[pchelpers] Re: Why the Klez worm just won't go away

Hello,

Fortunately, I work in Symantec's Virus Removal labs. After removing
Klez.E/H all day, I was a bit hesitant to reply. The thing with Klez is that
it's network aware and thus can spread via open file shares. It also has its
own SMTP engine so checking Outlook's "Sent" folder will inevitably not show
any messages the worm has sent. I'm sure you guys know this, but in a lot of
calls, people think otherwise.

With Klez.H, the infection of EXEs is greater than the previous incarnation
(.E). With Klez.E, we were able to do a manual removal, but with .H, it
infects PEs (EXEs) and thus will keep reinfecting the system. We (Symantec)
have an excellent removal tool that will remove Klez.E/H. If you follow the
instructions on the site about it, you won't see the step that says, "Reboot
into Safe Mode." So we get a lot of calls where people say they ran the tool
but it locks up. I ask, "Did you reboot into Safe Mode?" and they say, "No,
what's that?"

As for protection? NAV with the latest definitions will prevent Klez from
infecting your system. Microsoft also has a patch for Outlook to prevent it
from executing attachments because the MIME headers were spoofed.

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

I prefer your suggestion of abandoning Outlook. It has WAY too many holes
and Microsoft never seems to address the root of the problem.

As a side note, we've been getting a lot of calls about "Backdoor.Trojan"
being on their system. It always references the same files:

absr.exe
ausvc.exe
mnsvc.exe
bvt.exe

I would LOVE to get my hands on one of these files. So, if anyone gets a
warning about those or has one of those on their systems, I would be very
happy if you emailed it to me.

Regards,

Tim Hamel

----- Original Message -----
From: "Robert Weyer" <rweyer@xxxxxxxxx>
To: "pchelpers" <pchelpers@xxxxxxxxxxxxx>
Sent: Wednesday, April 24, 2002 3:14 PM
Subject: [pchelpers] Why the Klez worm just won't go away


> Hi John
> Here is an interesting article. I have been hit twice lately.
> Fortunately my software isolates, confines and ultimately destroys it.
> But maybe the best solution is to abandon Outlook and all email programs
> associated with it.
>
>
> http://www.zdnet.com/anchordesk/stories/story/0,10738,2862307,00.html
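Tim's point about Outlook executing attachments because the MIME headers were spoofed (MS01-020) can be checked for on the receiving side. The following is an added example, not code from the list, Symantec or Microsoft: it parses a constructed message and flags any attachment whose bytes are a Windows PE executable ("MZ" header) but whose declared Content-Type is a media type a mail client would render inline; the set of media types used is an assumption for the example.

```python
import base64
from email import policy
from email.parser import BytesParser

# Windows PE executables start with the "MZ" DOS stub header.
PE_MAGIC = b"MZ"
# Content types a mail client of that era would render inline without
# asking; an executable declared as one of these is the MS01-020 pattern.
# This set is an assumption for the example, not taken from the bulletin.
AUTO_RENDER_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg"}


def find_spoofed_attachments(raw_message: bytes):
    """Return (filename, declared_type) for every leaf MIME part whose
    decoded body is a PE executable but whose Content-Type claims it is
    inline media."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        if body.startswith(PE_MAGIC) and declared in AUTO_RENDER_TYPES:
            findings.append((part.get_filename() or "<unnamed>", declared))
    return findings


# Constructed sample: a text part plus a fake "WAV" attachment whose payload
# is really a PE header (MZ followed by filler bytes).
FAKE_EXE = b"MZ" + b"\x90" * 30
SAMPLE_MESSAGE = (
    b"From: sender@example.test\r\n"
    b"To: user@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
    b"\r\n"
    b"--BOUND\r\n"
    b'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    b"\r\n"
    b"Hello\r\n"
    b"--BOUND\r\n"
    b'Content-Type: audio/x-wav; name="sound.wav"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(FAKE_EXE) + b"\r\n"
    b"--BOUND--\r\n"
)

if __name__ == "__main__":
    for name, declared in find_spoofed_attachments(SAMPLE_MESSAGE):
        print(f"suspicious attachment {name}: executable declared as {declared}")
```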