VIRUS!!! VIRUS!!! VIRUS!!!!! BE CAREFUL!!!

2002-04-30 Thread Sandeep Kurliye

 virus info.html 

Sandeep Kurliye
Certified Oracle DBA
Almoayyed International Group
Almoayyed Computers,
PO Box 26259, Manama, Bahrain.
Ph. 973-700777 Fax.973-701211
Email. [EMAIL PROTECTED]




Title: McAfee - AVERT

Virus Name: W32/Klez.h@MM
Risk Assessment: Medium

Virus Information

Discovery Date: 04/17/2002
Origin: Unknown
Length: approx 90kB
Type: Internet Worm
SubType: Win32
Minimum Dat: 4182
Minimum Engine: 4.0.70
DAT Release Date: 01/23/2002
Description Added: 04/17/2002
Description Modified: 04/26/2002  8:38 AM (PT)

Virus Characteristics

--- Update 4/18/2002 ---
AVERT has raised the risk assessment of this threat to Medium after seeing an increase in prevalence over the past 24 hours. Home users are at a greater risk of infection, as they tend to update their DATs less frequently than corporations. As such, the risk of becoming infected in a corporate environment is lower.

This latest W32/Klez variant is already detected as W32/Klez.gen@MM by McAfee products using the 4182 DATs (23 January 2002) or greater.

W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

- W32/Klez.h@MM makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
- The worm has the ability to spoof the From: field (often set to an address found on the victim machine).
- The worm attempts to unload several processes (antivirus programs) from memory, including those containing the following strings:

_AVP32 
_AVPCC 
NOD32 
NPSSVC 
NRESQ32 
NSCHED32 
NSCHEDNT 
NSPLUGIN 
NAV 
NAVAPSVC 
NAVAPW32 
NAVLU32 
NAVRUNR 
NAVW32 
_AVPM 
ALERTSVC 
AMON 
AVP32 
AVPCC 
AVPM 
N32SCANW 
NAVWNT 
ANTIVIR 
AVPUPD 
AVGCTRL 
AVWIN95 
SCAN32 
VSHWIN32 
F-STOPW 
F-PROT95 
ACKWIN32 
VETTRAY 
VET95 
SWEEP95 
PCCWIN98 
IOMON98 
AVPTC 
AVE32 
AVCONSOL 
FP-WIN 
DVP95 
F-AGNT95 
CLAW95 
NVC95 
SCAN 
VIRUS 
LOCKDOWN2000 
Norton 
Mcafee 
Antivir

The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:

    350.bak.scr
    bootlog.jpg
    user.xls.exe

The worm may also copy itself into RAR archives, for example:

    HREF.mpeg.rar
    HREF.txt.rar
    lmbtt.pas.rar

The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body are composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

    Subject: A very funny website
    Subject: 1996 Microsoft Corporation
    Subject: Hello,honey
    Subject: Initing esdi
    Subject: Editor of PC Magazine.
    Subject: Some questions
    Subject: Telephone number

The file attachment name is again generated randomly, and ends with a .exe, .scr, .pif, or .bat extension, for example:

    ALIGN.pif
    User.bat
    line.bat

Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in infection of the victim machine.

W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.

    Subject: Worm Klez.E Immunity
    Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.
 
The worm may send a clean document in 
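
The attachment-naming patterns described in the advisory above can be checked at a mail gateway before a message reaches a vulnerable client. The following Python is an added example, not part of the McAfee page or of the original post; the function names, the constructed sample message, and the rule that audio, video, image and text parts should never carry an executable file name are assumptions of this example.

```python
from email import message_from_string, policy
from pathlib import PurePosixPath

# Attachment extensions listed in the advisory text above.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat"}
# Assumption of this example: these media families never carry executables.
PASSIVE_MAIN_TYPES = {"audio", "video", "image", "text"}

def classify_name(filename):
    """Return the reasons a file name matches the advisory's naming patterns."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    suffixes = [s.lower() for s in PurePosixPath(filename.rstrip(". ")).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        if len(suffixes) > 1:
            reasons.append("double-extension")
    elif len(suffixes) > 1 and suffixes[-1] == ".rar":
        reasons.append("double-extension-archive")
    return reasons

def scan_message(raw):
    """Map each flagged attachment name to the reasons it was flagged."""
    findings = {}
    for part in message_from_string(raw, policy=policy.default).walk():
        name = part.get_filename() or ""
        reasons = classify_name(name)
        if "executable-extension" in reasons and \
                part.get_content_maintype() in PASSIVE_MAIN_TYPES:
            reasons.append("type-extension-mismatch")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample message (not a captured worm mail); the payload is dummy text.
SAMPLE = """\
Subject: Some questions
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="line.bat"
Content-Disposition: attachment; filename="line.bat"

dummy
--b1--
"""

print(scan_message(SAMPLE))
```

A name such as bootlog.jpg is not flagged by these rules, so name checks of this kind complement content scanning with current DATs and do not replace it.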

RE: VIRUS!!! VIRUS!!! VIRUS!!!!! BE CAREFUL!!!

2002-04-30 Thread Farnsworth, Dave

HELP

-Original Message-
Sent: Tuesday, April 30, 2002 5:48 AM
To: Multiple recipients of list ORACLE-L


 virus info.html 

Sandeep Kurliye
Certified Oracle DBA
Almoayyed International Group
Almoayyed Computers,
PO Box 26259, Manama, Bahrain.
Ph. 973-700777 Fax.973-701211
Email. [EMAIL PROTECTED]



--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Farnsworth, Dave
  INET: [EMAIL PROTECTED]

Fat City Network Services-- (858) 538-5051  FAX: (858) 538-5051
San Diego, California-- Public Internet access / Mailing Lists

To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).



OT: VIRUS!!! VIRUS!!! VIRUS!!!!! BE CAREFUL!!!

2002-04-30 Thread Simon . Anderson



Hmm - this seems to be a particularly powerful and dangerous infection, three
times more powerful than the 'standard'.  Luckily, the 'V-word' virus causes no
damage other than slightly clogging up mailboxes.  The fact that this example
uses the word 3 times would make it particularly bad, but multiple exclamation
marks are a dead giveaway, and most of us can delete the message manually.

Although this 'V-Word' virus is one of the most common email problems (along
with other spam), anti-virus programs *still* refuse to recognise it and delete
any message that uses the 'V-Word' with multiple exclamation marks.


Don't panic - just follow these simple steps:

1) Trust no-one

2) Prevent this insidious virus from spreading any further by not posting any
replies containing the 'V-Word' virus.


Simon Anderson


(Note to the humour impaired - just ignore me, it's been a slow week ;-)



Please respond to [EMAIL PROTECTED]

To:   Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc:(bcc: Simon Anderson/SSplc)




HELP

-Original Message-
Sent: Tuesday, April 30, 2002 5:48 AM
To: Multiple recipients of list ORACLE-L


 virus info.html

Sandeep Kurliye
Certified Oracle DBA
Almoayyed International Group
Almoayyed Computers,
PO Box 26259, Manama, Bahrain.
Ph. 973-700777 Fax.973-701211
Email. [EMAIL PROTECTED]







Re: VIRUS!!! VIRUS!!! VIRUS!!!!! BE CAREFUL!!!

2002-04-30 Thread Jan Pruner

Use non-Windoze workstation!

JP

On Tue 30. April 2002 13:33, you wrote:
 HELP

 -Original Message-
 Sent: Tuesday, April 30, 2002 5:48 AM
 To: Multiple recipients of list ORACLE-L


  virus info.html

 Sandeep Kurliye
 Certified Oracle DBA
 Almoayyed International Group
 Almoayyed Computers,
 PO Box 26259, Manama, Bahrain.
 Ph. 973-700777 Fax.973-701211
 Email. [EMAIL PROTECTED]



Re: VIRUS!!! VIRUS!!! VIRUS!!!!! BE CAREFUL!!!

2002-04-30 Thread Jan Pruner

Are you an idiot?

:-)

On Tue 30. April 2002 13:33, you wrote:
 HELP

 -Original Message-
 Sent: Tuesday, April 30, 2002 5:48 AM
 To: Multiple recipients of list ORACLE-L


  virus info.html

 Sandeep Kurliye
 Certified Oracle DBA
 Almoayyed International Group
 Almoayyed Computers,
 PO Box 26259, Manama, Bahrain.
 Ph. 973-700777 Fax.973-701211
 Email. [EMAIL PROTECTED]



Re: VIRUS!!! VIRUS!!! VIRUS!!!!! BE CAREFUL!!!

2002-04-30 Thread Ron Rogers

JP and list,
 My mail server detected a virus in the original message and deleted
it.
JP, is your response to a valid message that you read?
Ron
ROR mô¿ôm

 [EMAIL PROTECTED] 04/30/02 08:43AM 
Use non-Windoze workstation!

JP

On Tue 30. April 2002 13:33, you wrote:
 HELP

 -Original Message-
 Sent: Tuesday, April 30, 2002 5:48 AM
 To: Multiple recipients of list ORACLE-L


  virus info.html

 Sandeep Kurliye
 Certified Oracle DBA
 Almoayyed International Group
 Almoayyed Computers,
 PO Box 26259, Manama, Bahrain.
 Ph. 973-700777 Fax.973-701211
 Email. [EMAIL PROTECTED] 



Re: VIRUS!!! VIRUS!!! VIRUS!!!!! BE CAREFUL!!!

2002-04-30 Thread Jan Pruner

Well, it was the answer to Dave's email.
Every day I get about 3-4 emails from servers without antivirus and from
users without basic knowledge of "don't click on all attachments in your
emails".

I removed all Microsoft OS from computers in our company 3 years ago.
So, I only laugh reading news about Sircam, Klez.K etc.

Jan Pruner

On Tue 30. April 2002 18:53, you wrote:
 JP and list,
  My mail server detected a virus in the original message and deleted
 it.
 JP is your response to a valid message that you read?
 Ron
 ROR mô¿ôm

  [EMAIL PROTECTED] 04/30/02 08:43AM 

 Use non-Windoze workstation!

 JP

 On Tue 30. April 2002 13:33, you wrote:
  HELP
 
  -Original Message-
  Sent: Tuesday, April 30, 2002 5:48 AM
  To: Multiple recipients of list ORACLE-L
 
 
   virus info.html
 
  Sandeep Kurliye
  Certified Oracle DBA
  Almoayyed International Group
  Almoayyed Computers,
  PO Box 26259, Manama, Bahrain.
  Ph. 973-700777 Fax.973-701211
  Email. [EMAIL PROTECTED]