hey
Discussion Starter #1
Another member of the Klez worm family is spreading fast across the Internet. Klez.h ([email protected], also known as Klez.g and Klez.k) is a significant variation of existing worms Klez.e and Klez.a.
Klez.h has evolved dramatically enough to be able to slip past recent antivirus signature files on some PCs. A few users will need to update their antivirus signature files to specifically include Klez.h. Because of its rapid spread, Klez.h rates a 6 on the ZDNet Virus Meter.

How it works
Klez.h arrives as e-mail with a subject line that contains 1 of approximately 120 phrases, such as:
Re: A WinXP patch
Undeliverable mail--"(random)"
Returned mail--"(random)"
(random)(random) game
(random) (random) tool
(random) (random) website
(random) (random) patch
(random) removal tools
how are you
let's be friends
darling

Some of the random words above are specific antivirus software vendor names or virus-specific names. The body text of the infected e-mail also has many variations and may include one of the following:

This is a special humour game
This is my first work.
Your're the first player.
I would expect you would enjoy it
(virus name) is a dangerous virus that spread through email. (Antivirus vendor) give you the (virus name) removal tools. For more information, please visit http://www.(antivirus vendor).com

Once active on a PC, Klez.h bypasses installed e-mail software by using its own SMTP server to send infected copies of itself. To locate addresses, the worm searches files on the hard drive, looking for various file extensions that may contain e-mail addresses. On networked drives, Klez.h will simply copy itself to remote disk drives by creating a random filename, then adding an .exe, .pif, .com, .bat, or .scr extension.

Like several other recent worms, Klez.h attempts to disable antivirus software installed on the infected computer. For more details regarding the original Klez worm, see this alert; for details on the previous variation Klez.E, see this alert.

Klez.h contains an upgraded version of the Elkern virus. Elkern.c (w32.elkern.c) runs under Windows 98, Me, 2000, and XP. Elkern.c adds a hidden file, wqk.exe, to Registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK, which is in Windows 98 and Me. Under Windows 2000 and XP, it adds wqk.dll to Registry key HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs. These files are added so that Elkern.c runs anytime Windows is run. Elkern.c can corrupt files without changing their size.

Prevention
Klez.h uses a well-known vulnerability in Outlook Express that is included in versions of Internet Explorer 5.01 and 5.5. Microsoft has previously released a patch for this. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6 using the full installation setting.

Removal
All antivirus software companies have updated their signature files to include Klez.h. This will stop the infection upon contact and in some cases additional tools are available to help you remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, Kaspersky, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
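Mail-gateway triage for the indicators the alert above lists, as an added example in Python that is not from the alert or from this thread. It assumes each "(random)" placeholder in a subject line is a single word, reuses the alert's dropped-file extensions as the attachment check, and runs on a constructed sample message rather than a real capture.

```python
import re
from email.parser import Parser

# Subject-line phrases from the alert, as patterns. Each "(random)" placeholder
# is assumed to be one word and becomes \S+; everything else is literal.
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^Re: A WinXP patch$",
    r'^(Undeliverable|Returned) mail--".+"$',
    r"^\S+ ?\S+ (game|tool|website|patch)$",
    r"^\S+ removal tools$",
    r"^(how are you|let's be friends|darling)$",
)]
# Body phrases quoted in the alert, lower-cased for matching.
BODY_MARKERS = ("this is a special humour game", "this is my first work",
                "the first player", "removal tools. for more information")
# Extensions the alert says the worm appends to the copies it drops.
SUSPECT_EXTENSIONS = (".exe", ".pif", ".com", ".bat", ".scr")

def triage(raw: str) -> dict:
    """Return which Klez.h indicators a raw RFC 822 message matches."""
    msg = Parser().parsestr(raw)
    subject = (msg.get("Subject") or "").strip()
    hits = {"subject": any(p.search(subject) for p in SUBJECT_PATTERNS),
            "body": False, "attachments": []}
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(SUSPECT_EXTENSIONS):
            hits["attachments"].append(name)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1", "replace")
            if any(m in text.lower() for m in BODY_MARKERS):
                hits["body"] = True
    # One point per indicator class: subject, body text, executable attachment.
    hits["score"] = sum(map(bool, (hits["subject"], hits["body"], hits["attachments"])))
    return hits

# Constructed sample message (not a real capture) so the block runs stand-alone.
SAMPLE = """\
Subject: Symantec removal tools
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This is a special humour game. This is my first work.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.pif"

--b1--
"""
```

A score of 2 or more on a single message is a reasonable quarantine threshold; a subject match alone will also catch legitimate "how are you" mail.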
 

Klez virus??

I am new to this forum and would really appreciate any help that anybody can supply.
Does anyone have any experience with the Symantec removal tool for this virus? I recently acquired this virus by simply deleting an email. I downloaded the removal tool from Symantec and verified the digital signature and started the tool. The tool had run for over 15 hours and never completed. I also downloaded the patch from Microsoft to fix the problem of receiving a virus without opening an attachment. When I tried to install it a window opened up saying that this update is not needed on this system. Obviously I need the patch or I wouldn't have gotten the virus. Is the virus affecting the installation of the patch?
I am not at all a computer expert and this is my first virus. Again, any help anyone could provide would be very helpful.

Thank you

mikeh
 

I believe that Norton is off. When I restart the PC, Norton looks as if it is starting up and I get the icon next to the clock. If I move the cursor into the clock box, the Norton icon disappears. I am at a place of business and my PC is part of a 9 PC network and yes it has spread. The virus doesn't seem to affect our business system program though. What will the antivirus scanner do? Should I disconnect from the network? I followed the directions for the removal tool to a T.
Thanks for the quick reply.

mikeh
 

hey
Discussion Starter #5
I would remove the network cable from the computer, then try cleaning. Norton's should work if it has been updated. Try running LiveUpdate before scanning. If it is disabling it on startup, try following the instructions from Trend Micro or McAfee.
 

fixed??

I ran the online scan and it helped, but I was unable to delete or clean some infected files as they were in use. I made the changes manually that needed to be done by following the directions supplied by Symantec on their web site. Everything seems to have worked. If I plug the network connection back in to my PC, will the virus be able to access my files again from another infected pc on the network, or do you think my pc should be protected by Norton as I have updated everything possible? I still need to clean every PC in the network, correct?
Thanks again for your help.

mikeh
 

hey
Discussion Starter #7
I would make sure all the computers on the network are clean first. If they all run Norton, update Norton's and scan them. If they all come up clean then go ahead and plug the computers back in.
 