Virus Update 5


Klez.H Worm

A new variant of the Klez worm is making the rounds on the Internet, spreading rapidly in Asia and parts of Europe.

Klez.H is a mass-mailing worm that differs little from its older siblings: it spreads by mailing itself to all of the addresses in the infected machine's Microsoft Outlook address book. It can also infect files on shared network drives, and it copies itself to the Windows registry and modifies the registry so that it executes each time the machine boots.

NOTE: Simply opening or previewing the message in Microsoft Outlook or Outlook Express can result in infection of the victim's machine, i.e. you don't have to open the attached file to release the virus.

Klez.H also attempts to disable any anti-virus software resident on the machine.

The only real distinctions in the new version are a different set of random subject lines for the e-mail message that carries the worm and a little better social engineering on the part of the author.

In one of the messages containing the worm, there is a note explaining that the attached file is actually a tool that can cleanse infected PCs of Klez.

"The main difference is that this one's spreading," said Roger Thompson, director of malicious code research at TruSecure Corp., a managed security service provider in Herndon, Va. "It's gotten lucky and gotten into one or two big companies. And because it can worm its way onto network shares, that tends to be painful."

The new variant seems to have originated in Asia, and Message Labs Ltd., a U.K.-based managed mail services provider that tracks virus activity, had already stopped more than 2200 copies of it as of 4 p.m. EDT Wednesday.

The worm is also known as Klez.K, Klez.G and Klez.I.

Klez.g/h also carries a new version of the partially encrypted Elkern virus. This is capable of spreading through network drives and the new version may be capable of deleting files on a pre-determined date.

The virus comes as an attachment to an email with a variety of subject lines.

Here are the different known email subject lines:

Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
How are you
Let's be friends
Darling
Don't drink too much
Your password
... Honey
Some questions
Please try again
Welcome to my hometown
the Garden of Eden
introduction on ADSL
Meeting notice
Questionnaire
Congratulations
Sos!
japanese girl VS playboy
Look,my beautiful girl friend
Eager to see you
Spice girls' vocal concert
Japanese lass' sexy pictures

Additional New subject: (22-4-02 update)
xxxx Microsoft Corporation
Visual Studio x.x
Accesskey

[Random Word] will be one of the following:

new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky

Attached file: Randomly named with extension .PIF, .SCR, .EXE or .BAT.

The sender address which appears in a message is chosen from a list inside the virus, i.e. the sender address that you see in the email is not the real sender.

Message text: The message text is randomly composed by the worm, but the message can also arrive without any text. It can also carry a message warning about the danger of the Klez worm and urging users to execute the attached 'antidote' file.

The message, which includes a footnote telling the user to ignore antivirus software warnings that the attachment is infected, reads: "Note: Because this tool acts as a fake Klez to fool the real worm, some AV monitors maybe cry when you run it. If so, ignore the warning, and select 'continue'."
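The indicators listed above, turned into a mail-filter check as an added example (not code from this site or from any antivirus vendor): a message is flagged only when its subject matches one of the listed patterns and an attachment carries one of the listed extensions, and the From header is ignored because the worm forges it. The function names and the sample messages are hypothetical; the subjects the page gives with placeholders ("... Honey" and the 22-4-02 additions) are left out.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Word list and subjects copied from this page ("powful" is the worm's own spelling).
WORDS = ["new", "funny", "nice", "humour", "excite", "good", "powful", "WinXP",
         "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee", "F-Secure",
         "Sophos", "Trendmicro", "Kaspersky"]
W = "(?:" + "|".join(re.escape(w) for w in WORDS) + ")"
FIXED = ["How are you", "Let's be friends", "Darling", "Don't drink too much",
         "Your password", "Some questions", "Please try again",
         "Welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
         "Meeting notice", "Questionnaire", "Congratulations", "Sos!",
         "japanese girl VS playboy", "Look,my beautiful girl friend",
         "Eager to see you", "Spice girls' vocal concert",
         "Japanese lass' sexy pictures"]
RISKY_EXT = (".pif", ".scr", ".exe", ".bat")
ALTS = [rf'(?:Undeliverable|Returned) mail--"?{W}"?',
        rf"a {W} {W} (?:game|tool|website|patch)",
        rf"{W} removal tools"] + [re.escape(s) for s in FIXED]
SUBJECT_RE = re.compile("(?:" + "|".join(ALTS) + ")", re.IGNORECASE)

def klez_indicators(raw_message: str) -> dict:
    """Report which of the page's Klez.H indicators a raw RFC 822 message shows."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    risky = [p.get_filename() for p in msg.walk()
             if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    subject_hit = bool(SUBJECT_RE.fullmatch(subject))
    # The From header is not consulted: the worm picks it from an internal list.
    return {"subject_match": subject_hit, "risky_attachments": risky,
            "suspect": subject_hit and bool(risky)}

def sample(subject: str, filename: str) -> str:
    """Build a constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(klez_indicators(sample("W32.Klez.E removal tools", "setup.exe")))
```

Several of the fixed subjects ("Meeting notice", "How are you") are common in legitimate mail, which is why the subject alone never sets the suspect flag.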

SOLUTION:
1) It's best during this high risk period to avoid opening or previewing any suspicious email until you have scanned it with the latest updated version of your antivirus software.

2) If you are using Microsoft Windows (any version), you can update it to protect your system from infection: download and run the patch from Microsoft at the link below, which eliminates the vulnerability that lets the Klez worm execute itself when you open or preview the message in Microsoft Outlook or Outlook Express:
http://www.microsoft.com/technet/security/bulletin/ms01-027.asp

3) Update your virus definition file, available from anti-virus vendors, to detect and remove this virus. Here are some of the popular vendors' sites:

McAfee
Norman (user name and password required)
Symantec
Trend Micro

The above information was derived from the following sites:
www.sophos.com
www.eweek.com
www.vnunet.com


Last update: 21st Apr 02