IMPORTANT W32/Klez.h@MM Virus havoc!


Phantasm66

PLEASE READ THIS

We are having A LOT of trouble at my work with a very nasty and very clever virus called Klez.

Please read this:

http://vil.mcafee.com/dispVirus.asp?virus_k=99455

The virus works by, amongst other devious things, searching the network for directory shares with "everyone write" access, and writing copies of itself into these.

This virus is making havoc on my work LAN, and I am racing to beat it at every turn. Every time I stamp out one machine, one dumb *** user logs themselves onto another machine and loads infected files from their home directory before I have had time to clean that, and then infects another machine as well.

The virus seems very clever at breaking anti-virus software once it's infected a box. It's made such a mess of certain machines that I have had to reinstall them.

But how do you figure out which machine on your LAN is sending out the virus when it writes to shares?

Here is how:

1)Share a folder on your machine on your LAN, and make the share permissions everyone full control.

2)Download this program:

http://146.191.34.65/sessionlogger.exe


I swear that this file is clean, and was written by a friend of mine.

3)Open a command prompt, and run sessionlogger.exe

4)This will log sessions to c:\sessions.txt.

5)Open another command prompt, and type

more c:\sessions.txt

6)Periodically repeat step 5, checking for changes in the file. You will see the computer name of any machine trying to send files to your share.


Good luck! This virus is really earning me my wages this week.

Any more information and I will report.

Many thanks to the Doctor at my work who wrote the sessionlogger.exe program.


Lord Phantazmm.
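As an added example, not the sessionlogger.exe from the post (its source is not given here), the same idea in Python. It polls the local SMB session table with the Win32 call NetSessionEnum from netapi32 at information level 10, which reports the client computer name and user name of every session to the local server, and appends each newly appeared session to c:\sessions.txt. The poll interval, the log format, the level-10 choice and the log path are this example's own assumptions.

```python
"""Log which LAN machines open SMB sessions to this host.

Added example in the spirit of the post's sessionlogger.exe, not that program.
The enumeration is NetSessionEnum (netapi32) at information level 10; the
polling, de-duplication and log format are this example's own choices.
"""
import sys
import time

LOG_PATH = r"c:\sessions.txt"   # the file step 5 of the post tells you to `more`


def enumerate_sessions():
    """Return [(client_computer, user_name), ...] for current sessions. Windows only."""
    import ctypes
    from ctypes import wintypes

    class SESSION_INFO_10(ctypes.Structure):
        _fields_ = [("cname", wintypes.LPWSTR),      # client computer name
                    ("username", wintypes.LPWSTR),
                    ("time", wintypes.DWORD),        # seconds the session has been active
                    ("idle_time", wintypes.DWORD)]

    PSI10 = ctypes.POINTER(SESSION_INFO_10)
    netapi32 = ctypes.WinDLL("netapi32")
    netapi32.NetSessionEnum.argtypes = [
        wintypes.LPWSTR, wintypes.LPWSTR, wintypes.LPWSTR, wintypes.DWORD,
        ctypes.POINTER(PSI10), wintypes.DWORD,
        ctypes.POINTER(wintypes.DWORD), ctypes.POINTER(wintypes.DWORD),
        ctypes.POINTER(wintypes.DWORD)]
    netapi32.NetSessionEnum.restype = wintypes.DWORD
    netapi32.NetApiBufferFree.argtypes = [ctypes.c_void_p]

    buf = PSI10()
    read, total, resume = wintypes.DWORD(), wintypes.DWORD(), wintypes.DWORD()
    status = netapi32.NetSessionEnum(None, None, None, 10, ctypes.byref(buf),
                                     0xFFFFFFFF,   # MAX_PREFERRED_LENGTH: API sizes the buffer
                                     ctypes.byref(read), ctypes.byref(total),
                                     ctypes.byref(resume))
    if status != 0:
        raise OSError(f"NetSessionEnum failed, NET_API_STATUS {status}")
    try:
        return [((buf[i].cname or "").lstrip("\\"), buf[i].username or "")
                for i in range(read.value)]
    finally:
        netapi32.NetApiBufferFree(buf)


def new_sessions(previous, current):
    """Sessions present now that were absent in the previous poll.

    Comparing against the previous poll rather than an all-time set means a
    client that disconnects and comes back is logged again, which is what you
    want when hunting a machine that reconnects to write more copies."""
    prev = set(previous)
    return [s for s in current if s not in prev]


def log_line(client, user, stamp):
    return f"{stamp}  client={client or '?'}  user={user or '?'}"


def run(poll_seconds=5, log_path=LOG_PATH):
    previous = []
    with open(log_path, "a") as log:
        while True:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S")
            current = enumerate_sessions()
            for client, user in new_sessions(previous, current):
                log.write(log_line(client, user, stamp) + "\n")
                log.flush()                       # so `more c:\sessions.txt` sees it at once
            previous = current
            time.sleep(poll_seconds)


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("NetSessionEnum is a Windows API; run this on the host of the bait share")
    run()
```

Run it on the machine hosting the bait share and `more c:\sessions.txt` as in step 5. A session entry tells you who connected, not what they wrote, so compare the timestamps in the log with the modification times of files that appear in the share, and clean the bait share itself before you take it down.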
 
Received from Sophos:

SOPHOS USERS ALREADY PROTECTED AGAINST "KLEZ.H" WORM

Sophos has received a significant number of enquiries about
a new computer worm called "Klez.H" following media reports
and alerts by other anti-virus vendors.

Sophos would like to reassure its customers that, unlike users
of other anti-virus products, if they have kept their Sophos
anti-virus software up-to-date they have been capable of
protecting against this latest variant of the destructive Klez
worm for over two months.

The March 2002 (3.55) edition of Sophos Anti-Virus protects
against the new Klez variant via its detection of an earlier
variant, W32/Klez-G, and protection was first made available
on 7 February 2002. Therefore, Sophos will detect "Klez.H" as
"W32/Klez-G". You can read more about W32/Klez-G at:
http://www.sophos.com/virusinfo/analyses/w32klezg.html

Sophos reminds users that its MailMonitor for SMTP on
Windows NT/2000 gateway product can dramatically reduce the
threat of new and unknown viruses. Through its innovative
threat reduction technology it is capable of blocking dangerous
file types from entering your organisation. More details
on the threat reduction technology can be found at:
http://www.sophos.com/pressoffice/pressrel/uk/20020403mm.html

Sincerely

Sophos technical support
 
I guess I should have warned you earlier, good that someone actually did.
Do I open attachments I receive from University of Uzhgorod, from someone I've never heard of? Of course ;)

Return-Path: <nebola@univ.uzhgorod.ua>
Delivered-To: me
Received: (qmail 32348 invoked from network); 19 Apr 2002 15:53:23 -0000
Received: from unknown (HELO hades.univ.uzhgorod.ua) (194.44.230.1)
    by mail.yifansoft.com with SMTP; 19 Apr 2002 15:53:23 -0000
Received: from Czg (dialup1.univ.uzhgorod.ua [194.44.230.201])
    by hades.univ.uzhgorod.ua (8.10.2/8.10.2) with SMTP id g3JG3Vr14529
    for <me>; Fri, 19 Apr 2002 19:03:34 +0300
Date: Fri, 19 Apr 2002 19:03:34 +0300
Message-Id: <200204191603.g3JG3Vr14529@hades.univ.uzhgorod.ua>
From: clord <clord@Dtcc.com>
To: me
Subject: W32.Elkern removal tools
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=P5387PH2E1

--P5387PH2E1
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>W32.Elkern is a special dangerous virus that can infect on Win98/Me/2000/XP.<br>
F-Secure give you the special W32.Elkern removal tools<br>
<br>
For more information,please visit http://www.F-Secure.com</FONT></BODY></HTML>

--P5387PH2E1
Content-Type: application/octet-stream;
    name=setup.exe
Content-Transfer-Encoding: base64
Content-ID: <A290t1tEM01zy9>
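As an added example, not part of the post above: the headers quoted there are enough to see where the message really came from. The script below rebuilds the message from those headers (the base64 body of setup.exe is replaced by a constructed stub, a DOS "MZ" signature plus zeros, not the worm), walks the Received: chain from the bottom up, and compares the domains in From:, Return-Path: and the originating hop. The list of extensions treated as executable is an assumption of the example.

```python
"""Trace a message back through its Received: chain.

Added example, not part of the thread. SAMPLE is rebuilt from the headers
quoted in the post; the attachment body is a constructed stub.
"""
import base64
import email
import re
from email.utils import parseaddr

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RDNS_RE = re.compile(r"\(([\w.-]+)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")  # sendmail "(host [ip])"
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com")              # assumption

SAMPLE = """\
Return-Path: <nebola@univ.uzhgorod.ua>
Delivered-To: me
Received: (qmail 32348 invoked from network); 19 Apr 2002 15:53:23 -0000
Received: from unknown (HELO hades.univ.uzhgorod.ua) (194.44.230.1)
  by mail.yifansoft.com with SMTP; 19 Apr 2002 15:53:23 -0000
Received: from Czg (dialup1.univ.uzhgorod.ua [194.44.230.201])
  by hades.univ.uzhgorod.ua (8.10.2/8.10.2) with SMTP id g3JG3Vr14529
  for <me>; Fri, 19 Apr 2002 19:03:34 +0300
Date: Fri, 19 Apr 2002 19:03:34 +0300
Message-Id: <200204191603.g3JG3Vr14529@hades.univ.uzhgorod.ua>
From: clord <clord@Dtcc.com>
To: me
Subject: W32.Elkern removal tools
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary=P5387PH2E1

--P5387PH2E1
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY><FONT>W32.Elkern is a special dangerous virus that can infect on Win98/Me/2000/XP.<br>
F-Secure give you the special W32.Elkern removal tools</FONT></BODY></HTML>

--P5387PH2E1
Content-Type: application/octet-stream;
  name=setup.exe
Content-Transfer-Encoding: base64
Content-ID: <A290t1tEM01zy9>

""" + base64.b64encode(b"MZ" + b"\x00" * 14).decode() + """

--P5387PH2E1--
"""


def received_hops(msg):
    """One dict per Received: header, in header order (nearest us first)."""
    hops = []
    for raw in msg.get_all("Received", []):
        v = " ".join(raw.split())                        # unfold the header
        m_from = re.match(r"from\s+(\S+)", v)             # name the peer gave in HELO
        frm = m_from.group(1) if m_from else None
        m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", v)    # qmail style
        m_by = re.search(r"\bby\s+(\S+)", v)
        m_rdns = RDNS_RE.search(v)
        m_ip = IP_RE.search(v)
        hops.append({"from": frm,
                     "helo": m_helo.group(1) if m_helo else frm,
                     "rdns": m_rdns.group(1) if m_rdns else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "by": m_by.group(1) if m_by else None})
    return hops


def origin_hop(hops):
    """The bottom-most hop with a 'from' clause: where the message entered SMTP."""
    for hop in reversed(hops):
        if hop["from"]:
            return hop
    return None


def domain_of(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw):
    msg = email.message_from_string(raw)
    origin = origin_hop(received_hops(msg))
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    findings = []
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From: is {from_dom} but bounces go to {rp_dom}")
    if origin and from_dom:
        entry = origin["rdns"] or origin["from"]
        if not entry.lower().endswith(from_dom):
            findings.append(f"entered SMTP from {entry} ({origin['ip']}), not a {from_dom} host")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            findings.append(f"executable attachment {name}")
            if msg.get_content_type() == "multipart/alternative":
                findings.append("executable inside multipart/alternative, a container "
                                "for renderings of one body, not for attachments")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "origin": origin, "findings": findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE)["findings"]:
        print("-", f)
```

For this message it reports that From: claims dtcc.com while bounces go to univ.uzhgorod.ua, that the message entered SMTP from dialup1.univ.uzhgorod.ua (194.44.230.201), and that an executable is carried inside a multipart/alternative container. The only hop you can vouch for is the one written by your own server (here mail.yifansoft.com receiving from 194.44.230.1); the hop below it is hades' record and could have been forged by the sender, although here it is consistent with the Return-Path.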
 
F-Secure Virus Descriptions


Radar Alert LEVEL 2
NAME: Klez.H
ALIAS: I-Worm.Klez.H, W32/Klez.H, Klez.K (Messagelabs), Klez.G (Trend)



THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
For more information, see: http://www.F-Secure.com/products/radar/




The new version of the Klez worm was found in various parts of Asia on April 17th, 2002. Klez.H is most likely currently spreading to Europe and the USA. This worm, like its previous versions, sends e-mail messages with randomly named attachments and subject fields.

The Klez.H variant is quite close to the Klez.E, F and G worm variants. The descriptions of the Klez.E, F and G variants can be found here:

http://www.europe.f-secure.com/v-descs/klez.shtml


F-Secure Virus Research Team found the following differences in the Klez.H variant compared with its previous versions:

1. There's no payload routine.

2. The .PDF extension was added to the list of extensions that the worm uses to make a double-extension name for its file.

3. The worm sometimes uses a social engineering approach in its spreading and sends the following message with its own file attached:

Subject:


Worm Klez.E immunity

Body:


Klez.E is the most common world-wide spreading worm.It's very
dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus
technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious
virus.
You only need to run this tool once,and then Klez will never
come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real
worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.

The 'mail to me' is represented as a link to the sender's e-mail address. Note that this address is not always the real sender's address.

4. The worm contains a new text message from its author. This text is never displayed:


Win32 Klez V2.01 & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP'
2,With very interesting feature.Check it!
3,No any payload.No any optimization'
4,Not bug free,because of a hurry work.No more than three weeks
from having such idea to accomplishing coding and testing'

5. The worm drops the new Elkern virus variant. Unlike the previous Klez versions, Klez.H puts the virus dropper into \Program Files\ folder with a random name and activates it.

6. The worm adds two more names to the list of anti-virus companies that it previously had:


Trendmicro
Kaspersky

These names are used by the worm to compose messages when it sends itself as a virus removal tool from anti-virus companies.

7. It was also noticed that the latest Klez variants, including Klez.H, can send out the user's files with its message. The worm can randomly pick a file with one of the following extensions and attach it to its infected message:


.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.c
.pas
.mpg
.mpeg
.bak
.mp3
.pdf

So in some cases the user's confidential data can be sent out from an infected system.
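Added example, not from the F-Secure description: the attachment checks a gateway filter would apply to points 2, 3 and 7 above (and the "block dangerous file types" idea in the Sophos note). HARVESTED_EXT is the extension list just quoted; which extensions count as executable, the double-extension rule and the lure words are this example's assumptions, since the description does not reproduce the worm's own attachment extensions.

```python
"""Attachment checks for Klez-style mail, as a gateway filter would apply them.

Added example, not F-Secure's or the thread's code. HARVESTED_EXT is the list
quoted above; EXECUTABLE_EXT, the double-extension rule and LURE_WORDS are
assumptions of this example.
"""
HARVESTED_EXT = {"txt", "htm", "html", "wab", "asp", "doc", "rtf", "xls", "jpg",
                 "cpp", "c", "pas", "mpg", "mpeg", "bak", "mp3", "pdf"}
EXECUTABLE_EXT = {"exe", "scr", "pif", "bat", "com"}                  # assumption
LURE_WORDS = {"removal", "immunity", "tool", "tools", "cure", "fix"}  # assumption


def extensions(name):
    """Every extension of a file name, lowest first: 'a.pdf.exe' -> ['pdf', 'exe'].

    Trailing spaces and dots are dropped first because Windows drops them when
    it creates the file, so 'a.pdf.exe .' still lands on disk as a.pdf.exe."""
    stem = name.strip().rstrip(" .").lower()
    parts = stem.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(name):
    exts = extensions(name)
    if not exts:
        return "no-extension"
    if exts[-1] in EXECUTABLE_EXT:
        # <something>.<document ext>.<executable ext>: with "hide extensions for
        # known file types" on, the user sees only the document extension.
        if any(e in HARVESTED_EXT for e in exts[:-1]):
            return "double-extension-executable"
        return "executable"
    if exts[-1] in HARVESTED_EXT:
        return "document"
    return "other"


def lure_subject(subject):
    words = {w.strip(".,:;!?\"'").lower() for w in subject.split()}
    return bool(words & LURE_WORDS)


def message_verdict(subject, attachment_names):
    """Block any executable and list the reasons an analyst would want to see."""
    kinds = {n: classify(n) for n in attachment_names}
    exes = [n for n, k in kinds.items() if k.endswith("executable")]
    docs = [n for n, k in kinds.items() if k == "document"]
    if not exes:
        return "allow"
    reasons = ["executable attachment"]
    if any(kinds[n] == "double-extension-executable" for n in exes):
        reasons.append("double extension")
    if docs:
        # point 7 above: the worm ships a random file from the victim's disk
        reasons.append("executable travels with a user document (possible data leak)")
    if lure_subject(subject):
        reasons.append("subject reads like a virus-fix lure")
    return "block: " + "; ".join(reasons)


if __name__ == "__main__":
    print(message_verdict("W32.Elkern removal tools", ["setup.exe"]))
    print(message_verdict("The Garden of Eden", ["budget.xls", "eden.doc.pif"]))
```

The data-leak reason is worth surfacing separately: a blocked message that carries a .doc or .xls from the sender's disk means that user's machine is infected and that file has already left it, so the sender, not just the recipient, needs a visit.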
 
You might get a spam e-mail saying it's got a fix for the virus and a file attachment that says it has a "cure". Delete this immediately.

More machines still found with this. I am fighting a battle.
 
I've received this virus twice now in the same day, both times the return address was invalid, and one of the subjects was "The Garden of Eden". Both times it was Klez.G.
 
Originally posted by Phantasm66
You might get a spam e-mail saying it's got a fix for the virus and a file attachment that says it has a "cure". Delete this immediately.
Yep, in case someone didn't understand my post, I got just that, I was told that attached app will cure it. Yeah, right.
 
I'm still waiting for my virus. :( Where is it? Someone has to have a virus locked somewhere; send it to me.
 
/me tip toes in the room, all sweaty & nervous with a box shaking in his hands...

/me carefully places the box on the floor...

There it is. Be very careful. The only way I caught it was by playing Celine Dion music really loud. He got knocked out after 2 hours. Now he's very pissed off. I wouldn't stick my finger in there if I were you.;)

Ah the heck with it !!!

/me shoves the Virus down Poertner's pants.

:D
 
Originally posted by erwin1978
I'm still waiting for my virus. :( Where is it? Someone has to have a virus locked somewhere; send it to me.

If you are able to make it to our IRC channel I told you that someone would be able to send one to you. I am not going to post one on this site, nor any other. So if you really need one, come to the channel

P.S. And if you do join, I will give you my personal special virus....Right Didou ;) ;)
 
Why the Klez worm just won't go away

Every time a virus or worm -- like Klez -- wreaks havoc across the globe, it's inevitably followed by copycat variants. So how can you protect yourself against these viral descendants? Robert offers some advice.

By Robert Vamosi for AnchorDesk.com

Soon after a virus or worm wreaks havoc across the globe, it's often followed by copycat variants. For example, within days of the original ILOVEYOU virus infection that took place two years ago, some 40 ILOVEYOU variants circulated on the Internet, each with its own distinctive quirk.

Why is this? Because for every virus that is successful (i.e., can spread itself and do damage on remote computers), there are hundreds of viruses that never see the light of day. So when a virus manages to unleash itself on the world, other virus writers try to ride that success and personalise the digital miscreant with their own messages. Luckily, most antivirus programs can stop these copycats before they hit your computer.
Since the first of this year, I've seen variants of popular viruses that are quite robust. The copies are often stronger than the original, as though the primary author was not satisfied with the original release and tweaked it to make it more destructive.

First, the Maldal family descendants Reeezak and Maldal.I appeared around the New Year. Then, at the end of March, several versions of the MyLife worm cropped up. Currently, a new version of the Klez worm is circulating worldwide.

The original Klez.A worm first appeared in October 2001, arriving as an email in which the sender asked for employment. Within the body text of the original Klez.A email, the author wrote:

I'm sorry to do so, but it's helpless to say sorry. I want a good job, I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names, I have no hostility. Can you help me?

What distinguishes Klez from other worms is that it carries a second virus, the Elkern virus. Thus, Klez is sometimes known as the "twin virus." The original Elkern virus infected only executable files on Windows 2000, by injecting virus code into empty file cavities. The upgraded Elkern.C virus (available in Klez.H) now infects executable files on all platforms of Windows.
The author apparently sees Klez as a work in progress, even providing within the code a text file that explains what is different in this new release. Here's part of the text included within the latest release:

Win32 Klez V2.01 & Win32 Foroux V1.0 Copyright 2002,made in Asia About Klez V2.01: 1,Main mission is to release the new baby PE virus,Win32 Foroux 2,No significant change.No bug fixed.No any payload. About Win32 Foroux (plz keep the name,thanx)... Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing.
(Note: Win32.Foroux is the author's name for the Elkern virus.)

Judging by clues within the Klez worm code, some believe it may originate from the Guangdong province of China -- the same place where last summer's Code Red is thought to have come from.

What can be done to better protect you from virus copycats? More antivirus software makers should offer one signature definition file designed to block all probable variations of a single family of viruses. Some vendors already do this. Also, you should be vigilant about keeping your antivirus software up to date with the latest virus signatures. See this article for more advice.

Until both you and all the antivirus companies take these precautions, every time a new "successful" virus appears, you can expect at least one or two robust variations to follow.

source: http://www.anchordesk.co.uk/anchordesk/commentary/columns/0,2415,7112100,00.html
 
When will it stop is what I'd like to know. I get 3-4 'virus' emails everyday (for the past 10-12 days) & my anti-virus software (AVG www.grisoft.com) is catching every instance (verified by Norton & McAfee scans), but what a pain! :blackeye:

Any email w/an attachment (from an unknown source) is getting nuked whether AVG says it's 'infected' or not. I've had to institute 'code words' to be included in emails w/attachments from people I know. No code word: nuke it!

Guess 'til this is cleared up, I need to 'filter' my email inbox to accept ONLY people in my address book & continue all my others 'precautions' too.

Thanks for the info & I hope someone kills this d@mn thing. If anyone has any suggestions/programs that will send this thing back where it originated ... please speak up!
 