[pchelpers] Re: Why the Klez worm just won't go away

Ellen,
Thanks for the info. I have read much about this particular virus. It has
many different strains and it is now changing itself to be another version
of itself. You may think you have it gone, but it rears its ugly head again
as a twin of itself.

John F
> 
> here's a couple of URLs on the Klez
> http://antivirus.about.com/library/weekly/aa042502a.htm
> Where From Art Thou? Klez spoofing more than just annoying
> 
> While any virus can be problematic, either deliberately or unintentionally,
> the latest Klez variants use a variety of insidious tactics designed to give
> even the most patient a massive headache. Klez not only has a penchant for
> lifting legitimate user files from the system and sending them out with the
> infected mail - thereby potentially compromising sensitive data - it can also
> spoof the From address on the email, making it appear the virus is being sent
> from a completely innocent and uninfected person. One reader reports having
> received 9 different Klez emails in a single night, all with different From
> addresses. Only a careful examination of the email headers revealed the
> sender's true identity. Others report receiving bounced messages from various
> ISPs, informing them that a message they sent was rejected due to its
> carrying the Klez virus. The problem, of course, is that these individuals
> never sent the message nor did it originate from their machine. The virus had
> simply found their email address on the infected user's machine and inserted
> it in the From field.
> 
> Paul Schmehl, Supervisor of Support Services at the University of Texas at
> Dallas, finds the Klez spoofing has created a support burden they don't
> normally encounter. Paul notes, "Because the Klez virus forges the From:
> address, it has created quite a stir on our campus. We don't normally see
> many infections here, so our users aren't accustomed to receiving the
> automatic notifications that come with a virus infection. Now they're calling
> our Help Desk and deluging me with email wanting to know how they got
> infected. It seems the cure is almost worse than the disease."
> 
> The volume of email spawned by a Klez infection is also dramatic. Vincent
> Weafer, senior director of Symantec Corp.'s security response center,
> cautions that the Klez worm "will send itself a few at a time and it will
> send itself again after rebooting the machine, in other words, every time the
> worm is executed it will e-mail itself." Thus, not only are innocent persons
> being accused of spreading the worm, chances are they will be victimized by
> this spoofing over and over again.
> 
> This also poses a dilemma for folks who try to email those from whom they've
> received a virus. Typically, it's a simple matter of clicking reply and
> typing in a brief note letting the person know they are infected and
> providing links for assistance. With Klez, hitting reply won't work - the
> sender may not be the one in the From field. Instead, view the source of the
> message and double check the sender in the header itself. For example, in
> Outlook Express, source and headers can be viewed by right-clicking the
> message, choosing Properties, and then clicking the Details tab.
> 
> Other tricks up Klez's sleeve, besides confidentiality breaches and spoofing,
> include masquerading as a fix for a previous Klez variant, exploiting a
> vulnerability that allows the attachment to be automatically executed when
> the email is read, and using a double extension ruse to fool users into
> thinking the attachment is a benign file type. The Klez Help Center provides
> further information on Klez, including how to protect against it and where to
> get free removal tools.
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> 
> http://www.cnet.com/software/0-7760531-8-9771774-1.html
> 
> Klez.h worm continues to spread
> By Robert Vamosi
> Worm carries the Elkern.c virus which can infect executable files on all
> Windows platforms.
> (4/23/02)
> 
> Another member of the Klez worm family is spreading fast across the Internet.
> Klez.h (w32.klez.h@mm, also known as Klez.g and Klez.k) is a significant
> variation of existing worms Klez.e and Klez.a. Klez.h has evolved
> dramatically enough to be able to slip past recent antivirus signature files
> on some PCs. A few users will need to update their antivirus signature files
> to specifically include Klez.h. Because of its rapid spread, Klez.h rates a 6
> on the CNET Virus Meter.
> 
> How it works
> Klez.h arrives as e-mail with a subject line that contains 1 of approximately
> 120 phrases, such as:
> Re: A WinXP patch
> Undeliverable mail--"(random)"
> Returned mail--"(random)"
> (random) (random) game
> (random) (random) tool
> (random) (random) website
> (random) (random) patch
> (random) removal tools
> how are you
> let's be friends
> darling
> 
> Some of the random words above are specific antivirus software vendor names
> or virus-specific names. The body text of the infected e-mail also has many
> variations and may include one of the following:
> This is a special humour game
> This is my first work.
> Your're the first player.
> I would expect you would enjoy it
> (virus name) is a dangerous virus that spread through email. (Antivirus
> vendor) give you the (virus name) removal tools. For more information, please
> visit http://www.(antivirus vendor).com
> 
> Once active on a PC, Klez.h bypasses installed e-mail software by using its
> own SMTP server to send infected copies of itself. To locate addresses, the
> worm searches files on the hard drive, looking for various file extensions
> that may contain e-mail addresses. On networked drives, Klez.h will simply
> copy itself to remote disk drives by creating a random filename, then adding
> an .exe, .pif, .com, .bat, or .scr extension.
> 
> Like several other recent worms, Klez.h attempts to disable antivirus
> software installed on the infected computer. For more details regarding the
> original Klez worm, see this alert; for details on the previous variation
> Klez.E, see this alert.
> 
> Klez.h contains an upgraded version of the Elkern virus. Elkern.c
> (w32.elkern.c) runs under Windows 98, Me, 2000, and XP. Elkern.c adds a
> hidden file, wqk.exe, to Registry entry
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK, which is in Windows
> 98 and Me. Under Windows 2000 and XP, it adds wqk.dll to Registry key
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. These
> files are added so that Elkern.c runs anytime Windows is run. Elkern.c can
> corrupt files without changing their size.
> 
> Prevention
> Klez.h uses a well-known vulnerability in Outlook Express that is included in
> versions of Internet Explorer 5.01 and 5.5. Microsoft has previously released
> a patch for this. Users who have not loaded the patch are encouraged to do so
> or to upgrade to Internet Explorer 6 using the full installation setting.
> 
> Removal
> All antivirus software companies have updated their signature files to
> include Klez.h. This will stop the infection upon contact and in some cases
> additional tools are available to help you remove an active infection from
> your system. For more information, see Central Command, Computer Associates,
> F-Secure, Kaspersky, McAfee, Norman, Panda, Sophos, Symantec, and Trend
> Micro.
> 
> 
> 
> Cheers,
> Ellen M.
> 

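The header check the About.com piece recommends (read the Received: chain instead of trusting From:) and the attachment tricks the CNET alert lists (executable extensions, the double-extension ruse, auto-execution of an attachment declared as something harmless), as an added Python example that is not part of either article or of this thread. The message, hosts and addresses below are constructed for the example, not a real capture; the check that a declared non-application Content-Type contradicts an executable file name is my own triage heuristic, not something either article spells out.

```python
import email
import email.utils
import os
import re
from email import policy

# Constructed sample (not a real capture) modelled on the Klez traits in the
# thread: forged From:, a Received: chain that records the real submitting host,
# and a double-extension attachment declared as audio/x-wav.  Hosts and IPs are
# documentation-range example values.
SPOOFED = b"""\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.example.net with ESMTP id k23abc
\tfor <bob@example.net>; Tue, 23 Apr 2002 10:00:00 -0500
Received: from home-pc (dialup-77.isp.example [198.51.100.77])
\tby mail.example.edu with SMTP id k23xyz;
\tTue, 23 Apr 2002 09:58:00 -0500
From: Alice <alice@example.org>
To: bob@example.net
Subject: Re: A WinXP patch
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This is a special humour game
--b1
Content-Type: audio/x-wav; name="setup.txt.pif"
Content-Disposition: attachment; filename="setup.txt.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EXECUTABLE_EXT = {".exe", ".pif", ".com", ".bat", ".scr"}   # extensions the CNET alert lists
DECOY_EXT = {".txt", ".doc", ".htm", ".html", ".jpg", ".gif", ".mp3", ".wav"}


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg):
    """Hops oldest-first as (helo, rdns, ip).  Each relay prepends its own
    Received: header, so the bottom one is the hop nearest the true origin."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        value = " ".join(str(hdr).split())          # unfold, squeeze whitespace
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        info = m.group("info").split()
        rdns = info[0] if info and not info[0].startswith("[") else None
        ip = IP_RE.search(m.group("info"))
        hops.append((m.group("helo"), rdns, ip.group(1) if ip else None))
    return hops


def from_domain(msg):
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def from_is_suspect(msg):
    """True when neither the HELO name nor the reverse DNS of the first hop
    belongs to the From: domain.  A heuristic only: a legitimate sender relaying
    through a third party trips it too, so treat it as a triage cue."""
    hops = received_chain(msg)
    dom = from_domain(msg)
    if not hops or not dom:
        return False
    helo, rdns, _ = hops[0]
    names = [n.lower() for n in (helo, rdns) if n]
    return not any(n == dom or n.endswith("." + dom) for n in names)


def suspicious_attachments(msg):
    """Flag executable attachments, the double-extension ruse, and a declared
    Content-Type that contradicts an executable file name."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, last = os.path.splitext(name)
        inner = os.path.splitext(stem)[1]
        if last not in EXECUTABLE_EXT:
            continue
        reasons = ["executable extension " + last]
        if inner in DECOY_EXT:
            reasons.append("double extension: " + inner + " decoy before " + last)
        ctype = part.get_content_type()
        if not ctype.startswith("application/"):
            reasons.append("declared " + ctype + " but file name is executable")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    m = parse(SPOOFED)
    print("From:", m["From"], "| first hop:", received_chain(m)[0])
    print("From: suspect?", from_is_suspect(m))
    print("attachments:", suspicious_attachments(m))
```

For the bounce case the article describes, run this over the original message the ISP attached to its rejection notice: the From: domain will be yours, but the bottom Received: hop will name the infected sender's dial-up or campus host, which is the address worth contacting.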