TechSpot

IMPORTANT W32/Klez.h@MM Virus havok!

By Phantasm66
Apr 24, 2002
  1. PLEASE READ THIS

    We are having A LOT of trouble at my work with a very nasty and very clever virus called Klez.

    Please read this:

    http://vil.mcafee.com/dispVirus.asp?virus_k=99455

    The virus works by, amongst other devious things, searching the network for directory shares with "everyone write" access, and writing copies of itself into these.

    This virus is making havok at my work LAN, and I am racing to beat it at every turn. Every time I stamp out one machine, one dumb *** user logs themselves onto another machine and loads injected files from their home directory before I have had time to clean that, and then infects another machine as well.

    The virus seems very clever at breaking anti-virus software once its infected a box. Its made such a mess of certain machines, I have had to reinstall them.

    But how do you figure out which machine on your LAN is sending out the virus when it writes to shares???/

    Here is how:

    1)Share a folder on your machine on the your LAN, and make the share permissions everyone full control.

    2)Download this program:

    http://146.191.34.65/sessionlogger.exe


    I swear that this file is clean, and was written by a friend of mine.

    3)Open a command prompt, and run sessionlogger.exe

    4)This will log sessions to c:\sessions.txt.

    5)Open another command prompt, and type

    more c:\sessions.txt

    6)Periodically repeat step 5, checking for changes in the file. You will see the computer name of any machine trying to send files to your share.


    Good luck! This virus is really earning me my wages this week.

    Any more information and I will report.

    Many thanks to the Doctor at my work who wrote the sessionlogger.exe program.


    Lord Phantazmm.
     
  2. Arris

    Arris TS Evangelist Posts: 4,627   +113

     
  3. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,919   +9

    I guess I should have warned you earlier, good that someone actually did.
    Do I open attachments I receive from University of Uzhgorod, from someone I've never heard of? Of course ;)

    Return-Path: <nebola@univ.uzhgorod.ua>
    Delivered-To: me
    Received: (qmail 32348 invoked from network); 19 Apr 2002 15:53:23 -0000
    Received: from unknown (HELO hades.univ.uzhgorod.ua) (194.44.230.1)
    by mail.yifansoft.com with SMTP; 19 Apr 2002 15:53:23 -0000
    Received: from Czg (dialup1.univ.uzhgorod.ua [194.44.230.201])
    by hades.univ.uzhgorod.ua (8.10.2/8.10.2) with SMTP id g3JG3Vr14529
    for <me>; Fri, 19 Apr 2002 19:03:34 +0300
    Date: Fri, 19 Apr 2002 19:03:34 +0300
    Message-Id: <200204191603.g3JG3Vr14529@hades.univ.uzhgorod.ua>
    From: clord <clord@Dtcc.com>
    To: me
    Subject: W32.Elkern removal tools
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=P5387PH2E1

    --P5387PH2E1
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    <HTML><HEAD></HEAD><BODY>

    <FONT>W32.Elkern is a special dangerous virus that can infect on Win98/Me/2000/XP.<br>
    F-Secure give you the special W32.Elkern removal tools<br>
    <br>
    For more information,please visit http://www.F-Secure.com</FONT></BODY></HTML>

    --P5387PH2E1
    Content-Type: application/octet-stream;
    name=setup.exe
    Content-Transfer-Encoding: base64
    Content-ID: <A290t1tEM01zy9>
     
  4. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,919   +9

    F-Secure Virus Descriptions


    Radar Alert LEVEL 2
    NAME: Klez.H
    ALIAS: I-Worm.Klez.H, W32/Klez.H, Klez.K (Messagelabs), Klez.G (Trend)



    THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
    For more information, see: http://www.F-Secure.com/products/radar/




    The new version of the Klez worm has been found from various parts of Asia on April 17th, 2002. Klez.H is most likely currently spreading to Europe and USA. This worm like its previous versions sends e-mail messages with randomly named attachments and subject fields.

    The Klez.H variant it quite close to Klez.E, F and G worm variants. The descripions of Klez.E, F and G variants can be found here:

    http://www.europe.f-secure.com/v-descs/klez.shtml


    F-Secure Virus Research Team found the following differences in Klez.H variant comparing to its previous versions:

    1. There's no payload routine.

    2. The .PDF extension was added to the list of extensions that the worm uses to make a double-extension name for its file.

