Tuesday, September 07, 2010
Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
Viruswarn Forums
Lee Drake (Posts: 238), 05/20/2002 1:12 PM
There is a new mass mailer on the loose, known variously as "KLEZ", "KLEZ.H" and "KLEZ.MM".
What It Is
Like the nasty SirCam worm of last year, this one contains its own SMTP engine but it's a bit smarter; it uses the default SMTP gateway of the local machine, thus assuring that its messages will get out. This program is a mass mailer, harvesting addresses from the Windows Address Book. It will also harvest email addresses from Outlook, Outlook Express, and other email programs. KLEZ has a number of forms, some of which are easier to purge from your system than others. The most virulent form can render a Windows 2000 machine unusable - you need to reformat and reinstall to get it back up and running. There are cleaners for the virus that work with varying degrees of success.
This virus is "Polymorphic", that is, it spreads using shares on a person's computer, as well as using email infection. If you have a home network and one of your machines is infected, you should probably be sure to run the cleaner and scanner on ALL your machines.
The program uses past methods of stealing snippets of text from items on your hard drive for the body of the message, thus both making the message look more authentic, as well as possibly revealing private data. It also attaches itself to existing documents on your hard drive as the body, changing the extension to a .PIF extension. The subject changes each time a message is sent out - and the spelling appears to be correct in most of the subject headers. On machines without an up to date version of Microsoft Internet Explorer it will attempt to run itself from the preview window, without the user having to do anything.
This virus can spoof the return address of the email so that it looks like it's coming from a different machine than the one it's sending from. It will use return addresses from the address book as the "from" address, making tracking it back to its source more difficult. If you get a copy of KLEZ, just hitting return to send a mail back to the person probably won't send it to the original virus sender. Careful examination of the headers may reveal who the actual sender is. The virus might also configure itself to look like a "bounced message".
If the virus runs, it may be able to shut down your anti-virus software (turn off scanning). If you're booting up and don't see your normal scanner icon in the systray you may be infected.
I know at least one of you out there has this virus as I've gotten one addressed to viruswarning-owner@azcomputer.net :)
How Can I Protect Myself?
As always, it is best to avoid opening suspicious or unexpected attachments from any source. The Outlook 2000 Security Patch, which is available separately and is a part of Service Release 2, automatically blocks PIF files such as this worm by default. Up-to-date virus signatures should also detect this worm as it attempts to do its work. Using Windows Update to update your IE to version 5.5 or 6.0 with the latest critical updates will reduce your risk as well. Set your security settings to RESTRICTED zone in both Outlook and Outlook Express to avoid having code run in your Outlook window. Finally, using virus scanning software that scans your emails as they come in and as they're sent out will also help ensure you're at lowest risk for this type of virus.
McAfee
McAfee VirusScan detects the worm as New Virus when scanning with older than 4182 DATs (or newer) with Program Heuristics enabled and by name with the 4182 DATs, which were released this morning and can be retrieved by AutoUpdate or manually from http://www.mcafeeb2b.com/naicommon/download/dats/mcafee_4x.asp.
McAfee info can be found at: http://vil.nai.com/vil/content/v_99455.htm
Of the two methods, AutoUpdate is preferred, as it is much easier to use and can be completely automated. AutoUpdate is a predefined task in the VirusScan Console. To activate it, do the following:
1) Locate the VirusScan Console on your task bar. It will be located at the far right end near the clock.
2) Right click the icon and choose Restore from the context menu.
3) To run the AutoUpdate now, double-click the AutoUpdate task, or simply click it and choose Start Task from the Task menu.
4) To schedule AutoUpdate, highlight the task, click Properties on the Task menu, then click the Schedule tab on the dialog that displays.
5) Click the Enable check box, then select your schedule, then click the Apply button to put them into effect.
Norton
The easiest way to update your virus definitions is to run LiveUpdate. LiveUpdate is located in your Control Panel; double-click the icon and follow the instructions. According to the Symantec article at http://www.sarc.com/avcenter/venc/data/w32.klez.h@mm.html, the virus definitions on the LiveUpdate servers incorporate information about this worm.
If You Run Windows ME, Read This
Microsoft Windows ME includes a system restore feature that can interfere with complete eradication of worms such as this one that arrive as program files. Please visit http://vil.nai.com/vil/content/v_99386.htm and scroll down to the topic Additional Windows ME Info for step by step instructions.
Other Issues
You can obtain the Microsoft patch that addresses the vulnerability that this virus exploits at:
http://windowsupdate.microsoft.com
OR
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
If you already have this virus, some variants clean fairly easily, others replace key systems components and cannot be easily cleaned. You can get a removal tool here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
Some folks have had better luck with AVP's removal tool here:
ftp://ftp.kaspersky.ru/utils/clrav.com
McAfee doesn't provide a cleaning tool, but they do provide instructions:
http://vil.mcafee.com/dispVirus.asp?virus_k=99455#removal_instructions
This concludes this VirusWarning notice.
Lee Drake, Moderator
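The two checks the post recommends, reading past a spoofed From: header to the Received chain to find the host that actually injected the message, and catching the .pif attachment that the Outlook patch blocks, as an added Python example that is not part of the original post. The message, hosts, addresses and ids are constructed, and the extensions beyond .pif are an assumed list of similar program-file types.

```python
import email
import re
from email import policy

# Constructed sample (hosts, addresses and ids are made up): a From: address
# taken from someone's address book, a bounce-style subject, a .pif attachment.
RAW_MESSAGE = b"""\
Received: from mailhost.example.org (mailhost.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id AAA111; Mon, 20 May 2002 12:55:01 -0400
Received: from OEMCOMPUTER (dsl-203-0-113-77.example-isp.net [203.0.113.77])
\tby mailhost.example.org with SMTP id BBB222; Mon, 20 May 2002 12:54:58 -0400
From: alice@example.com
To: viruswarning-owner@azcomputer.net
Subject: Undeliverable mail--"Returned mail"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream; name="report.pif"
Content-Disposition: attachment; filename="report.pif"

placeholder bytes, not a real program
--XYZ--
"""

# .pif is the type the post names; the rest is an assumed list of similar types.
BLOCKED_EXTENSIONS = (".pif", ".exe", ".scr", ".bat")

def originating_hop(msg):
    """Host named in the earliest Received header. Each relay prepends its own
    line, so the last one is the hop that injected the message, whatever the
    spoofed From: header claims."""
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    from_clause = re.split(r"\s+by\s+", str(hops[-1]), maxsplit=1)[0]
    return from_clause.split(None, 1)[1].strip()  # drop the literal "from"

def blocked_attachments(msg):
    """Attachment file names whose extension is on the block list."""
    return [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(BLOCKED_EXTENSIONS)]

def triage(raw_bytes):
    """Parse one message and report the three things worth checking."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {"claimed_from": str(msg["From"]),
            "first_hop": originating_hop(msg),
            "blocked": blocked_attachments(msg)}
```

Run `triage(RAW_MESSAGE)`: the claimed sender is alice@example.com, but the first hop is the dial-up host OEMCOMPUTER, which is where a reply or an abuse report should actually be directed.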
Lee Drake (Posts: 238), 05/20/2002 1:12 PM
KLEZ Update....
According to our latest reports the newest variant of KLEZ not only does all the things detailed in the last statement, but also infects machines with the ELKERN virus, a virus which destroys system files, making your system unusable and unbootable. ELKERN only activates after a few days of having the KLEZ infection (in most cases) but when it does activate it will probably trash your computer - forcing a reformat and reinstall to recover it.
We strongly advise getting the latest virus signatures and Internet Explorer updates, and aggressively scanning your system to prevent the spread of this virus on both your home and work machine. I continue to get 2-3 copies of this virus per day - it's highly active, and the NIPC has issued a warning regarding it (http://www.nipc.gov/warnings/alerts/2002/02-002.htm).
Lee Drake, Moderator