By | Klez Virus Worm |
---|---|
Bill Williams | Uploaded - 1 Jun 2002 13:29

Klez Virus Worm

Here is the description of the virus, from the Norton website, so that you can recognise its eMails. Note the nasty trick near the bottom where a virus pretends to be a fix for Klez.

Note that to prevent it (and similar viruses) infecting your computer by merely looking at the email, if you are using Windows and Outlook Express or Outlook as your email program you should upgrade to at least IE5.5 Service Pack 2 plus a suitable patch available at. However that patch has been superseded and it is best to use this one: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp {also needed for IE 6 in Win-XP}

This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. For example, if the worm encounters the address user@abc123.com it will attempt to send email via the server smtp.abc123.com.

The subject line, message bodies, and attachment file names are random. The From address is randomly-chosen from email addresses that the worm finds on the infected computer.

In addition to the worm attachment, the worm also may attach a random file from the computer. The file will have one of the following extensions:

As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly-selected file.

The email message that this worm sends is composed of "random" strings. The subject can be one of the following:

Undeliverable mail--"[Random word]"

The random word will be one of the following:

The body of the email message is random.

NOTES:

For example, Linda Anderson is using a computer that is infected with W32.Klez.H@mm. Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.H@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

If you are using a current version of Norton AntiVirus and have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.

There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.

The message may be disguised as an immunity tool. One version of this false message is as follows:

quote:

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

Virus Insertion: |
Bill Williams | Uploaded - 24 Jul 2002 17:25 BEWARE OF TRICKS. This email, which I received today, probably carried a copy of the REAL virus, not an anti-virus tool. quote: Bill |
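
A mail-filter heuristic for the fake "postmaster bounce" described in the first post, as an added example that is not part of the original posts or of the Norton description: it flags a message that claims to come from the recipient's own postmaster but is not a real delivery-status report, and any attachment with an executable extension. The function names, the extension list and the sample attachment name are assumptions; the addresses are the ones used in the post.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: extensions treated as directly executable on Windows.
# The post does not list the worm's attachment names.
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com")

# Constructed sample: a fake bounce shaped like the one the post describes.
SAMPLE = """\
From: postmaster@anyplace.com
To: jsmith@anyplace.com
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="tool.exe"

(constructed placeholder body)
--b1--
"""

def is_real_dsn(msg):
    # A genuine bounce (RFC 3464) is multipart/report; report-type=delivery-status.
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type") or "").lower() == "delivery-status")

def risky_attachments(msg):
    names = [part.get_filename() or "" for part in msg.walk()]
    return [n for n in names if n.lower().endswith(RISKY_EXT)]

def fake_bounce_findings(raw, local_domain):
    msg = message_from_string(raw)
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    findings = []
    # The From header is sender-controlled, so it only raises suspicion here.
    if local == "postmaster" and domain == local_domain.lower() and not is_real_dsn(msg):
        findings.append("own-domain postmaster bounce is not a delivery-status report")
    bad = risky_attachments(msg)
    if bad:
        findings.append("executable attachment: " + ", ".join(bad))
    return findings

if __name__ == "__main__":
    print(fake_bounce_findings(SAMPLE, "anyplace.com"))
```

A genuine bounce from the same postmaster address, sent as `multipart/report` with no executable attachment, produces no findings.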