Our apologies, this should have gone out yesterday but due to another project taking a fair amount of our time it was overlooked. This should not have happened. We apologize for any inconveniences/problems that may have been caused by this delay.

Christy

~~~

W32.Klez.H@mm
Discovered: April 19/2002

Reference urls:
http://www.symantec.com/avcenter/venc/data/w32.klez.h@xxxxxxx
http://vil.nai.com/vil/content/v_99455.htm
http://www.commandcom.com/virus/klez.html
http://www.Europe.f-secure.com/v-descs/klez_h.shtml
http://www.ravantivirus.com/virus/showvirus.php?v=98

Technical information borrowed from Symantec:

When this worm is executed, it does the following:

It copies itself to \%System%\Wink<random characters>.exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

   Wink<random characters>   %System%\Wink<random characters>.exe

to the registry key

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

   Anti-Vir.dat
   Chklist.dat
   Chklist.ms
   Chklist.cps
   Chklist.tav
   Ivb.ntz
   Smartchk.ms
   Smartchk.cps
   Avgqt.dat
   Aguard.dat

Local and Network Drive copying:

The worm copies itself to local, mapped, and network drives as:
- A random file name that has a double extension. For example, Filename.txt.exe.
- A .rar archive that has a double extension. For example, Filename.txt.rar.
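The persistence entries and drive drops described above, turned into checks a responder can run over evidence rather than by eye. This is an added example, not Symantec's or the list's code. It assumes the Run key and the Services key have been exported with regedit's /e switch and decoded to text; the export (including the value name Winkabc7) and the file names below are constructed for the demonstration, and the same two registry locations are the ones the manual removal steps later in this post inspect by hand.

```python
"""Check a regedit text export for Klez.H-style persistence and file names
for the double-extension pattern the worm uses on local and network drives.

Added example (not Symantec's or the list's code). The export and file names
here are constructed; Winkabc7 is a made-up instance of Wink<random characters>.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# "Wink<random characters>": Wink followed by letters or digits.
WINK_NAME = re.compile(r"^wink[a-z0-9]*$", re.IGNORECASE)
# "Filename.txt.exe" / "Filename.txt.rar": a short inner extension before .exe or .rar.
DOUBLE_EXTENSION = re.compile(r"\.[a-z0-9]{1,4}\.(?:exe|rar)$", re.IGNORECASE)


def parse_reg_export(text):
    """Map each [key] in a .reg export to its {value name: data} entries."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files quote string data and double every backslash.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_klez_persistence(reg_text):
    """Return (kind, name, image path) for each Run value or Services subkey that fits."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if WINK_NAME.match(name) or name.upper() == "WQK":
                    findings.append(("run_value", name, data))
        elif key.lower().startswith(SERVICES_KEY.lower() + "\\"):
            subkey = key[len(SERVICES_KEY) + 1:]
            if WINK_NAME.match(subkey):
                findings.append(("service_subkey", subkey, values.get("ImagePath", "")))
    return findings


def is_double_extension(filename):
    """True for names such as Filename.txt.exe or Filename.txt.rar."""
    return bool(DOUBLE_EXTENSION.search(filename))


# Constructed sample of a regedit export (the real file is UTF-16; decoded here).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winkabc7"="C:\\WINDOWS\\SYSTEM\\Winkabc7.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkabc7]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\Winkabc7.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for kind, name, image in find_klez_persistence(SAMPLE_REG_EXPORT):
        print(f"{kind}: {name} -> {image}")
    for f in ("Filename.txt.exe", "Filename.txt.rar", "setup.exe", "readme.txt"):
        print(f, "double extension" if is_double_extension(f) else "ok")
```

Matching is case-insensitive on both the key path and the value name, because regedit exports hive names in upper case while the advisory writes them in mixed case; the legitimate Eventlog service and the SystemTray value in the sample are there to show that only the Wink and WQK entries are reported.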
Email:

This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. The subject line, message bodies, and attachment file names are random. The From address is randomly chosen from email addresses that the worm finds on the infected computer.

The worm will search files that have the following extensions for email addresses:

   .mp8 .exe .scr .pif .bat .txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .pas .mpg .mpeg .bak .mp3 .pdf

In addition to the worm attachment, the worm also may attach a random file from the computer. The file will have one of the following extensions:

   .mp8 .txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .pas .mpg .mpeg .bak .mp3 .pdf

As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly-selected file.

The email message that this worm sends is composed of "random" strings. The subject can be one of the following:

   Undeliverable mail--"[Random word]"
   Returned mail--"[Random word]"
   a [Random word] [Random word] game
   a [Random word] [Random word] tool
   a [Random word] [Random word] website
   a [Random word] [Random word] patch
   [Random word] removal tools
   how are you
   let's be friends
   darling
   so cool
   a flash,enjoy it
   your password
   honey
   some questions
   please try again
   welcome to my hometown
   the Garden of Eden
   introduction on ADSL
   meeting notice
   questionnaire
   congratulations
   sos!
   japanese girl VS playboy
   look,my beautiful girl friend
   eager to see you
   spice girls' vocal concert
   japanese lass' sexy pictures

The random word will be one of the following:

   new
   funny
   nice
   humour
   excite
   good
   powful
   WinXP
   IE 6.0
   W32.Elkern
   W32.Klez.E
   Symantec
   Mcafee
   F-Secure
   Sophos
   Trendmicro
   Kaspersky

The body of the email message is random.
If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Virus Insertion:

This worm inserts the virus W32.Elkern.4926 as a file with a random name in the \%Program Files% folder and executes it.

NOTE: %Program Files% is a variable. The worm locates the \Program Files folder (by default this is C:\Program Files) and copies the virus to that location.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP client, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them.
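A mail-gateway check that ties the Email section above to the attachment-blocking best practice: it holds a message whose subject fits one of the listed templates, whose attachments carry one of the extensions the advisory says to block, or that shows the two-attachment layout (worm first, harvested file second). This is an added example and not Symantec's or the list's code. The subject strings, random-word list and blocked-extension list are taken from the text of this post; the test for an executable declared under a non-application Content-Type is an added heuristic of mine, and both messages below are constructed for the demonstration.

```python
"""Flag mail fitting the Klez.H pattern described above and the attachment
types the advisory recommends blocking at the mail server.

Added example (not Symantec's or the list's code); sample messages constructed.
"""
import re
from email import message_from_string

# Attachment extensions the advisory recommends blocking at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# The "[Random word]" vocabulary listed in the advisory.
RANDOM_WORDS = ["new", "funny", "nice", "humour", "excite", "good", "powful",
                "WinXP", "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec",
                "Mcafee", "F-Secure", "Sophos", "Trendmicro", "Kaspersky"]

# Fixed subjects listed in the advisory (compared case-insensitively).
FIXED_SUBJECTS = {s.lower() for s in (
    "how are you", "let's be friends", "darling", "so cool", "a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl VS playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures")}

# Subject templates with "[Random word]" slots, compiled to regexes.
_WORD = "(?:" + "|".join(re.escape(w) for w in RANDOM_WORDS) + ")"
TEMPLATE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    rf'^Undeliverable mail--"{_WORD}"$',
    rf'^Returned mail--"{_WORD}"$',
    rf"^a {_WORD} {_WORD} (?:game|tool|website|patch)$",
    rf"^{_WORD} removal tools$",
)]


def subject_matches_klez(subject):
    """True if the subject is one of the fixed strings or fits a template."""
    s = subject.strip()
    return s.lower() in FIXED_SUBJECTS or any(p.match(s) for p in TEMPLATE_PATTERNS)


def extension(filename):
    """Lower-cased final extension of a file name, '' if there is none."""
    return filename[filename.rfind("."):].lower() if "." in filename else ""


def attachments(msg):
    """(file name, declared Content-Type) for every MIME part that names a file."""
    return [(p.get_filename(), p.get_content_type())
            for p in msg.walk() if p.get_filename()]


def inspect_message(raw):
    """Return the reasons a message should be held; an empty list means clean."""
    msg = message_from_string(raw)
    atts = attachments(msg)
    reasons = []
    if subject_matches_klez(msg.get("Subject", "")):
        reasons.append("subject matches a Klez.H subject template")
    blocked = [name for name, _ in atts if extension(name) in BLOCKED_EXTENSIONS]
    if blocked:
        reasons.append("blocked attachment type: " + ", ".join(blocked))
    # The advisory's two-attachment layout: the worm first, a harvested file second.
    if (len(atts) == 2 and extension(atts[0][0]) in BLOCKED_EXTENSIONS
            and extension(atts[1][0]) not in BLOCKED_EXTENSIONS):
        reasons.append("executable attachment followed by a document attachment")
    # Added heuristic: an executable declared under a non-application media type.
    for name, ctype in atts:
        if extension(name) in BLOCKED_EXTENSIONS and not ctype.startswith("application/"):
            reasons.append(f"declared type {ctype} does not match executable {name}")
    return reasons


# Constructed message shaped like the advisory's description (not a real capture).
SAMPLE_MESSAGE = """\
From: alice@example.test
To: bob@example.test
Subject: a funny WinXP game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: audio/x-wav; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

QUJDRA==
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

some harvested text
--b1--
"""

# Constructed ordinary message that should pass untouched.
CLEAN_MESSAGE = """\
From: carol@example.test
To: bob@example.test
Subject: Re: lunch on Friday
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for reason in inspect_message(SAMPLE_MESSAGE):
        print("HOLD:", reason)
    print("clean message:", inspect_message(CLEAN_MESSAGE))
```

The extension check is deliberately independent of the subject check: the advisory's own recommendation is to block these attachment types regardless of what the message says, and the subject templates only add confidence when the filter is tuned to quarantine rather than reject.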
Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal using the removal tool

Symantec Security Response has developed a tool to remove both W32.Klez.H@mm and W32.Klez.E@mm, available at
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
This is the easiest way to remove these threats and should be tried first.

Manual removal procedure for Windows 95/98/Me

If W32.Klez.H@mm has activated, in most cases you will not be able to start your AntiVirus. Once this worm has executed, it can be difficult and time consuming to remove. The procedure that you must use to do this varies with the operating system. Please read and follow all instructions for your operating system. Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
   Manually download the definitions for your antivirus program, as you will not be able to run the program to obtain the most recent update file(s). Save the file(s) to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process.

2. Restart the computer in Safe mode
   1. Shut down the computer and turn off the power. Wait thirty seconds. Do not skip this step.
   2. Restart the computer in Safe mode. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry
   You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove the wink???.exe value after you write down the exact name of the wink file.

   CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

   1. Click Start, and click Run. The Run dialog box appears.
   2. Type regedit and then click OK. The Registry Editor opens.
   3. Navigate to the following key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   4. In the right pane, look for the following values:
      Wink[random characters]   %System%\Wink[random characters].exe
      WQK                       %System%\Wqk.exe
   5. Write down the exact file name of the Wink[random characters].exe file.
   6. Delete the Wink[random characters] value and the WQK value (if it exists).
   7. Navigate to and expand the following key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
   8. In the left pane, under the \Services key, look for the following subkey, and delete it, if it exists:
      \Wink[random characters]
      NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.
   9. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file
   Using Windows Explorer, open the C:\Windows\System folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)
   NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

5. Empty the recycle bin
   Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

6. Update your antivirus product from the files previously downloaded in step 1
   Click Yes or OK if prompted. Refer to your antivirus help files for information.

7. Restart the computer
   Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

8. Run a complete system scan with your antivirus program
   If the program has difficulties running, consider reinstalling the application and applying available updates to remove the leftover files.

9. Restart the computer
   Allow it to start normally.

Manual removal procedure for Windows 2000/XP

1. Download virus definitions
   Manually download the definitions for your antivirus program, as you will not be able to run the program to obtain the most recent update file(s). Save the file(s) to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process.

2. Restart the computer in Safe mode
   1. Shut down the computer and turn off the power. Wait thirty seconds. Do not skip this step.
   2. You must do this as the first step. All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. Read the document for your operating system: How to start Windows XP in Safe mode, or How to start Windows 2000 in Safe mode.

3. Edit the registry
   You must edit the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services and remove the wink[random characters].exe subkey after you write down the exact name of the wink file.

   CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

   1. Click Start, and click Run. The Run dialog box appears.
   2. Type regedit and then click OK. The Registry Editor opens.
   3. Navigate to the following key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
   4. In the left pane, under the \Services key, look for the following subkey:
      \Wink[random characters]
   5. Write down the exact file name of the Wink[random characters].exe file.
   6. Delete the Wink[random characters] subkey.
   7. Navigate to the following key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   8. In the right pane, look for the following values, and delete them if they exist:
      Wink[random characters]   %System%\Wink[random characters].exe
      WQK                       %System%\Wqk.exe
      NOTE: They probably will not exist on Windows 2000/XP-based computers, but you should check for them anyway.
   9. Click Registry, and click Exit.

4. Configure Windows to show all files
   Do not skip this step.
   1. Start Windows Explorer.
   2. Click the Tools menu, and click "Folder options."
   3. Click the View tab.
   4. Uncheck "Hide file extensions for known file types."
   5. Uncheck "Hide protected operating system files," and under the "Hidden files" folder, click "Show hidden files and folders."
   6. Click Apply, and then click OK.

5. Delete the actual Wink[random characters] file
   Using Windows Explorer, open the C:\Winnt\System folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)
   NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

6. Empty the recycle bin
   Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

7. Update your antivirus product from the files previously downloaded in step 1
   Click Yes or OK if prompted. Refer to your antivirus help files for information.

8. Reinstall your antivirus program with applicable updates
   NOTE: If you are using NAV 2002 on Windows XP, this may not be possible on all systems. You can, however, try the following: Open the Control Panel, double-click Administrative Tools, and then double-click Services. In the list, select Windows Installer. Click Action and then click Start.

9. Restart the computer and scan again
   Shut down the computer, and turn off the power. Wait 30 seconds and then restart it.
   CAUTION: This step is very important. Reinfection will occur if this is not followed.
   Allow it to start normally. If any files are detected as infected, quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

~~~~~

~*~*~*~*~
To unsubscribe from our list send an email to hackfix-virusnews-request@xxxxxxxxxxxxx?Subject=unsubscribe.
For a complete list of email commands for our list send an email to ecartis@xxxxxxxxxxxxx with a subject line of "info hackfix-virusnews" without the quotes.
~*~*~*~*~