Email problem

  • From: carlos@xxxxxxxxxx
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Thu, 9 May 2002 10:33:22 -0600

Taken from Mcafeeasap.com. It sounds like the Klez virus, several hits in the
last couple of weeks.

AVERT has raised the risk assessment of this threat to Medium after seeing
an increase in prevalence over the past 24 hours. Home users are at a
greater risk of infection, as they tend to update their DATs less
frequently than corporations. As such, the risk of becoming infected in a
corporate environment is lower.

This latest W32/Klez variant is already detected as W32/Klez.gen@MM by
McAfee products using the 4182 DATs (23 January 2002) or greater.

W32/Klez.h@MM has a number of similarities to previous W32/Klez variants,
for example:

  W32/Klez.h@MM makes use of the Incorrect MIME Header Can Cause IE to Execute
  E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01
  or 5.5 without SP2).
  The worm has the ability to spoof the From: field (often set to an address
  found on the victim machine).
  The worm attempts to unload several processes (antivirus programs) from
  memory, including those containing the following strings:
  _AVP32, _AVPCC, NOD32, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NAV,
  NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, _AVPM, ALERTSVC, AMON, AVP32,
  AVPCC, AVPM, N32SCANW, NAVWNT, ANTIVIR, AVPUPD, AVGCTRL, AVWIN95, SCAN32,
  VSHWIN32, F-STOPW, F-PROT95, ACKWIN32, VETTRAY, VET95, SWEEP95, PCCWIN98,
  IOMON98, AVPTC, AVE32, AVCONSOL, FP-WIN, DVP95, F-AGNT95, CLAW95, NVC95,
  SCAN, VIRUS, LOCKDOWN2000, Norton, Mcafee, Antivir
The worm is able to propagate over the network by copying itself to
network shares (assuming sufficient permissions exist). Target filenames
are chosen randomly, and can have single or double file extensions. For
example:
  350.bak.scr 
  bootlog.jpg 
  user.xls.exe 

The worm may also copy itself into RAR archives, for example: 
  HREF.mpeg.rar 
  HREF.txt.rar 
  lmbtt.pas.rar 

The worm mails itself to email addresses in the Windows Address Book, plus
addresses extracted from files on the victim machine. It arrives in an
email message whose subject and body is composed from a pool of strings
carried within the virus (the virus can also add other strings obtained
from the local machine). For example:

Subject: A very funny website 
or Subject: 1996 Microsoft Corporation 
or Subject: Hello,honey 
or Subject: Initing esdi 
or Subject: Editor of PC Magazine. 
or Subject: Some questions 
or Subject: Telephone number 

The file attachment name is again generated randomly, and ends with a
.exe, .scr, .pif, or .bat extension, for example:
  ALIGN.pif 
  User.bat 
  line.bat 

Thanks to the use of the exploit described above, simply opening or
previewing the message in a vulnerable mail client can result in infection
of the victim machine.

W32/Klez.h@MM masquerades as a free immunity tool in at least one of the
messages used. Below is the message sent by the virus itself.

Subject: Worm Klez.E Immunity 
Body: Klez.E is the most common world-wide spreading worm. It's very
dangerous by corrupting your files. Because of its very smart stealth and
anti-anti-virus technic,most common AV software can't detect or clean
it.We developed this free immunity tool to defeat the malicious virus. You
only need to run this tool once,and then Klez will never come into your
PC.

NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV
monitor maybe cry when you run it. If so,Ignore the warning,and select
'continue'. If you have any question,please mail to me.
 
The worm may send a clean document in addition to an infected file. A
document found on the hard disk, that contains one of the following
extensions, is sent:

  .txt, .htm, .html, .wab, .asp, .doc, .rtf, .xls, .jpg, .cpp, .c, .pas,
  .mpg, .mpeg, .bak, .mp3, .pdf

This payload can result in confidential information being sent to others.

Indications Of Infection

Randomly/oddly named files on network shares, as described above. 
Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Removal Instructions

Use current engine and DAT files for detection. 

Once infected, VirusScan may not be able to run as the virus can terminate
the process before any scanning/removal is accomplished. The following
steps will circumvent this action and allow for proper VirusScan
scanning/removal, by using the command-line scanner.

Ensure that you are using the minimum DAT specified or higher. 
Close all running applications 
Disconnect the system from the network 
Go to a command prompt, then change to the VirusScan engine directory:
Win9x/ME - Click START | RUN, type command and hit ENTER. 
Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER 
WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER. 
Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the
process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
First, scan the system directory 
Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER 
WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER 
Once the scan has completed, Type clean.exe /adl /clean and hit ENTER 
Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER 
After scanning and removal is complete, reboot the system 
Apply Internet Explorer patch if necessary. 

Additional Windows ME/XP removal considerations 
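The two indications of infection listed above (a WINKxxx.EXE entry under the Run key, and oddly named single- or double-extension files on shares) can be checked with a small script. This is an added example, not code from the post or from McAfee; the Run-key values and file listing are constructed sample data, and the helper names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data standing in for a dump of
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a share listing.
SAMPLE_RUN_VALUES = {
    "SystemTray": r"C:\WINDOWS\SYSTEM\SysTray.Exe",
    "Wink": r"C:\WINDOWS\SYSTEM\WINKXYZ.EXE",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}
SAMPLE_SHARE_FILES = [
    "350.bak.scr", "bootlog.jpg", "user.xls.exe", "report.doc",
    "HREF.mpeg.rar", "budget.xls", "line.bat", "readme.txt",
]

# WINK followed by a random run of characters and .EXE, as described in the post.
WINK_RE = re.compile(r"[\\/]WINK[^\\/\s]*\.EXE\b", re.IGNORECASE)
# Attachment/share extensions the post lists for the worm's own executable.
EXEC_EXT = {"exe", "scr", "pif", "bat"}


def suspicious_run_entries(values: Dict[str, str]) -> List[str]:
    """Return Run-key value names whose data points at a WINKxxx.EXE file."""
    return [name for name, data in values.items() if WINK_RE.search(data)]


def suspicious_share_files(names: List[str]) -> List[Tuple[str, str]]:
    """Flag double-extension names that end in an executable extension
    (user.xls.exe) or that are RAR archives with a hidden inner extension
    (HREF.mpeg.rar). Single-extension worm files such as bootlog.jpg cannot be
    told apart by name alone, so they are left to the AV scanner."""
    flagged = []
    for name in names:
        parts = name.lower().split(".")
        if len(parts) < 3:          # at most one extension: nothing to flag
            continue
        if parts[-1] in EXEC_EXT:
            flagged.append((name, "double-extension executable"))
        elif parts[-1] == "rar":
            flagged.append((name, "double-extension rar archive"))
    return flagged


if __name__ == "__main__":
    for entry in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print("Run key:", entry, "->", SAMPLE_RUN_VALUES[entry])
    for name, reason in suspicious_share_files(SAMPLE_SHARE_FILES):
        print("Share file:", name, "->", reason)
```

On a live machine the sample dictionary would be replaced by the real Run-key values and the share listing by an os.listdir() of each share; a hit is a reason to run the command-line scanner as described in the removal steps, not proof of infection on its own.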