    3. The worm sometimes uses social engineering approach in its spreading and sends the following message with its own file attached:

    Subject:


    Worm Klez.E immunity

    Body:


    Klez.E is the most common world-wide spreading worm.It's very
    dangerous by corrupting your files.
    Because of its very smart stealth and anti-anti-virus
    technic,most common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious
    virus.
    You only need to run this tool once,and then Klez will never
    come into your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real
    worm,some AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question,please mail to me.

    The 'mail to me' is represented as a link to the sender's e-mail address. Note that this address is not always the real sender's address.

    4. The worm contains a new text message from its author. This text is never displayed:


    Win32 Klez V2.01 & Win32 Foroux V1.0
    Copyright 2002,made in Asia
    About Klez V2.01:
    1,Main mission is to release the new baby PE virus,Win32 Foroux
    2,No significant change.No bug fixed.No any payload.
    About Win32 Foroux (plz keep the name,thanx)
    1,Full compatible Win32 PE virus on Win9X/2K/NT/XP'
    2,With very interesting feature.Check it!
    3,No any payload.No any optimization'
    4,Not bug free,because of a hurry work.No more than three weeks
    from having such idea to accomplishing coding and testing'

    5. The worm drops the new Elkern virus variant. Unlike the previous Klez versions, Klez.H puts the virus dropper into \Program Files\ folder with a random name and activates it.

    6. The worm added 2 more names to the list of anti-virus companies that it previously had:


    Trendmicro
    Kaspersky

    These names are used by the worm to compose messages when it sends itself as a virus removal tool from anti-virus companies.

    7. It was also noticed that latest Klez variants including Klez.H can send out user's files with its message. The worm can randomly pick up a file with one of the following extensions and attach it to its infected message:


    .txt
    .htm
    .html
    .wab
    .asp
    .doc
    .rtf
    .xls
    .jpg
    .cpp
    .c
    .pas
    .mpg
    .mpeg
    .bak
    .mp3
    .pdf

    So in some cases user's comfidential data can be sent out from an infected system.
     
  5. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    You might get a spam e-mail saying its got a fix for the virus and a file attachment that says it has a "cure". Delete this immediately.

    More machines till found with this. I am fighting a battle.
     
  6. Justin

    Justin TS Rookie Posts: 1,595

    I've received this virus twice now in the same day, both times the return address was invalid, and the one of the subjects was "The Garden of Eden". Both times it was Klez.G.
     
  7. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,919   +9

    Yep, in case someone didn't understand my post, I got just that, I was told that attached app will cure it. Yeah, right.
     
  8. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

  9. erwin1978

    erwin1978 TS Maniac Posts: 327

    I'm still waiting for my virus. :( Where is it? Someone has to have a virus locked somewhere; send it to me.
     
  10. Didou

    Didou Bowtie extraordinair! Posts: 5,899

    /me tip toes in the room, all sweaty & nervous with a box shaking in his hands...

    /me carefully places the box on the floor...

    There it is. Be very carefull. The only way I caught it was by playing Celine Dion music really loud. He got knocked out after 2 hours. Now he's very pissed off. I wouldn't stick my finger in there if I were you.;)

    Ah the heck with it !!!

    /me shoves the Virus down Poertner's pants.

    :D
     
  11. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    If you are able to make it to our IRC channel I told you that someone would be able to send one to you. I am not going to post one on this site, nor any other. So if you really need one, come to the channel

    P.S. And if you do join, I will give you my personal special virus....Right Didou ;) ;)
     
     
  12. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    Why the Klez worm just won't go away

    source: http://www.anchordesk.co.uk/anchordesk/commentary/columns/0,2415,7112100,00.html
     
  13. JAV

    JAV TS Rookie Posts: 264

    When will it stop is what I'd like to know. I get 3-4 'virus' emails everyday (for the past 10-12 days) & my anti-virus software (AVG www.grisoft.com) is catching every instance (verified by Norton & McAfee scans), but what a pain! :blackeye:

    Any email w/an attachment (from an unknown source) is getting nuked whether AVG says it's 'infected' or not. I've had to institute 'code words' to be included in emails w/attachments from people I know. No code word: nuke it!

    Guess 'til this is cleared up, I need to 'filter' my email inbox to accept ONLY people in my address book & continue all my others 'precautions' too.

    Thanks for the info & I hope someone kills this d@mn thing. If anyone has any suggestions/programs that will send this thing back where it originated ... please speak up!
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.