
Has anyone else been gettin' email with unknown attachments?

Posted: Wed Jul 31, 2002 5:12 am
by Derrick
I have been getting many emails with attachments that Norton doesn't like. The emails are "from" many of the members of this board. Just a suggestion that all should check their systems for a virus. If anyone has further info on this, please post. Thanx. D

Posted: Wed Jul 31, 2002 5:43 am
by VolFirefighter911
I have gotten many of these same emails.

I got it from one of my "coworkers"

Posted: Wed Jul 31, 2002 5:44 am
by mavericknet
It's a nasty nasty virus, errr, worm called Klez. It's shredding all the files on my computer and it attacks your antivirus software. If you get an e-mail from someone with an attachment, make sure you are absolutely sure it's something you want/asked for before you open it; it will most likely come from somebody you know, as it reads an address book to send it. If you happen to catch the virus, good luck. I've been trying to get rid of it for five days, and computers are my speciality. Cheers, -the computer geek in the group.

Viruses, especially Klez...

Posted: Wed Jul 31, 2002 6:01 am
by Tom in D.C.
The thing is to NOT open ANY attachments if the message comes from a source you do not recognize.

The Klez worm also uses your name/email address in emails between people you've never heard of, and when the virus is recognized YOU get a message saying that YOU sent an email which contained a virus. Nice, huh?

Tom, W2NJS
...in D.C.

Posted: Wed Jul 31, 2002 8:04 am
by firemed9
I keep getting it over and over from people I know and people I don't, and it seems to be sending out from my email also. Norton keeps catching it on the inbound though and quarantining it, but I still think I caught it. Norton has no current fix for it; any suggestions other than a sledge hammer to get rid of this virus?

Posted: Wed Jul 31, 2002 8:12 am
by alex
I thankfully am nice and virus free - and I don't use any virus protection :-D The beauty of being your own ISP, and having access to PINE :)

What it probably does is go through your whole computer and send itself off with return addresses from random people. So you don't know who it's coming from unless you break down the header information.

Norton is a very good product. The company whose computer infrastructure I support uses it, and while it's sometimes expensive when it comes around to renew the 61 licenses, it has saved HOURS of work on our part.

-Alex

Posted: Wed Jul 31, 2002 12:13 pm
by mobiletechcom
I got an email today from someone on this board asking for RSS, but no subject in the subject area... Hmmm.

Posted: Wed Jul 31, 2002 12:32 pm
by Will
I have been getting e-mails from various senders but there is nothing in the message area, but judging from the time it takes to get the email from my server, it has something my email/browser will not display. But then again I do not do Windows 9x or the Me/XP crap.
Just as a precaution I deleted my address book too.

Posted: Thu Aug 01, 2002 4:45 am
by JohnDo
:-? Hi Guys

Here is some more info on Mr Klez, thanks to the CA web site.

I have cleaned Klez off several PCs only to be called in the next day because they got it again. Make sure you delete it from your inbox so you don't run it again. Also delete your deleted items.

Anyway, here's some more info on Klez; hope it helps.
regards
JOHN

Win32.Klez.H is a mass mailing, network aware worm that spreads by using SMTP and through taking advantage of open network shares. In addition, it drops a polymorphic file infector virus into the Program Files directory.

The body of the message may be constructed from a list of phrases inside the virus. Each message contains HTML code which exploits the "Incorrect MIME Header" vulnerability in Internet Explorer, Outlook and Outlook Express. If successful, the e-mail attachment will be opened on viewing the message, without the user's knowledge.
For more information on this vulnerability, see:

http://www.microsoft.com/technet/securi ... 01-020.asp

The attachment names vary as they are randomly generated. The extension is randomly chosen from the following list:
.exe
.scr
.pif
.bat


Klez.H uses a variety of Subject lines that can include the following words and phrases:

how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
Detected
Hi,
Hello,
Re:
Fw:
Undeliverable mail--"*****"
Returned mail--"*****"
a ***** ***** game
a ***** ***** tool
a ***** ***** website
a ***** ***** patch
***** removal tools


The Subject line may also include the name of the recipient.

The message body can be randomly constructed or in some cases left empty. The following is a sample list that contains words and phrases that may be used to construct the message body. The worm may also use the words and phrases listed above for Subject construction:

The following mail can't be sent to *****:
The attachment
The file
is the original mail
give you the *****
is a ***** dangerous virus that *****
can infect on Win98/Me/2000/XP.
spread through email.
very
special
http://
www.
.com
For more information,please visit
This is
This game is my first work.
You're the first player.
I ***** you would ***** it.
enjoy
like
wish
hope
expect
Happy
Have a
Christmas
New year
Saint Valentine's Day
Allhallowmas
April Fools' Day
Lady Day
Assumption
Candlemas
All Souls'Day
Epiphany


where ***** is a word randomly selected from the following list:

new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky


Klez.H may use address 'spoofing' to make the e-mail it sends appear as if it has come from another machine. It uses addresses that it locates in the infected system to display in the "From" line of the e-mail.

The worm can also send a message with the Subject:

“Worm Klez.E immunity”

and the message body:

“Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.”

When the attachment is executed, the worm drops a copy of itself into the System directory. It then sets up a registry key to run itself on Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\="C:\WINDOWS\SYSTEM\"

The file name and registry value name are identical, and are randomly generated, but always begin with "Wink". For example, "Winkhj.exe".

The worm creates further copies of itself by inserting its code into .rar archives. Note: On machines where Klez.H has activated, CA antivirus solutions report these files as infected; users need to manually delete infected files located inside archives.

Klez.H also drops and activates a polymorphic virus - Win32/Wqk.C.

The encrypted text inside the worm code reads:

“ & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing”


Klez also acts as a companion virus. It locates a Win32 PE program, copies it under a different name (using a random extension) and overwrites the original with the worm code (e.g. - it copies MSACCESS.EXE to MSACCESS.UYI and overwrites the original MSACCESS.EXE).

During this action the virus does not increase the size of the infected program and keeps its original resources, so it presents a user with the same icon. The copy of the original file is marked as system and hidden. It is also compressed. As such, the file is no longer a Win32 executable. When a user executes a file that has been overwritten with the worm code - for example - MSACCESS.EXE, the worm runs first, then it locates, decompresses and executes the original program.

Detection for this worm has been added to Computer Associates antivirus solutions. Install the latest relevant update to ensure protection.

InoculateIT Engine Virus Signature Update Files, Version 23.53.05 (Engine version 23.53.00)

Vet Engine Virus Signature Update Files, Vet sig will be 10.4.1987

Inoculan 4.0/InoculateIT 4.5x Virus Signature Update Files, Version 35.05 (Engine version 35.00)

For more information, please visit the Win32.Klez.H description in our Virus Encyclopedia.
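
Alex's point earlier in the thread (you can't tell where a Klez mail really came from without breaking down the header information) and the CA description above (a randomly named attachment with an .exe/.scr/.pif/.bat extension, delivered through the MS01-020 "Incorrect MIME Header" trick, with a spoofed From: taken from the infected machine) can be turned into a small triage script. The following is an added example; it is not code from any post in this thread nor from CA. The message it inspects is constructed: the hosts and addresses are documentation values, the attachment name reuses the "Winkhj.exe" example from the CA text, and the shape of the MIME trick (an executable part declared with an audio/ Content-Type and pulled in by an IFRAME "cid:" reference) is taken from public descriptions of MS01-020, not from this page.

```python
"""Triage a suspicious message: look past the forged From: line to the relay
chain, and flag the attachment tricks the CA Klez.H writeup describes.
Added example, not code from the thread or from CA."""
import email
import email.utils
import os
import re
from typing import NamedTuple

# Constructed sample message (documentation-only hosts, RFC 5737 addresses).
# The executable part is declared as audio/x-wav and loaded by an IFRAME
# "cid:" reference, the delivery shape public writeups give for MS01-020.
SAMPLE = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123; Wed, 31 Jul 2002 05:12:00 -0400
Received: from pc-203-0-113-7.dialup.example (unknown [203.0.113.7])
\tby mail.example.org with SMTP; Wed, 31 Jul 2002 05:10:00 -0400
From: "Tom" <tom@example.com>
To: derrick@example.net
Subject: a funny website
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><iframe src="cid:part1" width=0 height=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="winkhj.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

DANGEROUS_EXT = {".exe", ".scr", ".pif", ".bat"}   # the extensions CA lists
# "from <helo> (<rdns> [<ip>])" as written by most MTAs
HOP_RE = re.compile(
    r"\bfrom\s+(\S+)\s*\(\s*(\S*?)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]\s*\)", re.I)


class Hop(NamedTuple):
    helo: str   # name the sending host announced (sender-controlled)
    rdns: str   # reverse DNS the receiving relay found ("unknown" if none)
    ip: str     # address the relay actually talked to


def received_chain(msg):
    """Return the relay chain oldest-first; hop 0 is the submitting host."""
    hops = []
    for hdr in msg.get_all("Received", []):
        unfolded = " ".join(hdr.split())        # join continuation lines
        m = HOP_RE.search(unfolded)
        if m:
            hops.append(Hop(m.group(1), m.group(2), m.group(3)))
    hops.reverse()      # relays prepend, so the last header is the origin
    return hops


def attachment_findings(msg):
    """Flag executable attachments and the audio/-disguise MIME trick."""
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            body = part.get_payload(decode=True).decode("ascii", "replace")
            if re.search(r"<iframe[^>]+src=[\"']?cid:", body, re.I):
                findings.append("HTML body auto-loads an attachment via IFRAME cid:")
            continue
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in DANGEROUS_EXT:
            findings.append(f"executable attachment {name}")
            if not ctype.startswith("application/"):
                findings.append(f"{name} declared as {ctype} (MS01-020 pattern)")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":             # PE header, whatever the label says
            findings.append(f"{name or ctype} payload is a PE executable")
    return findings


def triage(raw):
    msg = email.message_from_bytes(raw)
    hops = received_chain(msg)
    findings = attachment_findings(msg)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = sender.rpartition("@")[2].lower()
    if hops and from_domain:
        origin = hops[0]
        # Klez mails straight from the infected PC, so the first hop rarely
        # belongs to the domain the forged From: claims.
        if not any(h.lower().endswith(from_domain) for h in (origin.helo, origin.rdns)):
            findings.append(
                f"From: claims {from_domain} but origin is {origin.helo} [{origin.ip}]")
    return {"from": sender, "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("From:", report["from"])
    for hop in report["hops"]:
        print(f"  hop: helo={hop.helo} rdns={hop.rdns} ip={hop.ip}")
    for f in report["findings"]:
        print("  !", f)
```

Only the topmost Received: line (the one your own server wrote) is trustworthy; every line below it, like the HELO name inside it, could have been forged by the worm's own SMTP engine, which is why the script reports the bracketed IP the relay saw rather than the announced name. The From: mismatch is a heuristic, not proof: a real user sending through a third-party relay trips it too, so treat it as a reason to look at the attachment checks, which are the decisive signal here.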

Posted: Thu Aug 01, 2002 6:00 am
by Keygun
firemed9 wrote: "I keep getting it over and over from people I know and people I don't, and it seems to be sending out from my email also. Norton keeps catching it on the inbound though and quarantining it, but I still think I caught it. Norton has no current fix for it; any suggestions other than a sledge hammer to get rid of this virus?"

There is a tool out on the net called FixKlez. It works really well in cases where not too many files are infected. If anybody wants to give it a try, I have it here.

Keygun

Posted: Thu Aug 01, 2002 5:18 pm
by Donnie5063
I have been getting a lot of them myself, usually about 2 or 3 per day. Wish it would stop. Donnie G.

Posted: Fri Aug 02, 2002 7:31 pm
by Jonathan KC8RYW
Gee, I haven't gotten any. I must be lucky. Either that or the virus filtering email server my school has must actually work. :P

For the record, I don't use MS Outlook, so don't worry about mass quantity of crap email coming from me. :-? I never have, and I never will use Outlook (sorry Bill G.)

Of course, everyone is free to use whatever email proggie they want, no matter how susceptible to abuse it is. :o

Posted: Sat Aug 03, 2002 5:33 am
by ricciticcitembo
I'm with Alex and Will. Unix=novirus.