hackfix-virusnews: Virus Warning ~ Klez.H (variant)

  • From: "Christy" <snowz@xxxxxxxxxx>
  • To: hackfix-virusnews@xxxxxxxxxxxxxxx
  • Date: Sun, 21 Apr 2002 07:43:48 -0400

Our apologies; this should have gone out yesterday,
but due to another project taking a fair amount of
our time it was overlooked.  This should not have
happened.  We apologize for any
inconveniences/problems that may have been caused
by this delay.

Christy
~~~
W32.Klez.H@mm

Discovered: April 19/2002

Reference urls:
http://www.symantec.com/avcenter/venc/data/w32.klez.h@xxxxxxx
http://vil.nai.com/vil/content/v_99455.htm
http://www.commandcom.com/virus/klez.html
http://www.Europe.f-secure.com/v-descs/klez_h.shtml
http://www.ravantivirus.com/virus/showvirus.php?v=98


Technical information borrowed from Symantec:


When this worm is executed, it does the following:

It copies itself to \%System%\Wink<random characters>.exe.

NOTE: %System% is a variable. The worm locates the
Windows System folder (by default this is
C:\Windows\System or C:\Winnt\System32) and copies
itself to that location.

It adds the value

Wink<random characters> %System%\Wink<random characters>.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm
is executed when you start Windows.

The worm attempts to disable on-access virus
scanners and some previously distributed worms
(such as W32.Nimda and CodeRed) by stopping any
active processes. The worm removes the startup
registry keys used by antivirus products and
deletes checksum database files including:

     Anti-Vir.dat
     Chklist.dat
     Chklist.ms
     Chklist.cps
     Chklist.tav
     Ivb.ntz
     Smartchk.ms
     Smartchk.cps
     Avgqt.dat
     Aguard.dat

Local and Network Drive copying:
The worm copies itself to local, mapped, and
network drives as:

     A random file name that has a double
     extension. For example, Filename.txt.exe.
     A .rar archive that has a double extension.
     For example, Filename.txt.rar.


Email:
This worm searches the Windows address book, the
ICQ database, and local files for email addresses.
The worm sends an email message to these addresses
with itself as an attachment. The worm contains its
own SMTP engine and attempts to guess at available
SMTP servers.

The subject line, message bodies, and attachment
file names are random. The From address is
randomly-chosen from email addresses that the worm
finds on the infected computer.

The worm will search files that have the following
extensions for email addresses:

     mp8
     .exe
     .scr
     .pif
     .bat
     .txt
     .htm
     .html
     .wab
     .asp
     .doc
     .rtf
     .xls
     .jpg
     .cpp
     .pas
     .mpg
     .mpeg
     .bak
     .mp3
     .pdf


In addition to the worm attachment, the worm also
may attach a random file from the computer. The
file will have one of the following extensions:

     mp8
     .txt
     .htm
     .html
     .wab
     .asp
     .doc
     .rtf
     .xls
     .jpg
     .cpp
     .pas
     .mpg
     .mpeg
     .bak
     .mp3
     .pdf


As a result, the email message would have 2
attachments, the first being the worm and the
second being the randomly-selected file.

The email message that this worm sends is composed
of "random" strings. The subject can be one of the
following:

     Undeliverable mail--"[Random word]"
     Returned mail--"[Random word]"
     a [Random word] [Random word] game
     a [Random word] [Random word] tool
     a [Random word] [Random word] website
     a [Random word] [Random word] patch
     [Random word] removal tools
     how are you
     let's be friends
     darling
     so cool a flash,enjoy it
     your password
     honey
     some questions
     please try again
     welcome to my hometown
     the Garden of Eden
     introduction on ADSL
     meeting notice
     questionnaire
     congratulations
     sos!
     japanese girl VS playboy
     look,my beautiful girl friend
     eager to see you
     spice girls' vocal concert
     japanese lass' sexy pictures


The random word will be one of the following:

     new
     funny
     nice
     humour
     excite
     good
     powful
     WinXP
     IE 6.0
     W32.Elkern
     W32.Klez.E
     Symantec
     Mcafee
     F-Secure
     Sophos
     Trendmicro
     Kaspersky


The body of the email message is random.

If the message is opened in an unpatched version of
Microsoft Outlook or Outlook Express, the
attachment may be automatically executed.
Information about this vulnerability and a patch
are available at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Virus Insertion:
This worm inserts the virus W32.Elkern.4926 as a
file with a random name in the \%Program Files%
folder and executes it.

NOTE: %Program Files% is a variable. The worm
locates the \Program Files folder (by default this
is C:\Program Files) and copies the virus to that
location.



Symantec Security Response encourages all users and
administrators to adhere to the following basic
security "best practices":

Turn off and remove unneeded services. By default,
many operating systems install auxiliary services
that are not critical, such as an FTP client,
telnet, and a Web server. These services are
avenues of attack. If they are removed, blended
threats have fewer avenues of attack and you have
fewer services to maintain through patch updates.

If a blended threat exploits one or more network
services, disable, or block access to, those
services until a patch is applied.

Always keep your patch levels up-to-date,
especially on computers that host public services
and are accessible through the firewall, such as
HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make
it difficult to crack password files on compromised
computers. This helps to prevent or limit damage
when a computer is compromised.

Configure your email server to block or remove
email that contains file attachments that are
commonly used to spread viruses, such as .vbs,
.bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent
further compromising your organization. Perform a
forensic analysis and restore the computers using
trusted media.

Train employees not to open attachments unless they
are expecting them. Also, do not execute software
that is downloaded from the Internet unless it has
been scanned for viruses. Simply visiting a
compromised Web site can cause infection if certain
browser vulnerabilities are not patched.
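The email section above lists the worm's subject templates and filler words, and the best practices above ask mail servers to block executable attachments. Added example (not from the advisory or from Symantec): a small gateway-side check that turns those templates into anchored patterns and flags attachment names that carry a blocked final extension or the double-extension shape (Filename.txt.exe, Filename.txt.rar). The function names and the message scoring are my own construction.

```python
import re

# Subject templates and filler words quoted in the advisory above.
SUBJECT_TEMPLATES = [
    'Undeliverable mail--"[Random word]"', 'Returned mail--"[Random word]"',
    "a [Random word] [Random word] game", "a [Random word] [Random word] tool",
    "a [Random word] [Random word] website", "a [Random word] [Random word] patch",
    "[Random word] removal tools", "how are you", "let's be friends", "darling",
    "so cool a flash,enjoy it", "your password", "honey", "some questions",
    "please try again", "welcome to my hometown", "the Garden of Eden",
    "introduction on ADSL", "meeting notice", "questionnaire", "congratulations",
    "sos!", "japanese girl VS playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert", "japanese lass' sexy pictures",
]
RANDOM_WORDS = ["new", "funny", "nice", "humour", "excite", "good", "powful",
                "WinXP", "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec",
                "Mcafee", "F-Secure", "Sophos", "Trendmicro", "Kaspersky"]
# Extensions the best practices say to block, plus .rar for the worm's archive copies.
BLOCKED_EXT = {"vbs", "bat", "exe", "pif", "scr"}
OUTER_EXT = BLOCKED_EXT | {"rar"}

def _template_regex(template):
    """Turn 'a [Random word] [Random word] game' into an anchored regex."""
    word = "(?:" + "|".join(re.escape(w) for w in RANDOM_WORDS) + ")"
    parts = [re.escape(p) for p in template.split("[Random word]")]
    return re.compile("^" + word.join(parts) + "$", re.IGNORECASE)

SUBJECT_PATTERNS = [_template_regex(t) for t in SUBJECT_TEMPLATES]

def subject_matches_klez(subject):
    """True if the subject is one of the advisory's templates filled with its words."""
    return any(p.match(subject.strip()) for p in SUBJECT_PATTERNS)

def attachment_flags(filename):
    """Flags for one attachment name: blocked final extension, double extension."""
    exts = filename.lower().split(".")[1:]
    flags = []
    if exts and exts[-1] in BLOCKED_EXT:
        flags.append("blocked-extension")
    # Filename.txt.exe / Filename.txt.rar: an inner extension hiding the real one.
    if len(exts) >= 2 and exts[-1] in OUTER_EXT:
        flags.append("double-extension")
    return flags

def score_message(subject, attachments):
    """Collect every reason a gateway would hold this message for review."""
    reasons = ["klez-subject"] if subject_matches_klez(subject) else []
    for name in attachments:
        reasons += [f"{name}:{flag}" for flag in attachment_flags(name)]
    return reasons
```

The subject check is exact-match against the listed templates, so a subject that merely resembles one is not flagged; the attachment checks are the part worth keeping regardless of the variant.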

Removal using the removal tool
Symantec Security Response has developed a tool to
remove both W32.Klez.H@mm and W32.Klez.E@mm,
available at
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
This is the easiest way to remove these threats and
should be tried first.

Manual removal procedure for Windows 95/98/Me

If W32.Klez.H@mm has activated, in most cases you
will not be able to start your AntiVirus. Once this
worm has executed, it can be difficult and time
consuming to remove. The procedure that you must
use to do this varies with the operating system.
Please read and follow all instructions for your
operating system.

Follow the instructions in the order shown. Do not
skip any steps. This procedure has been tested and
will work in most cases.

NOTE: Due to the damage that can be done by this
worm, and depending on how many times the worm has
executed, the process may not work in all cases. If
it does not, you may need to obtain the services of
a computer consultant.

1. Download virus definitions
Manually download the definitions for your
antivirus program, as you will not be able to run
the program to obtain the most recent update
file(s). Save the file(s) to the Windows desktop.
This is a necessary first step to make sure that
you have current definitions available later in
the removal process.


2. Restart the computer in Safe mode

          1. Shut down the computer and turn off
the power. Wait thirty seconds. Do not skip this
step.
          2. Restart the computer in Safe mode. For
instructions, read the document How to restart
Windows 9x or Windows Me in Safe mode.


3. Edit the registry
You must edit the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and remove the wink???.exe value after you write
down the exact name of the wink file.

CAUTION: We strongly recommend that you back up the
system registry before you make any changes.
Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make
sure that you modify only the keys that are
specified. Please see the document How to back up
the Windows registry before you proceed.

     1. Click Start, and click Run. The Run dialog
box appears.
     2. Type regedit and then click OK. The
Registry Editor opens.
     3. Navigate to the following key:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

     4. In the right pane, look for the following
values:

     Wink[random characters] %System%\Wink[random characters].exe
     WQK %System%\Wqk.exe

     5. Write down the exact file name of the
Wink[random characters].exe file
     6. Delete the Wink[random characters] value
and the WQK value (if it exists).
     7. Navigate to and expand the following key:

     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

     8. In the left pane, under the \Services key,
look for the following subkey, and delete it, if it
exists:

     \Wink[random characters]

     NOTE: This probably will not exist on Windows
95/98/Me-based computers, but you should check for
it anyway.

     9. Click Registry, and click Exit.


4. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Windows\System
folder, locate the Wink[random characters].exe
file, and delete it. (Depending on your system
settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location
other than C:\Windows, make the appropriate
substitution.

5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop,
and click Empty Recycle Bin.

6. Update your antivirus product from the files
previously downloaded in step 1. Click Yes or OK if
prompted.  Refer to your antivirus help files for
information.

7. Restart the computer
Shut down the computer, and turn off the power.
Wait 30 seconds, and then restart it. Allow it to
start normally. If any files are detected as
infected, Quarantine them. Some of the files that
you may find are Luall.exe, Rescue32.exe, and
Nmain.exe.

8. Run a complete system scan with your antivirus
program.  If the program has difficulties running,
consider reinstalling the application and applying
available updates to remove the leftover files.

9. Restart the computer
Allow it to start normally.


Manual removal procedure for Windows 2000/XP

1. Download virus definitions
Manually download the definitions for your
antivirus program, as you will not be able to run
the program to obtain the most recent update
file(s). Save the file(s) to the Windows desktop.
This is a necessary first step to make sure that
you have current definitions available later in
the removal process.


2. Restart the computer in Safe mode

          1. Shut down the computer and turn off
the power. Wait thirty seconds. Do not skip this
step.
          2. You must do this as the first step.
All Windows 32-bit operating systems except Windows
NT can be restarted in Safe mode. Read the document
for your operating system:
               How to start Windows XP in Safe mode
               How to start Windows 2000 in Safe mode

3. Edit the registry
You must edit the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
and remove the wink[random characters].exe subkey
after you write down the exact name of the wink
file.

CAUTION: We strongly recommend that you back up the
system registry before you make any changes.
Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make
sure that you modify only the keys that are
specified. Please see the document How to back up
the Windows registry before you proceed.

     1. Click Start, and click Run. The Run dialog
box appears.
     2. Type regedit and then click OK. The
Registry Editor opens.
     3. Navigate to the following key:

     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

     4. In the left pane, under the \Services key,
look for the following subkey:

     \Wink[random characters]

     5. Write down the exact file name of the
Wink[random characters].exe file
     6. Delete the Wink[random characters] subkey.
     7. Navigate to the following key:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

     8. In the right pane, look for the following
values, and delete them if they exist:

     Wink[random characters] %System%\Wink[random characters].exe
     WQK %System%\Wqk.exe

     NOTE: They probably will not exist on Windows
2000/XP-based computers, but you should check for
them anyway.

     9. Click Registry, and click Exit.


4. Configure Windows to show all files
Do not skip this step.

     1. Start Windows Explorer.
     2. Click the Tools menu, and click "Folder
options."
     3. Click the View tab.
     4. Uncheck "Hide file extensions for known
file types."
     5. Uncheck "Hide protected operating system
files," and under the "Hidden files" folder, click
"Show hidden files and  folders."
     6. Click Apply, and then click OK.


5. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Winnt\System
folder, locate the Wink[random characters].exe
file, and delete it. (Depending on your system
settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location
other than C:\Windows, make the appropriate
substitution.

6. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop,
and click Empty Recycle Bin.

7. Update your antivirus product from the files
previously downloaded in step 1. Click Yes or OK if
prompted.  Refer to your antivirus help files for
information.

8. Reinstall your antivirus program with applicable
updates.

NOTE: If you are using NAV 2002 on Windows XP, this
may not be possible on all systems. You can,
however, try the following: Open the Control Panel,
double-click Administrative Tools, and then
double-click Services. In the list, select Windows
Installer. Click Action and then click Start.

9. Restart the computer and scan again
Shut down the computer, and turn off the power.
Wait 30 seconds and then restart it.

CAUTION: This step is very important. Reinfection
will occur if this is not followed.

Allow it to start normally. If any files are
detected as infected, quarantine them. Some of the
files that you may find are Luall.exe,
Rescue32.exe, and Nmain.exe.
~~~~~
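The persistence entries described above (the Wink<random>/WQK values under the Run key and the Wink<random> subkey under Services) are the same ones both removal procedures have you locate by hand in regedit. Added example (not Symantec's removal tool and not code from the advisory): a script that reads a regedit export, the file produced when you back up the registry as the CAUTION steps recommend, and lists the entries matching those indicators so the names can be written down before deleting them. The .reg sample is constructed; the random suffix "qxv" is a placeholder.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# Constructed regedit export: Wink*/WQK mimic the persistence above, ScanRegistry is benign.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Winkqxv"="C:\\WINDOWS\\SYSTEM\\Winkqxv.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winkqxv]
"ImagePath"="C:\\WINNT\\System32\\Winkqxv.exe"
'''

# "name"=data or @=data; string data is quoted, with \\ and \" escapes.
_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line) if current else None
        if not m:
            continue
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):  # unescape string data
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current]["" if m.group("default") else m.group("name")] = data
    return keys

def find_klez_persistence(reg_text):
    """List (key, value_name, data) entries matching the Wink*/Wqk indicators."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                exe = data.lower().split(" ")[0].rsplit("\\", 1)[-1]  # e.g. winkqxv.exe
                if (name.lower().startswith("wink") or name.upper() == "WQK"
                        or (exe.startswith("wink") and exe.endswith(".exe")) or exe == "wqk.exe"):
                    findings.append((key, name, data))
        elif key.lower().startswith(SERVICES_KEY.lower() + "\\"):
            subkey = key[len(SERVICES_KEY) + 1:].split("\\")[0]
            if subkey.lower().startswith("wink"):
                findings.append((key, "", "service subkey"))
    return findings
```

Run it against the export taken in the backup step; an empty result on a clean machine and the three entries on the sample are what to expect.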
