This is some info on Klez. It pays to check that your
ISP also scans incoming mail as well as outgoing. My
ISP has done a great job in this. We have had one and
one only. I run AVG and do an update check each day.
Virus Profile
Virus Information
Name: W32/Klez.h@MM
Risk Assessment
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 4/17/2002
Date Added: 4/17/2002
Origin: Unknown
Length: approx 90kB
Type: Internet Worm
SubType: Win32
DAT Required: 4182
Virus Characteristics
W32/Klez.h@MM has a number of similarities to previous
W32/Klez variants, for example:
- W32/Klez.h@MM makes use of the "Incorrect MIME Header
  Can Cause IE to Execute E-mail Attachment" vulnerability
  in Microsoft Internet Explorer (version 5.01 or 5.5
  without SP2).
- The worm has the ability to spoof the From: field
  (often set to an address found on the victim's
  machine).
- The worm attempts to unload several processes
  (antivirus programs) from memory, including those
  containing the following strings:
_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
SCAN
VIRUS
LOCKDOWN2000
Norton
Mcafee
Antivir
The worm is able to propagate over the network by
copying itself to network shares (assuming sufficient
permissions exist). Target filenames are chosen
randomly, and can have single or double file
extensions. For example:
350.bak.scr
bootlog.jpg
user.xls.exe
The worm may also copy itself into RAR archives, for
example:
HREF.mpeg.rar
HREF.txt.rar
lmbtt.pas.rar
The worm mails itself to email addresses in the
Windows Address Book, and to addresses extracted from
files on the victim's machine. It arrives in an email
message whose subject and body are composed from a pool
of strings carried within the virus (the virus can
also add other strings obtained from the local
machine). For example:
Subject: A very funny website
or Subject: Undeliverable mail--
or Subject: Returned mail--
or Subject: A WinXP patch
or Subject: A IE 6.0 patch
or Subject: W32.Elkern removal tools
or Subject: W32.Klez.E removal tools
The file attachment name is again generated randomly,
and ends with an .exe, .scr, .pif, or .bat extension,
for example:
ALIGN.pif
User.bat
line.bat
Thanks to the use of the exploit described above,
simply opening or previewing the message in a
vulnerable mail client can result in an infection of
the victim's machine.
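The two spreading routes described above (oddly named copies on network shares, and mail attachments whose MIME header does not match the executable they carry) can be checked by the same filename and content heuristics. The following is an added example written for this page, not McAfee's tool or anything from the original post; the share listing, the raw message, its From: address and its audio/x-wav media type are all constructed sample data, chosen to illustrate a header that disagrees with the attachment rather than copied from a real Klez sample. It goes slightly beyond the text by also reading the MZ executable header, which catches a worm copy saved under a plain data name such as bootlog.jpg, which no filename rule can flag.

```python
import email
from email import policy

# Extensions the profile lists for the worm's own copies: .exe/.scr/.pif/.bat
# for mail attachments, .scr/.exe (plus .rar archives) on network shares.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat"}


def last_ext(name):
    """Lower-cased final extension of a filename ('' when there is none)."""
    parts = name.lower().rsplit(".", 1)
    return parts[1] if len(parts) == 2 else ""


def classify_filename(name):
    """Reasons a filename matches the naming the profile describes ([] if none)."""
    reasons = []
    exts = name.lower().split(".")[1:]
    if not exts:
        return reasons
    if exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{exts[-1]}")
    # Double extension: a decoy data extension in front of the real one
    # (user.xls.exe, 350.bak.scr), or a .rar wrapping such a name (HREF.txt.rar).
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS | {"rar"}:
        reasons.append(f"double extension .{exts[-2]}.{exts[-1]}")
    return reasons


def hides_executable(name, head):
    """True when the data starts with the MZ executable header but the filename
    does not end in an executable extension (the profile's bootlog.jpg case)."""
    return head[:2] == b"MZ" and last_ext(name) not in EXECUTABLE_EXTS


def scan_share_listing(listing):
    """listing maps filename -> first bytes of that file; returns {name: reasons}."""
    flagged = {}
    for name, head in listing.items():
        reasons = classify_filename(name)
        if hides_executable(name, head):
            reasons.append("MZ header under a non-executable name")
        if reasons:
            flagged[name] = reasons
    return flagged


def scan_message(raw):
    """Walk a raw RFC 822 message and report attachments that look like the worm."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_filename(name)
        ctype = part.get_content_type()
        # The IE bug the profile cites is triggered by a MIME header that does not
        # match the attachment: a media type declared on an executable name.
        if last_ext(name) in EXECUTABLE_EXTS and ctype.split("/")[0] in {"audio", "image", "video", "text"}:
            reasons.append(f"declared {ctype} but named as an executable")
        payload = part.get_payload(decode=True) or b""
        if hides_executable(name, payload):
            reasons.append("MZ header under a non-executable name")
        if reasons:
            findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


# Constructed sample share listing: name -> first bytes of the file.
SAMPLE_SHARE = {
    "350.bak.scr": b"MZ\x90\x00",        # double extension, executable content
    "bootlog.jpg": b"MZ\x90\x00",        # worm copy hiding behind a data name
    "report.xls": b"\xd0\xcf\x11\xe0",   # ordinary OLE document header
}

# Constructed sample message; the base64 body is just the start of a PE header.
SAMPLE_MESSAGE = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: A very funny website
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Click the attachment.
--b1
Content-Type: audio/x-wav; name="ALIGN.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="ALIGN.pif"

TVqQAAMAAAAEAAAA//8AALgAAAA=
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just a note
--b1--
"""

if __name__ == "__main__":
    print(scan_share_listing(SAMPLE_SHARE))
    for finding in scan_message(SAMPLE_MESSAGE):
        print(finding)
```

The name rules alone would miss bootlog.jpg, which is why the share scan reads the first bytes of each file; on a real share you would feed it the first two bytes of each entry rather than the whole file. For mail, the check on the declared media type is what matters: a mail gateway that strips or quarantines any part whose media type is audio, image or text but whose filename ends in .exe/.scr/.pif/.bat removes the auto-execution path before a vulnerable client ever previews the message.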
W32/Klez.h@MM masquerades as a free immunity tool in
at least one of the messages used. Below is the
message sent by the virus itself.
Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading
worm. It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus
technic,most common AV software can't detect or clean
it.We developed this free immunity tool to defeat the
malicious virus. You only need to run this tool
once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool
the real worm,some AV monitor maybe cry when you run
it. If so,Ignore the warning,and select 'continue'. If
you have any question,please mail to me.
The worm may send a clean document in addition to an
infected file. A document found on the hard disk with
one of the following extensions is sent:
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.c
.pas
.mpg
.mpeg
.bak
.mp3
.pdf
This payload can result in confidential information
being sent to others.
Indications Of Infection
Randomly/oddly named files on network shares, as
described above.
Reference to a WINKxxx.EXE file ("xxx" looks random)
in a Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
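The Run-key indicator above is easy to check mechanically. The following is an added example, not part of the profile or of any vendor tool: it parses a Windows .reg export of the Run key and flags any value whose command references a WINKxxx.EXE file, with "xxx" matched as a short random alphanumeric run since the profile gives no fixed name. The registry export, the Wink3f2a value and the "Example AV" entry are constructed sample data. On a Windows host the same check can be run against the live key through the standard winreg module; elsewhere that helper simply returns None.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# The profile describes the file as WINKxxx.EXE with "xxx" looking random,
# so match WINK followed by a short alphanumeric run and the .EXE suffix.
KLEZ_RUN_RE = re.compile(r"\bwink[a-z0-9]{1,8}\.exe\b", re.IGNORECASE)

# One quoted .reg token: either a non-special character or a backslash escape.
_REG_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _REG_VALUE_LINE.match(line)
            if m:
                name, data = (_unescape(g) for g in m.groups())
                keys[current][name] = data
    return keys


def find_klez_run_entries(values):
    """Given {value_name: command} for the Run key, return the (name, command)
    pairs that reference a WINKxxx.EXE file."""
    return [(name, data) for name, data in values.items() if KLEZ_RUN_RE.search(data)]


def read_live_run_key():
    """On Windows, read the real Run key with winreg; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    subkey = RUN_KEY.split("\\", 1)[1]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under this key
            values[name] = str(data)
            index += 1
    return values


# Constructed sample export; the Wink3f2a entry is the indicator, the other is benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wink3f2a"="C:\\WINNT\\System32\\Wink3f2a.exe"
"AVMon"="C:\\Program Files\\Example AV\\avmon.exe /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
'''

if __name__ == "__main__":
    values = read_live_run_key() or parse_reg_export(SAMPLE_REG).get(RUN_KEY, {})
    for name, command in find_klez_run_entries(values):
        print(f"suspicious Run entry {name!r}: {command}")
```

Export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` on the machine under review and feed the file's text to parse_reg_export; keeping such exports from known-clean machines makes any new Run value, not just the WINK pattern, stand out on comparison.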
Method Of Infection
This virus can be considered a blended threat. It
mass-mails itself to email addresses found on the
local system, exploits a Microsoft vulnerability,
spreads via network shares, infects executables on the
local system, and drops an additional file-infecting
virus, W32/Elkern.cav.c.
--- Helen Allen <[EMAIL PROTECTED]> wrote:
> I changed my ISP provider many months ago when I went on DSL. This ISP
> scans all mail for viruses before they send them on to their customers. They
> don't guarantee that none will get through, but it appears they are catching
> all of them so far. If one ISP can do that, it appears to me all of them
> could. In addition I have Norton anti-virus, just in case.
> Helen Allen
>
> Legacy User Group Etiquette guidelines can be found at:
> http://www.LegacyFamilyTree.com/Etiquette.asp
>
> To find past messages, please go to our searchable archives at:
> http://www.mail-archive.com/legacyusergroup%40mail.millenniacorp.com/
>
> To unsubscribe please visit:
> http://www.legacyfamilytree.com/LegacyLists.asp
=====
Donald R.Frost Sr.
Frost family history
Ma.Vt.N.H.Me.Ct.
101 Orson Drive.
DeFuniak Springs,Fl.
32433-4064