Topic: READ THIS NOW! VIRUS TRIGGERS TODAY! (Page 1)
GRROWL


POA Site Supporter
Prowler Junkie

From:Herndon, VA
Registered: Feb 2002
posted 09-06-2002 04:27 PM
I posted this elsewhere, but now that I see that this is hitting POA members today, EVERYONE NEEDS TO BE VERY CAREFUL - a virus is set to trigger TODAY!

The following article is written in plain English and makes two important points:

1. The listed sender is not the sender.
2. Today is a trigger date.

+++++++++++++++++++++++++++++++++++++++ http://zdnet.com.com/2100-1105-956740.html

Klez set to return--but may backfire

By Robert Lemos
Special to ZDNet News
September 5, 2002, 11:33 AM PT

A minor variant of the Klez virus is set to go into action Friday, erasing a host of files on infected hard drives. But the attack may also wipe out the attacker.


The 8-month-old mass-mailing computer virus called Klez.E triggers its payload on the sixth day of March, May, September and November, erasing 14 different types of files, including Word documents and HTML files.
But the variant has all but disappeared from the Internet, said Vincent Gullotto, director of the antivirus emergency response team at security company Network Associates, and the year's two remaining payloads should call attention to the few computers still infected with Klez.E, allowing the pest to be exterminated.

The Klez.E variant runs a distant second to its far more prevalent Klez.H cousin, making up only 3 percent of the junk e-mail associated with the Klez virus. Klez.H accounts for the other 97 percent.
Data from e-mail services provider MessageLabs shows that in August, the company intercepted 580,000 e-mails carrying the prolific Klez.H variant but only 16,000 carrying Klez.E. On Thursday, the minor Klez variant was present in only 338 infected e-mails in the last 24 hours.
Klez.E arrives in e-mail and uses an old flaw in Microsoft Internet Explorer to execute automatically. On infected PCs, the computer virus activates a malicious payload and overwrites any file accessible to it--both local and on the network-- of the following types: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak and .mp3.
Klez.H doesn't overwrite files, but it may randomly choose a document from a victimized computer and attach it to the e-mails it sends out to spread itself. In addition, Klez.H spoofs the sender's address to make it look like a random person from the infected PC's address book is actually sending the virus-laden mail. This makes it harder to pinpoint an infected system and can lead to a muddle when people without the pest are told they have it.

+++++++++++++++++++++++++++++++++++++++++

-GRROWL

YellowFever
unregistered

posted 09-06-2002 05:39 PM
Long, but if you have the virus, here is the way to fix it from McAfee:

Delete Infected Files
The Klez Trojan activates a copy of the Elkern virus which has a highly destructive payload, infecting random .exe files. To clean all files, run a scan in DOS.

Boot into Safe Mode
1. Shut the computer down so the power is off.
2. Wait 20 seconds.
3. Turn on the computer and immediately press the F8 key on the keyboard repeatedly, once every second. Do this until the Windows Startup Menu appears. Note: If you get a keyboard error, press the F1 key to resume and continue pressing the F8 key once every second.
4. Select option #3 (Safe Mode) from the Windows Startup Menu.
5. Press the Enter key on the keyboard. Windows will boot into Safe Mode.
Note: This may take longer than a normal boot.
6. At the end of the boot process, a dialog box appears confirming that Windows is in Safe Mode. Click the 'OK' button.

Backup the Registry
1. From the taskbar, click Start > Run.
2. Type regedit and click OK.
3. The Registry Editor appears. From the toolbar at the top of window, click File > Export.
4. The Export Registry File dialog box appears. At the top, in the drop-down menu titled "Save in", select Desktop.
5. In the "File Name" field, type backup.
6. In the "Export range" section, select All.
7. Click Save.
Note: If you need to restore the registry, double-click on the backup file you created and follow the prompts. Once you have finished these instructions and verified everything is working properly, delete this backup file by right-clicking on it and clicking Delete. This ensures that the old registry is not accidentally restored.

Edit the Registry
1. From the taskbar, click Start > Run.
2. Type regedit and click OK.
3. The Registry Editor appears. Click the + next to each of the following:

• HKEY_LOCAL_MACHINE
• Software
• Microsoft
• Windows
• CurrentVersion
• Run
In the right pane, look for the following values:
Wink*** = "%System%\Wink*.exe"
WQK*** = "%System%\Wqk.exe"
Note: * = any random characters
4. Highlight any of these values if they exist and press the Delete key on your keyboard.
5. Now locate the following key if it exists:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
6. Highlight Services and from the right pane, highlight the sub key Wink***. Press the Delete key.
Note: * = any random characters
7. Repeat steps 5 and 6 for the following keys if they exist:
HKEY_LOCAL_MACHINE\System\CurrentControlSet001\Services
HKEY_LOCAL_MACHINE\System\CurrentControlSet002\Services
8. Close the Registry Editor.

Disable Startup Items (Win95/98/ME/XP Users)
1. From the taskbar, click Start > Run.
2. Type msconfig and click OK.
3. The System Configuration Utility appears.
4. Click the Startup tab.
5. In the list of startup programs, look for the following files:

• Wink***.exe
• WQK***.exe
Note: * = any random characters
6. If found, write down the full name of the file and uncheck it to prevent it from starting automatically.
7. Click the 'Apply' button, then OK.
8. Restart your computer.

Disable System Restore (WinME/XP Users)
Windows ME and XP use a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan Online will be unable to delete it. You must disable the System Restore utility to remove the infected files from the C:\_Restore folder.

Update or install VirusScan Online, restart the computer in Safe Mode and run a virus scan on the system. Delete any files infected with Klez.

The Klez worm takes advantage of a security vulnerability in Microsoft Internet Explorer. We recommend you apply the patch for this vulnerability.
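
The registry checks in the procedure above can also be run against the exported backup file instead of by eye. This is an added example, not part of the original post or of McAfee's instructions; the sample export, the value names `Winkabc` and `WQKxyz`, and the function name are constructed for illustration.

```python
import re

# Constructed sample in REGEDIT4 export format (not from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winkabc"="C:\\WINDOWS\\SYSTEM\\Winkabc.exe"
"WQKxyz"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkabc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock]
"Start"=dword:00000001
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Value names from the post: Wink*** and WQK*** (* = random characters).
NAME_RE = re.compile(r"^(wink|wqk)", re.IGNORECASE)
# Services subkey Wink*** under any control set spelling (with or without
# the "Current" prefix, with or without a numeric suffix).
SERVICE_RE = re.compile(
    r"^hkey_local_machine\\system\\(current)?controlset\d*"
    r"\\services\\(wink[^\\]*)$",
    re.IGNORECASE,
)
# "name"="string data" lines; backslashes and quotes are escaped in exports.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def find_klez_entries(export_text):
    """Return (kind, name_or_key, detail) tuples worth reviewing by hand."""
    findings = []
    key = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            m = SERVICE_RE.match(key)
            if m:
                findings.append(("service", key, m.group(2)))
            continue
        if key is None or key.lower() != RUN_KEY:
            continue
        m = VALUE_RE.match(line)
        if m and NAME_RE.match(m.group(1)):
            data = m.group(2).replace("\\\\", "\\")  # undo export escaping
            findings.append(("run", m.group(1), data))
    return findings


if __name__ == "__main__":
    for finding in find_klez_entries(SAMPLE_EXPORT):
        print(finding)
```

A match is a lead to check against the procedure, since the `Wink*` pattern is broad. Exports that begin with "Windows Registry Editor Version 5.00" are UTF-16 and need to be opened with that encoding before the text is passed in.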

ed monahan





POA Lifetime Site Supporter
Prowler Junkie
Personal ScrapBook

From:Cincinnati, Oh, USA
Registered: Jul 2000
posted 09-07-2002 12:08 AM
I got the virus tonight. I opened a file from "Beware" about the prowler toon (I know it did not come from you, Rich. I didn't then.) I also got some cartoons from Butchcee. One or the other had the virus attached. I hope I did not pass it on. I know you guys did not send it to me; I am just explaining how I got it again. Apparently if you have gotten Klez in the past it eliminates your McAfee even though it shows you are still protected.
GRROWL


POA Site Supporter
Prowler Junkie

From:Herndon, VA
Registered: Feb 2002
posted 09-07-2002 07:59 AM
That's OK, Ed. I got one from you yesterday. In fact, that's what prompted this post. It was something about "humour", so I figured it wasn't really from you.

-GRROWL

GRROWL


POA Site Supporter
Prowler Junkie

From:Herndon, VA
Registered: Feb 2002
posted 09-07-2002 08:22 AM
As I posted before, the giveaway (without opening the Email) is the file size - all of the infected Emails I have received have ranged from 129K to 172K.

Here's the new ones from this morning:

viperdaytona Hello,steve,meeting notice
Sep 06 21:24 121k

omar_bowt Prowler Toons
Sep 07 03:50 152k

prowling
Sep 07 07:46 157k

I have erased these unread; if anyone really sent them, let me know (in a short message without attachments).

And, just for the #$^%&* of it, here are the ones I posted last time:

jkerner PLUGINSPAGE Aug 04 13:26 143k
jkerner <jkerner@stvpax.com>

only1cj Aug 04 18:06 137k
only1cj <only1cj@comcast.net>

DFAdmin Spice girls' vocal concert Aug 06 10:28 163k
DFAdmin <DFAdmin@prowleronline.com>

karns Cellspacing Aug 06 10:30 129k
karns <karns@mindspring.com>

mopardave Worm Klez.E immunity Aug 06 10:37 126k
mopardave <mopardave@aol.com>

lroussel A new website Aug 06 20:44 162k
lroussel <lroussel@attglobal.net>

regcom Cellpadding Aug 06 22:06 149k
regcom <regcom@yahoo.com>

cyr0 Cellpadding Aug 06 22:08 141k
cyr0 <cyr0@cstone.net>

albraga _____ Aug 07 09:29 172k
albraga <albraga@yahoo.com>

I have become very suspicious of anything in the 125K and up size - I don't believe that I ever received an Email below this size that contained a virus. Then again, Norton is now set for maximum scanning and catches them anyway.

-GRROWL

WildCat





POA Site Supporter
Prowler Junkie
Personal ScrapBook

From:North Louisville, Indiana, USA
Registered: Jul 2000
posted 09-07-2002 09:51 AM
I'm very HAPPY with Norton.... I have been getting several e-mails with the virus this past week. At least 3 a day.

------------------
Larry & Sue Mayes

prowlerFreek


POA Site Supporter
Prowler Junkie

From:Spotsylvania, VA
Registered: Jun 2002
posted 09-07-2002 10:18 AM
I got something today from someone named Prowlertime@aol.com but I'm not sure what it is... could be a virus... but who knows! Anyone on here send me anything??

------------------
Steve M. Email: Fierosam@aol.com
1986 Fiero GT (sold)
2002 Mustang GT
2002 Pt Cruiser
2001 Ford Focus
...and someday a PROWLER!!!...

butchcee


POA Site Supporter
Prowler Junkie

From:Lake Ariel, Pa.
Registered: Sep 2000
posted 09-07-2002 10:28 AM
I wish everyone would check their puter for viruses. Most of my Klez junk seems to originate from a POA member. Give us a break!

------------------

Yellow is DCOOLEST

sam771
unregistered

posted 09-07-2002 11:19 AM
Butchcee,

I don't think anyone from POA sent you any virus. There is someone out there who scans anyone's e-mail and then attaches a virus; they might have scanned and got your address, then sent it to you using another POA member's address. Mike K and his staff should know about this. I believe the POA site gets hit over 100 times a day.

The best way to protect your e-mail is just to set up two or three extra e-mail addresses: use one e-mail for your friends and people you know, and use another for registering your products online or contacting other sites, including Yahoo, eBay and others wide open to the public.

My old e-mail address sam@comhut.com got hit by viruses 20-40 times a day, and they used my address to send over 20.000 viruses to everyone they could find, until I had to shut down the server, reload, and never put my address back on.

just jack


POA Site Supporter
Prowler Junkie

From:Oakmont, PA
Registered: May 2001
posted 09-07-2002 05:12 PM
Well, count me in! I too got the virus. I don't think it came from here. I remember the e-mail. Sh~t. I double checked with 2 different programs to make sure it was removed. SYMANTEC has a specific patch for this particular virus. As does WWW.BITDEFENDER.COM. Both are free. JJ.
just jack


POA Site Supporter
Prowler Junkie

From:Oakmont, PA
Registered: May 2001
posted 09-07-2002 05:14 PM
I should also add that WWW.SYMANTEC.COM is Norton. They have a patch just for this virus. JJ.
YellowFever
unregistered

posted 09-07-2002 06:10 PM
quote:
Originally posted by butchcee:
I wish everyone would check their puter for viruses. Most of my Klez junk seems to originate from a POA member. Give us a break!


It is very easy to spoof email and IP addresses.

Again, part of the trick with any email virus is to throw you off track and look in the WRONG direction.

Here is a scenario: Prowler member "A" sends a humorous email to 5-10 POA members and 5-10 other people, one of them forwards that to 4-5 friends, and so on. The person with the virus may even know what a Prowler is let alone be a member of the POA. The virus then captures the 300-400 email addresses from all the forwarding and voilà.
BTW, it also figures out who sent what and to whom, so it makes it look like Prowler member "A" is sending you viruses.....

Make sense?


CWatsonJr


POA Site Supporter
Prowler Junkie
Personal ScrapBook

From:Pollock Pines, CA, USA
Registered: Mar 2001
posted 09-07-2002 07:34 PM
I put a couple of different headers in the topic at:
http://www.prowleronline.com/ubb/Forum1/HTML/007215.html

So if anyone knows someone with a cv.net email address, that would be a good place to start.

------------------
Cliff Watson See My Prowler Page
2K1 Mulholland, Colorshift Flames, Mud Flaps, TGF Side Panels, TGF Bumper Covers, Eric Wolf Chrome Tranny Cooler, Blueberry Shimmers, Front Ceramic Pads, Homemade Top Brace, SSS Muffler, Weekender.
2001 Dakota SLT+ CC (Patriot Blue)
1998 Durango SLT+ (Intense Blue)
X - 1998 Honda Accord
X - 1991 Dodge Spirit
X - 1965 Ford Mustang (289)
X - 1994 Dodge Daytona Turbo
X - 1971 Ford Pinto (The Rust Bucket)

cnote6





POA Site Supporter
Prowler Junkie
Personal ScrapBook

From:Dallas, TX
Registered: Nov 2000
posted 09-07-2002 10:16 PM
I get 4 to 6 a day
butchcee


POA Site Supporter
Prowler Junkie

From:Lake Ariel, Pa.
Registered: Sep 2000
posted 09-08-2002 03:33 AM
Well, it's getting old no matter where it's coming from. I thought it would attach to someone's addy book and send from there. A good way to check would be to remove all POA members from your addy book and see if the problem goes away, right? Or don't I get it?

------------------

Yellow is DCOOLEST

GRROWL


POA Site Supporter
Prowler Junkie

From:Herndon, VA
Registered: Feb 2002
posted 09-08-2002 07:36 AM
butchcee, to help your theory, let's look at this:

1) I don't use Outlook nor do I use any address books. Has anyone ever gotten a virus that supposedly came from me?

2) I received a virus that seemed to have come from POA itself (I know it didn't, it's just redirection). Here's the info:

DFAdmin Spice girls' vocal concert Aug 06 10:28 163k
DFAdmin <DFAdmin@prowleronline.com>

Would this originate from a POA address list, or a member's address list, or is the virus using the POA member list as a source of mailings?

You're now beyond my knowledge, I'm just trying to offer datapoints to others who may be able to do something with them.

-GRROWL

CWatsonJr


POA Site Supporter
Prowler Junkie
Personal ScrapBook

From:Pollock Pines, CA, USA
Registered: Mar 2001
posted 09-08-2002 10:19 AM
Al is right. If the address books were dumped then the virus would not have any source of email addresses to mail to/from. It doesn't pull them from your in or out box, just your address book.

To help you along, consider this. I have been told that a virus email came from me, when in fact I was not infected. The reason: I was in the infected person's address book and the virus spoofed the email address to look like it came from me.

If you look at those headers I posted, on the surface it looks like they came from two different people, but if you look at the top, you will see the originator is the same on both emails. The virus on the infected person's computer went through their address book and sent emails spoofing the return address.

Hope that helps

This message has been edited by CWatsonJr on 09-08-2002 at 10:20 AM

butchcee


POA Site Supporter
Prowler Junkie

From:Lake Ariel, Pa.
Registered: Sep 2000
posted 09-08-2002 10:43 AM
OK Guys and Gals. I'll delete all POA'ers from my book and hopefully all you will do the same and let's see if we can clear this up. No Jokes for a while.

------------------

Yellow is DCOOLEST

Todd Cameron
unregistered

posted 09-08-2002 03:47 PM
I think the virus is inside the server on POA. I've gotten too many viruses from members I never knew existed and none from anyone in my address book. Others have "gotten" things from me who I did not know existed. Also.. I get this virus 2-5 times a day from other people outside the POA... and another dave lynch person sends me an average of 50-100 different viruses a day!
Mike Krehel





POA Site Supporter
The World's Quickest Prowler (11.65 sec) and Administrating Kat
Personal ScrapBook

From:United States
Registered: Jul 2000
posted 09-08-2002 04:09 PM
Sorry Todd,

I can assure you that there is no virus on or in the POA server. Our server runs Linux, not Windows, is constantly updated with the latest patches and monitored for any suspicious activity, including the mail server.

If you look at the headers in the Klez mailings, you can clearly see that they are being relayed off other computers and servers. The POA names are coming from infected members' PCs' address books.

Everyone should make sure they are running the latest version of anti-virus software.
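
The header comparison that CWatsonJr and Mike Krehel describe above can be done mechanically by grouping messages on the connecting host recorded by your own mail server rather than on the From line. This is an added example, not from the thread; the hostname `mx.example.net`, the documentation-range IP addresses and all three messages are constructed.

```python
import re
from collections import defaultdict
from email import message_from_string

# Assumption: hostname of the recipient's own mail server. Only the
# Received line stamped by this server is trusted; lower ones can be forged.
TRUSTED_MX = "mx.example.net"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed messages: A and B show different senders but one origin.
MSG_A = """\
Received: from smtp.example.org (pc-17.dialup.example.org [192.0.2.17])
\tby mx.example.net with SMTP; Sat, 7 Sep 2002 03:50:11 -0500
From: omar <omar@example.com>
Subject: Prowler Toons

body
"""
MSG_B = """\
Received: from steve-pc (pc-17.dialup.example.org [192.0.2.17])
\tby mx.example.net with SMTP; Sat, 7 Sep 2002 07:46:02 -0500
Received: from mail.example.com ([203.0.113.5])
\tby mx.example.net with SMTP; Sat, 7 Sep 2002 07:40:00 -0500
From: steve <steve@example.com>
Subject: meeting notice

body
"""
MSG_C = """\
Received: from larry-pc (host9.example.edu [198.51.100.9])
\tby mx.example.net with SMTP; Sat, 7 Sep 2002 09:51:40 -0500
From: larry <larry@example.com>
Subject: hello

body
"""


def connecting_ip(raw_message, trusted_mx=TRUSTED_MX):
    """IP that connected to our own server, from its Received stamp."""
    msg = message_from_string(raw_message)
    # Headers are listed newest first, so the first line stamped by our
    # server is the genuine one even if a forged copy sits below it.
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())  # unfold continuation lines
        frm, _, rest = text.partition(" by ")
        if rest.split(" ", 1)[0].lower() == trusted_mx:
            m = IP_RE.search(frm)
            return m.group(1) if m else None
    return None


def group_by_origin(messages):
    """Map connecting IP -> list of From headers seen from that host."""
    groups = defaultdict(list)
    for raw in messages:
        groups[connecting_ip(raw)].append(message_from_string(raw)["From"])
    return dict(groups)


if __name__ == "__main__":
    for ip, senders in group_by_origin([MSG_A, MSG_B, MSG_C]).items():
        print(ip, senders)
```

Several unrelated From names mapping to one connecting address point to a single infected machine spoofing names from its address book.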

CJ





POA Lifetime Site Supporter
Prowler Junkie
Personal ScrapBook

From:Rochester Hills, MI USA
Registered: Jul 2000
posted 09-08-2002 04:17 PM
I've been getting a lot of these emails also. However, I can always tell when they are bogus. The name of the sender on the email is totally different than what that person's really is. The subject doesn't usually make any sense, either. I can recognize them right away and just delete. Like Mike said, I believe they go through the address books and pick up enough information to make it look legitimate..........but really isn't.
Todd Cameron
unregistered
Personal ScrapBook
posted 09-08-2002 04:44 PM
Well, that's good to know, Mike! Running a scan again on Norton, but my Norton has never picked this up, but I bet I have it though.
ed monahan





POA Lifetime Site Supporter
Prowler Junkie
Personal ScrapBook

From:Cincinnati, Oh, USA
Registered: Jul 2000
posted 09-08-2002 10:08 PM
I removed every address in my book, all 500 of them. I didn't know I knew that many people.
GenoTex


POA Site Supporter
Prowler Junkie
Personal ScrapBook

From:Oakfield, WI, USA
Registered: Mar 2002
posted 09-09-2002 12:59 AM
ed... I got an email from you... and several other prowler names... ALL had same subject "language".... in light of these recent posts deleted it.... was it a 'real' email or one of these perhaps?
ed monahan





POA Lifetime Site Supporter
Prowler Junkie
Personal ScrapBook

From:Cincinnati, Oh, USA
Registered: Jul 2000
posted 09-09-2002 01:04 AM
GenoTex, I did not send you an email. It was a virus, I presume. I got the virus again the other night but I removed it by following MeanGene's directions.

All times are CT (US)

All material contained herein, Copyright 2000 - 2012 ProwlerOnline.com
E-Innovations, LP
