[pchelpers] Re: Why the Klez worm just won't go away

here's a couple of URLs on the Klez
http://antivirus.about.com/library/weekly/aa042502a.htm
Where From Art Thou? Klez spoofing more than just annoying

While any virus can be problematic, either deliberately or unintentionally, the 
latest Klez variants use a variety of insidious tactics designed to give even 
the most patient a massive headache. Klez not only has a penchant for lifting 
legitimate user files from the system and sending them out with the infected 
mail - thereby potentially compromising sensitive data - it can also spoof the 
From address on the email, making it appear the virus is being sent from a 
completely innocent and uninfected person. One reader reports having received 9 
different Klez emails in a single night, all with different From addresses. 
Only a careful examination of the email headers revealed the sender's true 
identity. Others report receiving bounced messages from various ISP's, 
informing them that a message they sent was rejected due to its carrying the 
Klez virus. The problem, of course, is that these individuals never sent the 
message nor did it originate from their machine. The virus had simply found 
their email address on the infected user's machine and inserted it in the From 
field. 
Paul Schmehl, Supervisor of Support Services at the University of Texas at 
Dallas, finds the Klez spoofing has created a support burden they don't 
normally encounter. Paul notes, "Because the Klez virus forges the From: 
address, it has created quite a stir on our campus. We don't normally see many 
infections here, so our users aren't accustomed to receiving the automatic 
notifications that come with a virus infection. Now they're calling our Help 
Desk and deluging me with email wanting to know how they got infected. It seems 
the cure is almost worse than the disease."
The volume of email spawned by a Klez infection is also dramatic. Vincent 
Weafer, senior director of Symantec Corp.'s security response center, cautions 
that the Klez worm, "will send itself a few at a time and it will send itself 
again after rebooting the machine, in other words, every time the worm is 
executed it will e-mail itself." Thus, not only are innocent persons being 
accused of spreading the worm, chances are they will be victimized by this 
spoofing over and over again. 
This also poses a dilemma for folks who try to email those from whom they've 
received a virus. Typically, it's a simple matter of clicking reply and typing 
in a brief note letting the person know they are infected and providing links 
for assistance. With Klez, hitting reply won't work - the sender may not be the 
one in the From field. Instead, view the source of the message and double check 
the sender in the header itself. For example, in Outlook Express, source and 
headers can be viewed by right-clicking the message, choosing properties, and 
then clicking the Details tab. 
Other tricks up Klez's sleeve, besides confidentiality breaches and spoofing, 
include masquerading as a fix for a previous Klez variant, exploiting a 
vulnerability that allows the attachment to be automatically executed when the 
email is read, and using a double extension ruse to fool users into thinking the 
attachment is a benign file type. The Klez Help Center provides further 
information on Klez, including how to protect against it and where to get free 
removal tools. 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

http://www.cnet.com/software/0-7760531-8-9771774-1.html


Klez.h worm continues to spread
By Robert Vamosi 
Worm carries the Elkern.c virus which can infect executable files on all 
Windows platforms. 
(4/23/02) 
Another member of the Klez worm family is spreading fast across the Internet. 
Klez.h (w32.klez.h@mm, also known as Klez.g and Klez.k) is a significant 
variation of existing worms Klez.e and Klez.a. Klez.h has evolved dramatically 
enough to be able to slip past recent antivirus signature files on some PCs. A 
few users will need to update their antivirus signature files to specifically 
include Klez.h. Because of its rapid spread, Klez.h rates a 6 on the CNET Virus 
Meter. 
How it works
Klez.h arrives as e-mail with a subject line that contains 1 of approximately 
120 phrases, such as: 
Re: A WinXP patch
Undeliverable mail--"(random)" 
Returned mail--"(random)" 
(random)(random) game
(random) (random) tool
(random) (random) website
(random) (random) patch
(random) removal tools
how are you
let's be friends
darling

Some of the random words above are specific antivirus software vendor names or 
virus-specific names. The body text of the infected e-mail also has many 
variations and may include one of the following: 
This is a special humour game
This is my first work. 
Your're the first player.
I would expect you would enjoy it
(virus name) is a dangerous virus that spread through email. (Antivirus vendor) 
give you the (virus name) removal tools. For more information, please visit 
http://www.(antivirus vendor).com 
Once active on a PC, Klez.h bypasses installed e-mail software by using its own 
SMTP server to send infected copies of itself. To locate addresses, the worm 
searches files on the hard drive, looking for various file extensions that may 
contain e-mail addresses. On networked drives, Klez.h will simply copy itself 
to remote disk drives by creating a random filename, then adding an .exe, .pif, 
.com, .bat, or .scr extension. 
Like several other recent worms, Klez.h attempts to disable antivirus software 
installed on the infected computer. For more details regarding the original 
Klez worm, see this alert; for details on the previous variation Klez.E, see 
this alert. 
Klez.h contains an upgraded version of the Elkern virus. Elkern.c 
(w32.elkern.c) runs under Windows 98, Me, 2000, and XP. Elkern.c adds a hidden 
file, wqk.exe, to Registry entry 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK, which is in Windows 98 
and Me. Under Windows 2000 and XP, it adds wqk.dll to Registry key 
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs. These 
files are added so that Elkern.c runs anytime Windows is run. Elkern.c can 
corrupt files without changing their size. 
Prevention
Klez.h uses a well-known vulnerability in Outlook Express that is included in 
versions of Internet Explorer 5.01 and 5.5. Microsoft has previously released a 
patch for this. Users who have not loaded the patch are encouraged to do so or 
to upgrade to Internet Explorer 6 using the full installation setting. 
Removal
All antivirus software companies have updated their signature files to include 
Klez.h. This will stop the infection upon contact and in some cases additional 
tools are available to help you remove an active infection from your system. 
For more information, see Central Command, Computer Associates, F-Secure, 
Kaspersky, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro. 



Cheers,
Ellen M.
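
The header check the first article recommends (read the Received: chain instead of trusting From:) and the double-extension attachment ruse both articles describe, as an added example in Python; this is not code from the quoted articles or from the original post. The message, hostnames, addresses and the attachment payload are constructed sample values, and the subject patterns are a hand-picked subset of the lures the CNET alert lists.

```python
"""Added example, not from the quoted articles: triage a constructed
Klez-style message. Shows why From: cannot be trusted, how to walk the
Received: chain to the real originating host, and how to flag executable
and double-extension attachment names. All names/addresses are constructed."""
import re
import email
import email.utils
from email import policy

# Executable extensions the CNET alert lists for the worm's copies.
EXEC_EXTS = {".exe", ".pif", ".com", ".bat", ".scr"}

# Subject lures taken from the alert's list (constructed regexes).
LURE_SUBJECTS = [
    r"^re: a winxp patch$",
    r"^(undeliverable|returned) mail--",
    r"removal tools$",
    r"^how are you$",
    r"^let's be friends$",
    r"^darling$",
]

# Constructed sample: From: names an uninfected third party, while the
# Received: chain shows the mail entered the relay from a dial-up host.
RAW_MAIL = b"""Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mail.example.edu with ESMTP id k4A1b2; Thu, 25 Apr 2002 09:12:01 -0500
Received: from dialup-42.isp.example.net ([198.51.100.42])
\tby mx.example.edu with SMTP id h7Q9x1; Thu, 25 Apr 2002 09:11:58 -0500
From: innocent.user@example.org
To: victim@example.edu
Subject: Re: A WinXP patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

This is a special humour game
--bnd
Content-Type: application/octet-stream; name="setup.txt.pif"
Content-Disposition: attachment; filename="setup.txt.pif"
Content-Transfer-Encoding: 7bit

placeholder payload, not an executable
--bnd--
"""


def received_hosts(msg):
    """'from' host of each Received: header, most recent relay first.
    Relays prepend Received:, so the LAST entry is the hop nearest the origin."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr))
        hosts.append(m.group(1) if m else None)
    return hosts


def originating_host(msg):
    """Host that handed the message to the first relay we can see."""
    hosts = received_hosts(msg)
    return hosts[-1] if hosts else None


def from_domain(msg):
    """Domain of the (untrusted) From: header, lower-cased."""
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def from_header_is_suspect(msg):
    """True when no relay host belongs to the From: domain. Not proof of
    forgery (forwarders and lists do this too), but the check to make before
    replying to the From: address with an infection notice."""
    domain = from_domain(msg)
    if not domain:
        return True
    return not any(h and h.lower().endswith(domain) for h in received_hosts(msg))


def subject_is_known_lure(msg):
    subj = str(msg["Subject"] or "").strip().lower()
    return any(re.search(p, subj) for p in LURE_SUBJECTS)


def risky_attachments(msg):
    """(filename, is_double_extension) for every attachment whose final
    extension is executable, e.g. ('setup.txt.pif', True)."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        pieces = name.lower().split(".")
        if len(pieces) >= 2 and "." + pieces[-1] in EXEC_EXTS:
            findings.append((name, len(pieces) > 2))
    return findings


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "from_domain": from_domain(msg),
        "origin_host": originating_host(msg),
        "from_suspect": from_header_is_suspect(msg),
        "lure_subject": subject_is_known_lure(msg),
        "attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MAIL).items():
        print(f"{key}: {value}")
```

The From:/Received: comparison is deliberately a heuristic: it tells a help desk which address not to reply to, not who is infected. The originating host from the last Received: header is the lead to follow up on, exactly as the article's "view the source and double check the sender in the header" advice suggests.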



