Note: This is an archived topic. It is read-only.
  ProwlerOnline, Plymouth/Chrysler Prowler Discussion Forum
  Off Topic
  klenz32 (Page 2)

This topic was originally posted in this forum: Tires, Rims Discussion
Author Topic:   klenz32
Key Man
Prowler Junkie

Posts: 255
From: Canada
Registered: MAR 2002

posted 05-22-2003 10:50 PM
I opened an email that said "2002 Silver Prowler see my beautiful girlfriend" didn't notice my virus protect didn't open, everybody on my contact list got an email within 10 minutes which was returned to me as a failed delivery notice. This is the second time this has happened to me using this site. What's up with this?


ed monahan
Prowler Junkie

Posts: 33595
From: Cincinnati, OH
Registered: JUL 2000

posted 05-22-2003 10:58 PM
Sounds like you need to update your Norton anti-virus. If no one else's computer accepted it, yours must be faulty. The Klez virus has been around for about a year. I still get a few a week but not 10 a day like I had been getting. Hope your computer is okay.


Key Man
Prowler Junkie

Posts: 255
From: Canada
Registered: MAR 2002

posted 05-23-2003 12:32 AM
Ed
I bought the 03 version of Norton & couldn't load it, after I reset my comp to 2000 default settings, they could do nothing for me and still billed me approx. $70 for their time so I BLEW $140. I tried Safeworld, & that got kicked out when this virus took over again. I'm still infected (Safeworld Suks). I am so sorry for people that get my unintentional e-mails. I can only hope your anti-virus is current.
PS. I know of one person that no longer accesses this site because of viruses.
Alan
(very p*ssed with a lot of people that I don't even know!)


CTProwler
Prowler Junkie

Posts: 3915
From: Sherman CT USA
Registered: NOV 2002

posted 05-23-2003 06:55 AM
Don't open emails unless you know who it is. Email them back and ask if not sure. Happens a lot. People use POA or Prowler in their emails to trick you. Be careful.


ed monahan
Prowler Junkie

Posts: 33595
From: Cincinnati, OH
Registered: JUL 2000

posted 05-23-2003 09:02 AM
Alan, I do not know enough about computers to help you but I am sure someone on POA can help you out. Sorry to hear about all of that. The KLEZ is very tricky. I had a huge problem last year but finally got it figured out.


Black Tie 161
Prowler Junkie

Posts: 3563
From: MD, USA
Registered: JUL 2002

posted 05-23-2003 09:15 AM
The Klez virus actually PREVENTS anti-virus software from loading!

Since I joined this board, I have gotten some crazy messages from members with the "Klez virus" attached. This is a virus that goes into your email address book, and SELF GENERATES email to others and makes it look like someone else sent it. This is a very vicious virus, and ALL of you should download an anti-virus software program, since this virus is very destructive and self-perpetuating. Home computers are much more vulnerable since there are fewer firewalls...
Below is some info to help you....I strongly suggest you look into it if you have been getting weird emails and God forbid if you had opened the attachments!
Any of you using MS Explorer have a vulnerability that is exploited by this virus. If you EVER got any funny emails with shady attachments......even from people you know, you may have the virus. It is a vicious virus that infects your email and sends itself to people in your address book without your knowledge. I got a virus protection package from www.Mcafee.com that killed it....But I had to manually disable the virus through a series of emailed instructions because the virus actually prevents anti-virus software from being loaded!

There are also free patches for Explorer at www.msn.com to close the virus loophole.

If any of you got weird emails, this may help explain.....

I hope this helped awareness of this virus.....it is nasty!

-Joe


Virus Profile

Virus Name: W32/Klez.h@MM
Risk Assessment: Medium

Virus Information:
Date Discovered: 4/17/2002
Date Added: 4/17/2002
Origin: Unknown
Length: approx 90kB
Type: Internet Worm
SubType: Win32
DAT Required: 4182

Virus Characteristics:

--- Update 4/30/2002 ---
This virus remains at a Medium Risk overall, however AVERT is still seeing many infections reported from Home Users and is informing Home Users that they are STILL at a HIGHER likelihood of infection than corporate users.
HOME USERS SHOULD UPDATE THEIR DATS AS SOON AS POSSIBLE TO PREVENT INFECTION

--- Update 4/18/2002 ---
AVERT has raised the risk assessment of this threat to Medium after seeing an increase in prevalence over the past 24 hours. Home users are at a greater risk of infection, as they tend to update their DATs less frequently than corporations. As such, the risk of becoming infected in a corporate environment is lower.

This latest W32/Klez variant is already detected as W32/Klez.gen@MM by McAfee products using the 4182 DATs (23 January 2002) or greater.

W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

W32/Klez.h@MM makes use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
The worm has the ability to spoof the From: field (often set to an address found on the victim machine).
The worm attempts to unload several processes (antivirus programs) from memory, including those containing the following strings:
_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
SCAN
VIRUS
LOCKDOWN2000
Norton
Mcafee
Antivir
The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
350.bak.scr
bootlog.jpg
user.xls.exe

The worm may also copy itself into RAR archives, for example:
HREF.mpeg.rar
HREF.txt.rar
lmbtt.pas.rar

The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

Subject: A very funny website
or Subject: Undeliverable mail--
or Subject: Returned mail--
or Subject: A WinXP patch
or Subject: A IE 6.0 patch
or Subject: W32.Elkern removal tools
or Subject: W32.Klez.E removal tools

The file attachment name is again generated randomly, and ends with a .exe, .scr, .pif, or .bat extension, for example:
ALIGN.pif
User.bat
line.bat

Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in infection of the victim machine.

W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.

Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:

.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.c
.pas
.mpg
.mpeg
.bak
.mp3
.pdf
This payload can result in confidential information being sent to others.


Indications Of Infection:

Randomly/oddly named files on network shares, as described above.
Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Method Of Infection:

This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, exploits a Microsoft vulnerability, spreads via network shares, infects executables on the local system, and drops an additional file infecting virus, W32/Elkern.cav.c.


Removal Instructions:

Use current engine and DAT files for detection.
Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished. The following steps will circumvent this action and allow for proper VirusScan scanning/removal, by using the command-line scanner.

1. Ensure that you are using the minimum DAT specified or higher.
2. Close all running applications
3. Disconnect the system from the network
4. Go to a command prompt, then change to the VirusScan engine directory:
   Win9x/ME - Click START | RUN, type command and hit ENTER.
   Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
   WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
   Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
5. Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
6. First, scan the system directory
   Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
   WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
7. Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
8. Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
9. After scanning and removal is complete, reboot the system
10. Apply Internet Explorer patch if necessary.

Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.

Additional Windows ME/XP removal considerations


Aliases:

W32/Klez.G@mm (Norman), W32/Klez.gen@MM, W32/Klez.I (Panda), W32/Klez.K-mm, WORM_KLEZ.G (Trend)

This message has been edited by Black Tie 161 on 05-23-2003 at 09:18 AM
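
As an added example (not part of the original thread or of the McAfee profile quoted in the post above), the following Python turns the profile's "Indications Of Infection" and file-naming patterns into a triage check over a share listing and an export of the Run key. The sample input is constructed, and the length allowed for the random part of WINKxxx.EXE is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Executable extensions the profile lists for attachments and share copies.
EXEC_EXT = {".exe", ".scr", ".pif", ".bat"}
# Document-type extensions listed in the profile; the worm borrows these
# for the first half of a double extension.
DECOY_EXT = {".txt", ".htm", ".html", ".wab", ".asp", ".doc", ".rtf", ".xls",
             ".jpg", ".cpp", ".c", ".pas", ".mpg", ".mpeg", ".bak", ".mp3", ".pdf"}
# Run-key data referencing WINKxxx.EXE. The profile only says "xxx" looks
# random, so 1-8 word characters is an assumption made for this example.
WINK_RE = re.compile(r'(?:^|[\\/\s"])WINK\w{1,8}\.EXE\b', re.IGNORECASE)


def classify_name(name):
    """Return why a file name matches the profile's naming patterns, or None."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT:
        if suffixes[-1] in EXEC_EXT:
            return "double extension ending in an executable type"
        if suffixes[-1] == ".rar":
            return "document-style name wrapped in a RAR archive"
    return None  # single extensions such as bootlog.jpg need a content scan


def suspicious_run_entries(run_values):
    """run_values maps Run-key value names to their command lines."""
    return sorted(n for n, cmd in run_values.items() if WINK_RE.search(cmd))


def triage(file_names, run_values):
    """Collect leads for a scanner to confirm; a hit is not a verdict."""
    files = {}
    for name in file_names:
        reason = classify_name(name)
        if reason:
            files[name] = reason
    return {"files": files, "run_keys": suspicious_run_entries(run_values)}


# Constructed sample input: the share listing reuses the profile's example
# names, the Run-key values are invented for illustration.
SAMPLE_FILES = ["350.bak.scr", "bootlog.jpg", "user.xls.exe",
                "HREF.mpeg.rar", "budget.xls", "backup.tar.gz"]
SAMPLE_RUN = {"Wink1a2": r"C:\WINDOWS\System32\Wink1a2.exe",
              "SoundMan": "SOUNDMAN.EXE",
              "Updater": r'"C:\Program Files\Vendor\update.exe" /quiet'}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_RUN))
```

Name matching cannot see the single-extension copies (bootlog.jpg in the profile's own list), so it complements the command-line scan in the removal steps rather than replacing it.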

idive
Prowler Junkie

Posts: 8483
From: Texas USA
Registered: APR 2003

posted 05-23-2003 09:41 AM
I have Norton and that also caught Klez on mine. I also have AVG antivirus that I picked up at work. It is free and can be updated online. If you need a copy of it I can email it to you. (It's a large file.) I know someone that had a virus and runs both Norton and AVG. Norton did not find it but AVG did. There is also a site online that you can go to to scan your system if you don't have an antivirus already. http://housecall.antivirus.com/
Was klenz32 a typo for klez32 or a different virus?

This message has been edited by idive on 05-23-2003 at 11:55 AM

SuperKat
Prowler Junkie

Posts: 2221
From: Atlanta, GA, USA
Registered: NOV 2001

posted 05-23-2003 11:53 AM
I think this virus has Ed figured out. I seem to get emails from him quite often. The last came while he was in Louisville. Actually got about a half dozen in POA names. I have not seen one with a prowler in the subject, scary.
Gordon


Dale Beaman
Prowler Junkie

Posts: 2699
From: Lexington, KY, USA
Registered: AUG 2002

posted 05-23-2003 12:39 PM
McAfee works great.


ed monahan
Prowler Junkie

Posts: 33595
From: Cincinnati, OH
Registered: JUL 2000

posted 05-23-2003 08:52 PM
Gordon, my computer was actually turned off while I was gone. I usually never turn it off since I am on cable.


SuperKat
Prowler Junkie

Posts: 2221
From: Atlanta, GA, USA
Registered: NOV 2001

posted 05-23-2003 10:40 PM
Not to worry Ed, I never suspected you were actually behind this diabolical scheme. I know you have bigger plans. Hope they don't start coming in with prowler related subjects instead of the junk names. Have a good weekend.


Bcoffman Gray Ghost
Prowler Junkie

Posts: 2418
From: Marshall,Mo.65340
Registered: DEC 2002

posted 05-24-2003 11:13 AM
One question about the virus getting in my e-mail address book. I have Norton anti-virus 2002. I keep it up-dated every 2-3 days. I use Hot-mail exclusively. It uses McAfee virus scan on all attachments. Now my question. Would the KLEZ virus be able to get in my Hot-Mail address book? The address book isn't on my computer, (I think). It is on Hot-mail's server, isn't it?


YellowFever
unregistered

Posts: 2418
From: Marshall,Mo.65340
Registered: DEC 2002

posted 05-26-2003 05:51 PM           
quote:
Originally posted by Bcoffman Gray Ghost:
One question about the virus getting in my e-mail address book. I have Norton anti-virus 2002. I keep it up-dated every 2-3 days. I use Hot-mail exclusively. It uses McAfee virus scan on all attachments. Now my question. Would the KLEZ virus be able to get in my Hot-Mail address book? The address book isn't on my computer, (I think). It is on Hot-mail's server, isn't it?

It depends.

Hotmail has been around for quite a while but, Microsoft was using Outlook and you had to be a Microsoft customer to use Outlook. Problem was, you couldn't use or access it from anywhere other than the pc you installed it on and had your address book on.

Then Microsoft bought Hotmail and started migrating individual pc (ie. MSN) accounts to it.

The good news is that if you cancel your MSN account and go with Roadrunner cable, you still have your hotmail (msn) account (ie. trey@msn.com vs. trey@hotmail.com ). You also have the restrictions (sizewise) of a free account versus a monthly paid one but, the point being, you still have the same email address for friends and such to send you emails.

Sorry for the history lesson but, the point is, that if you started out with an Outlook account and now have their hotmail account (msn account) you still have an address book locally.

We not only use McAfee anti-virus software on all our servers at home but, also use their firewall software too. I would highly recommend a firewall software in addition to any anti-virus software.

Bcoffman Gray Ghost
Prowler Junkie

Posts: 2418
From: Marshall,Mo.65340
Registered: DEC 2002

posted 05-26-2003 08:46 PM
Guess I'll be OK then. Never used Outlook. Started with Lycos e-mail and when it went out of business, I went straight to Hotmail. So that makes it sound like my address book is at Hotmail server. Rather than being on my computer. Thanks for the input.


FL Blue Kat
Prowler Junkie

Posts: 471
From: Zellwood, FL
Registered: JAN 2003

posted 05-27-2003 05:53 AM
If you are going to install a fire-wall then look at Zone Alarm. It works great and is totally FREE for private home use.



All times are CT (US)