[pchelpers] Re: Why the Klez worm just won't go away

Excellent information, thanks.

Ellen M wrote:
> 
> here's a couple of URLs on the Klez
> http://antivirus.about.com/library/weekly/aa042502a.htm
> Where From Art Thou? Klez spoofing more than just annoying
> 
> 
> While any virus can be problematic, either deliberately or
> unintentionally, the latest Klez variants use a variety of insidious
> tactics designed to give even the most patient a massive headache.
> Klez not only has a penchant for lifting legitimate user files from
> the system and sending them out with the infected mail - thereby
> potentially compromising sensitive data - it can also spoof the From
> address on the email, making it appear the virus is being sent from a
> completely innocent and uninfected person. One reader reports having
> received 9 different Klez emails in a single night, all with different
> From addresses. Only a careful examination of the email headers
> revealed the sender's true identity. Others report receiving bounced
> messages from various ISP's, informing them that a message they sent
> was rejected due to its carrying the Klez virus. The problem, of
> course, is that these individuals never sent the message nor did it
> originate from their machine. The virus had simply found their email
> address on the infected user's machine and inserted it in the From
> field.
> Paul Schmehl, Supervisor of Support Services at the University of
> Texas at Dallas, finds the Klez spoofing has created a support burden
> they don't normally encounter. Paul notes, "Because the Klez virus
> forges the From: address, it has created quite a stir on our campus.
> We don't normally see many infections here, so our users aren't
> accustomed to receiving the automatic notifications that come with a
> virus infection. Now they're calling our Help Desk and deluging me
> with email wanting to know how they got infected. It seems the cure is
> almost worse than the disease."
> The volume of email spawned by a Klez infection is also dramatic.
> Vincent Weafer, senior director of Symantec Corp.'s security response
> center, cautions that the Klez worm, "will send itself a few at a time
> and it will send itself again after rebooting the machine, in other
> words, every time the worm is executed it will e-mail itself." Thus,
> not only are innocent persons being accused of spreading the worm,
> chances are they will be victimized by this spoofing over and over
> again.
> This also poses a dilemma for folks who try to email those from whom
> they've received a virus. Typically, it's a simple matter of clicking
> reply and typing in a brief note letting the person know they are
> infected and providing links for assistance. With Klez, hitting reply
> won't work - the sender may not be the one in the From field. Instead,
> view the source of the message and double check the sender in the
> header itself. For example, in Outlook Express, source and headers can
> be viewed by right-clicking the message, choosing properties, and then
> clicking the Details tab.
> Other tricks up Klez's sleeve, besides confidentiality breaches and
> spoofing, include masquerading as a fix for a previous Klez variant,
> exploiting a vulnerability that allows the attachment to be
> automatically executed when the email is read, and using a double
> extension ruse to fool users into thinking the attachment is a benign
> file type. The Klez Help Center provides further information on Klez,
> including how to protect against it and where to get free removal
> tools.
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> 
> http://www.cnet.com/software/0-7760531-8-9771774-1.html
> 
> Klez.h worm continues to spread
> By Robert Vamosi
> Worm carries the Elkern.c virus which can infect executable files on
> all Windows platforms.
> (4/23/02)
> Another member of the Klez worm family is spreading fast across the
> Internet. Klez.h (w32.klez.h@mm, also known as Klez.g and Klez.k) is a
> significant variation of existing worms Klez.e and Klez.a. Klez.h has
> evolved dramatically enough to be able to slip past recent antivirus
> signature files on some PCs. A few users will need to update their
> antivirus signature files to specifically include Klez.h. Because of
> its rapid spread, Klez.h rates a 6 on the CNET Virus Meter.
> How it works
> Klez.h arrives as e-mail with a subject line that contains 1 of
> approximately 120 phrases, such as:
> Re: A WinXP patch
> Undeliverable mail--"(random)"
> Returned mail--"(random)"
> (random)(random) game
> (random) (random) tool
> (random) (random) website
> (random) (random) patch
> (random) removal tools
> how are you
> let's be friends
> darling
> 
> Some of the random words above are specific antivirus software vendor
> names or virus-specific names. The body text of the infected e-mail
> also has many variations and may include one of the following:
> This is a special humour game
> This is my first work.
> Your're the first player.
> I would expect you would enjoy it (virus name) is a dangerous virus
> that spread through email. (Antivirus vendor) give you the (virus
> name) removal tools. For more information, please visit
> http://www.(antivirus vendor).com
> Once active on a PC, Klez.h bypasses installed e-mail software by
> using its own SMTP server to send infected copies of itself. To locate
> addresses, the worm searches files on the hard drive, looking for
> various file extensions that may contain e-mail addresses. On
> networked drives, Klez.h will simply copy itself to remote disk drives
> by creating a random filename, then adding an .exe, .pif, .com, .bat,
> or .scr extension.
> Like several other recent worms, Klez.h attempts to disable antivirus
> software installed on the infected computer. For more details
> regarding the original Klez worm, see this alert; for details on the
> previous variation Klez.E, see this alert.
> Klez.h contains an upgraded version of the Elkern virus. Elkern.c
> (w32.elkern.c) runs under Windows 98, Me, 2000, and XP. Elkern.c adds
> a hidden file, wqk.exe, to Registry entry
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK, which is in
> Windows 98 and Me. Under Windows 2000 and XP, it adds wqk.dll to
> Registry key
> HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs.
> These files are added so that Elkern.c runs anytime Windows is run.
> Elkern.c can corrupt files without changing their size.
> Prevention
> Klez.h uses a well-known vulnerability in Outlook Express that is
> included in versions of Internet Explorer 5.01 and 5.5. Microsoft has
> previously released a patch for this. Users who have not loaded the
> patch are encouraged to do so or to upgrade to Internet Explorer 6
> using the full installation setting.
> Removal
> All antivirus software companies have updated their signature files to
> include Klez.h. This will stop the infection upon contact and in some
> cases additional tools are available to help you remove an active
> infection from your system. For more information, see Central Command,
> Computer Associates, F-Secure, Kaspersky, McAfee, Norman, Panda,
> Sophos, Symantec, and Trend Micro.
> 
> Cheers,
> Ellen M.
> 

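Added example, not from Ellen's post or either quoted article: a small Python triage helper that applies the header-checking advice above. It parses a constructed message, pulls the earliest Received: hop to find the host that really injected the mail (rather than trusting the forged From: address), and flags the double-extension attachment ruse the articles describe. All hosts, addresses and the attachment are placeholders.

```python
import email
import re
from email import policy

# Constructed sample in the style of the quoted alert; every host, address
# and attachment below is a placeholder, not data from a real Klez message.
SAMPLE = b"""\
Received: from mx.example.net ([192.0.2.10]) by mail.recipient.example with ESMTP
Received: from dialup-203.isp-placeholder.example ([198.51.100.203]) by mx.example.net with SMTP
From: alice@innocent.example
Subject: Re: A WinXP patch
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This is a special humour game
--b1
Content-Type: application/octet-stream; name="setup.txt.exe"
Content-Disposition: attachment; filename="setup.txt.exe"

PLACEHOLDER
--b1--
"""

# Executable extensions the CNET alert lists for the copies Klez.h drops.
EXEC_EXT = {".exe", ".pif", ".com", ".bat", ".scr"}

def originating_host(msg):
    """The last Received: header is the earliest hop; its 'from' token is the injecting host."""
    hops = msg.get_all("Received", [])
    m = re.search(r"from\s+(\S+)", hops[-1]) if hops else None
    return m.group(1) if m else None

def double_extension_attachments(msg):
    """Names like 'setup.txt.exe': a benign-looking inner extension hiding an executable one."""
    hits = []
    for part in msg.iter_attachments():
        pieces = (part.get_filename() or "").lower().rsplit(".", 2)
        if len(pieces) == 3 and "." + pieces[2] in EXEC_EXT:
            hits.append(part.get_filename())
    return hits

def triage(raw):
    """Compare the From: domain with the true origin; notify the origin, not the From: address."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain
    origin = originating_host(msg)
    # Klez fills From: with a harvested address, so the real origin rarely matches it.
    return {"from_domain": from_domain, "origin_host": origin,
            "from_matches_origin": origin is not None and origin.endswith(from_domain),
            "double_extension": double_extension_attachments(msg)}
```

On a real message the origin host is what to report to the sending ISP; a "from_matches_origin" of False is exactly the spoofing case in which hitting Reply notifies an uninfected bystander.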
-- 
Regards, John Durham <mailto:modec@xxxxxxxxxxxxxx >
ICQ number 112663246
Fax/Phone 64 4 5286786
Award winning web site at http://modecideas.com?sig
Order my latest e-book at http://modecideas.com/dmaxhits.htm?sig
PC-HELPERS list subscribe/unsub at http://pchelpers.5er.com?sig
Classified ad site
http://www.spunge.org/~johndurh/cgi-bin/classifieds.cgi?sig
Get your free site rotator http://www.ebizrotator.com/goto/JD706.htm
Prosper Mail http://www.prospermail.com/id/17841/free.cfm
Referralware http://www.referralware.com/home.jsp/101728230
Good advice is like good paint- it only works if applied.