Virus Alert : The Real Deal

MTJpub (Verified, joined Apr 16, 2001)

Virus Name: W32/Klez.e@MM


Greeting friends,

About 24hrs ago I received a zip file containing a virus. My anti-virus software detected the virus, quarantined the virus, and I deleted the virus from my system. In short, our system was not infected by this virus. This morning I received two additional emails from my own account that contained the virus. Again my trusty anti-virus software eliminated the threat. However, it left me concerned. After all, how could I email the virus to myself unless my computer also had the virus...

Well, after a frantic call to AOL tech support and a little more research I found that the virus has the ability to spoof the email FROM: field. The sender's address used by the virus may be one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual sender's address.

I checked this out for myself and the email had in fact not come from me but from another email address. I then checked the original virus that was sent and found that it too had spoofed the email FROM: field and actually originated from another address.

Read Below for additional information on this virus.

The Name of the Virus: w32.klez.gen@mm and several variations of the same name.

Here is the best description I have seen of it so far...

Issued by Enterprise Information Security – March 6, 2002

Virus Name: W32/Klez.e@MM

Aliases: I-Worm/Klez.E (AVP), W32.Klez.E@mm (Symantec), W32/Klez.F (Panda), Win32.HLLM.Klez.1 (DrWeb), Worm/Klez.E (H+BEDV), WORM_KLEZ.E (Trend)

Virus Characteristics -- Update 3/4/2002 --

Due to a slow, but steady, increase in prevalence over the past few weeks, AVERT has raised the risk assessment of this threat to MEDIUM.

This W32/Klez variant has the ability to spoof the email FROM: field. The sender's address used by the virus may be one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual sender's address.

This worm makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).

This worm arrives in an Email message with a subject and body randomly composed from a rather long pool of strings that the virus carries inside itself (the virus can also add other strings):

"Hi, Hello, Re: Fw: Undeliverable mail-- Returned mail-- game a tool a website new funny nice humour excite good powful WinXP IE 6.0 W32.Elkern W32.Klez how are you let's be friends darling don't drink too much your password honey some questions please try again welcome to my hometown the Garden of Eden introduction on ADSL meeting notice question naire congratulations sos! japanese girl VS playboy look, my beautiful girlfriend eager to see you spice girls' vocal concert japanese lass' sexy pictures Symantec Mcafee F-Secure Sophos The following mail can't be sent to The attachment The file is the original mail give you the is a dangerous virus that can infect on Win98/Me/2000/XP. spread through email. very special For more information,please visit This is I you would it. enjoy like wish hope expect Christmas New year Saint Valentine's Day Allhallowmas April Fools' Day Lady Day Assumption Candlemas All Souls'Day Epiphany Happy Have a"

In our experiments we have, for example, observed the following Subject lines (more common at the top):
Subject: Document End
Subject: Happy Lady Day
Subject: From
Subject: Eager to see you
Subject: Returned mail--"Document End "
Subject: HEIGHT
Subject: A WinXP patch
Subject: Hi,spice girls' vocal concert
Subject: Happy nice Lady Day
Subject: Have a humour Lady Day
Subject: Happy good Lady Day
Subject: ALIGN
Subject: Have a good Lady Day
Subject: Undeliverable mail--"IIS services with this Web administration tool."
(the virus can also send mails with empty Subject and/or body)
This virus can also unload several antivirus programs from memory.

Method Of Infection

When the Email is opened the worm immediately activates using the mentioned vulnerability (previewing the message may be enough if your system is not patched). The worm copies itself under the WINKxxx.EXE name (where xxx are random characters) into the WINDOWS\SYSTEM folder (can be different if your installation is not a default one) and this file is set to run every time the system starts.

W32/Klez.e@MM is based on the W32/Klez.gen@MM but unlike its predecessors this variant can itself infect files (on top of being able to also drop W95/Elkern.cav.b virus). W32/Klez.e@MM worm overwrites files and they are padded with zeroes to the original uninfected host size. The worm saves original contents of the hosts in files with the same name and random extension. These files are "Hidden" and "System" (to be able to see them you need to change "View/Folder Options" in Windows Explorer by selecting "Show all files").

Running infected files causes the worm to reconstruct the uninfected host file using saved data. Such reconstructed files will have "~1" appended to the name (ex., infected MSOFFICE.EXE will be accompanied by an uninfected MSOFFI~1.EXE). The worm deletes them as soon as the program stops running so they exist only temporarily.

W32/Klez.e@MM sends itself out using the SMTP protocol. It harvests the Windows address book for email addresses.

There is a date-activated payload associated with this threat. On the 6th day of March, May, September, or November, the virus may overwrite local and network files containing the following extensions with zeros: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3.

If the month is January or July, all files may be overwritten. This behavior was not observed in a lab environment.


See what Symantec has to say about this virus...
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


See what McAfee has to say about this virus...
http://vil.nai.com/vil/content/v_99237.htm

See what PC-cillin has to say about this virus...
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H



Hope this info will help :)

Morandilas
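As an added example (not from the post above or from the vendor write-up it quotes): a small Python triage script that parses a constructed message built in the shape the post describes, showing how the claimed From: differs from the Return-Path and from the earliest Received: hop, and flagging an attachment whose audio Content-Type contradicts its executable file name, the kind of mismatch the "Incorrect MIME Header" flaw depended on. All hosts, addresses and the attachment body are made-up placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): From: claims example.org, but the
# Return-Path and the earliest Received: hop point elsewhere.
RAW_MESSAGE = b"""Return-Path: <someone@example.net>
Received: from mail.example.com (mail.example.com [192.0.2.10])
  by mx.example.org with ESMTP id 1; Wed, 6 Mar 2002 09:00:00 +0000
Received: from pc-of-victim (dsl-203-0-113-7.example.net [203.0.113.7])
  by mail.example.com with SMTP id 2; Wed, 6 Mar 2002 08:59:00 +0000
From: friend@example.org
Subject: Happy Lady Day
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: audio/x-wav; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.exe"

aGVsbG8=
--B1--
"""
EXEC_EXTS = (".exe", ".pif", ".scr", ".bat", ".com")

def received_hosts(msg):
    """Host named after 'from' in each Received: header, earliest hop first."""
    hops = [h.split()[1].strip("();,") for h in msg.get_all("Received", [])
            if h.split()[:1] == ["from"]]
    return hops[::-1]

def suspicious_attachments(msg):
    """Attachments whose executable file name contradicts a non-executable
    declared Content-Type (e.g. audio/*), the mismatch the flaw relied on."""
    return [(p.get_filename(), p.get_content_type()) for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(EXEC_EXTS)
            and not p.get_content_type().startswith("application/")]

def triage(raw):
    """Return the claimed sender next to the evidence of where the mail came from."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg["From"]))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    hops = received_hosts(msg)
    return {"from": from_addr, "return_path": return_path,
            "origin_hop": hops[0] if hops else None,
            "envelope_mismatch": from_addr.lower() != return_path.lower(),
            "mime_mismatch": suspicious_attachments(msg)}
```

Run `triage(RAW_MESSAGE)`: the From: address is contradicted by both the envelope sender and the injecting host, which is exactly why the post recommends reading the full header rather than trusting FROM:.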
 
Thanks...

Can only add this:

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

The address for the tool developed to remove the thing... thanks for the info Mor... hopefully most people have seen the benefit of a good security system by now. If not, there's always my motto

"One time is one time too many"..

This pertains to computer data loss, not other more possibly intimate activities, btw. ;) Q