Date: Sun, 21 Apr 2002 18:17:27 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Klez.H Worm Virus Alert

-----------------------
KLEZ.H WORM VIRUS ALERT
-----------------------

The Klez worm has been around in various forms since October 2001 without causing much trouble, but a new variant known as Klez.H (also W32.Klez.H@mm or I-Worm.Klez.H), which appeared on April 17th, is spreading very rapidly and is considered dangerous.

Klez.H infects Windows PCs. It does not infect Macintosh OS or UNIX computers.

How Klez.H Spreads
------------------

Klez.H mass-mails itself to e-mail addresses found on the infected PC. If the infected PC is on a network, Klez.H can also infect other PCs on the network that have open network shares.

Klez.H is seen primarily in the form of an e-mail file attachment. The e-mail carrying the infected attachment can take many forms, so it is not easy to identify. When a PC becomes infected, Klez.H compiles a list of target e-mail addresses from the address book, from saved e-mail, and from other files on the infected computer. It then mails infected file attachments to all of those addresses, often sending multiple messages to each address.

Subject:         The "Subject:" line of the infected message is selected at random from a list built into Klez.H.

From Address:    The address on the "From:" line may be the address of the infected PC's owner, but usually it is an address selected at random from the list compiled by Klez.H, so the apparent sender is usually not the infected party.

Message Text:    The message text may be empty, or it may contain random text.

File Attachment: The name of the infected file attachment is chosen at random, but it will have one of the following filename extensions: .exe, .scr, .pif, or .bat.

There is no characteristic common to all Klez.H infected messages, so you have no way of knowing from its appearance alone whether a suspicious message is a Klez.H carrier.
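As an added example (not part of this advisory, and not a tool it mentions), here is a Python check a mail administrator could run over incoming messages to flag attachments carrying the four extensions listed above; the filtering logic is my own, and the sample messages and addresses are constructed for illustration.

```python
"""Flag e-mail attachments carrying the filename extensions Klez.H uses.

Added example, not part of the BCPL.NET advisory: a small mail-gateway style
check built on the Python standard library only. The extension list comes
from the advisory; the sample messages are constructed for illustration.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment extensions the advisory lists for Klez.H carriers.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat"}


def risky_attachments(raw_message: str) -> list[str]:
    """Return filenames of attachments whose extension is in RISKY_EXTENSIONS.

    Every MIME part is examined, so a risky file mixed in with harmless
    attachments is still found. The match is case-insensitive and uses only
    the final suffix, so "report.txt.pif" counts as .pif. Body parts (no
    filename) are ignored.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample(filename: str) -> str:
    """Construct a sample message with one attachment named *filename*."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg["Subject"] = "a funny website"       # constructed subject line
    msg.set_content("(random text)")         # bodies are empty or random text
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for name in ("holiday.jpg", "setup.EXE", "report.txt.pif"):
        print(name, "->", risky_attachments(build_sample(name)))
```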
Use common sense: if you receive a message containing a file attachment, DO NOT open the attachment unless the sender is known to you *and* you are expecting a file attachment from that person *and* the sender clearly identifies the nature of the file attachment in the text of the message.

Sometimes Klez.H sends out e-mail masquerading as a warning about Klez.H, with a file attachment masquerading as a free immunity tool. The "immunity tool" actually infects any PC on which it is run. These messages have characteristics similar to the following (wording reproduced as it appears in the worm's message):

    Subject: Worm Klez.E Immunity

    Message Text:

    Klez.E is the most common world-wide spreading worm. It's very
    dangerous by corrupting your files. Because of its very smart stealth
    and anti-anti-virus technic, most common AV software can't detect or
    clean it. We developed this free immunity tool to defeat the malicious
    virus. You only need to run this tool once,and then Klez will never
    come into your PC. NOTE: Because this tool acts as a fake Klez to fool
    the real worm, some AV monitor maybe cry when you run it. If so,Ignore
    the warning, and select 'continue'. If you have any question,please
    mail to me.

If you receive e-mail similar to the above, DO NOT open the file attachment. It will not protect your PC from Klez.H; it will infect it with Klez.H.

How Klez.H Infects A PC
-----------------------

If the recipient of a Klez.H infected message opens the file attachment, his/her PC will be infected. Even if the recipient does not consciously open the attachment, Klez.H is able to exploit a bug in certain versions of Internet Explorer that causes the file attachment to open automatically. Outlook and Outlook Express use Internet Explorer as a "helper program" to open certain types of file attachments. Several versions of Internet Explorer have a bug that makes it possible for a certain type of e-mail file attachment to open automatically even when the "auto open" option is disabled in Outlook or Outlook Express.
The Explorer bug was widely publicized and Microsoft provided a patch for the affected versions of Internet Explorer, but a lot of people are still running buggy, unpatched copies of Explorer. The bug is present in Internet Explorer 5.01 (unless Service Pack 2 has been applied) and Internet Explorer 5.5. You'll find the patch on the Microsoft TechNet Web site at:

    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Microsoft no longer supports earlier versions of Internet Explorer and so will not say whether they are affected, but it is generally assumed that they are. If you have an older version you should upgrade to a newer one.

What Klez.H Does To The Infected PC
-----------------------------------

If the file attachment is opened on the recipient's PC, the following occur:

1. If anti-virus software exists on the PC, and if that anti-virus software is not up to date enough to have stopped Klez.H before this point, Klez.H attempts to disable it. If the anti-virus software is running, Klez.H halts it. It then removes the startup registry keys used by anti-virus products and deletes checksum database files. This usually prevents the anti-virus software from running, and prevents you from updating its virus description database to a version recent enough to recognize and destroy Klez.H.

2. Klez.H replaces one or more executables (program files) on the recipient's PC with copies of itself.

3. Klez.H installs an additional file-infecting virus, W95/Elkern.cav.c (also known as W32.Elkern.4926).

4. Klez.H sends infected e-mail as described above.

5. If the newly infected PC is on a network, Klez.H attempts to infect other PCs with open shares on the network.
How To Protect Your PC From Klez.H Infection
--------------------------------------------

If you have anti-virus software on your PC, *and* if it is configured to scan incoming e-mail for viruses, *and* if its virus description database is up to date enough to know about Klez.H, then it will stop Klez.H before it can infect your PC. However, the virus description database must be *very* new. Klez.H was discovered and described by the major anti-virus software vendors on April 17, so a virus definition database older than that will not enable your anti-virus software to detect and stop Klez.H. We recommend that you update your virus definition database at least once a week, although given the rate at which new PC viruses appear, once a day would be even better.

If you use Microsoft Internet Explorer and Outlook or Outlook Express, make sure your copy of Explorer is a version that will not open certain file types automatically, as described above under "How Klez.H Infects A PC". If you have a version of Internet Explorer affected by the "auto-open bug", either apply the patch to fix the bug or upgrade to a newer version of Explorer.

In the final analysis you are your own best defense against virus infection. All it takes is a bit of common sense. If you receive a message containing a file attachment, *do not* open the attachment unless the sender is known to you *and* you are expecting a file attachment from that person *and* the sender clearly identifies the nature of the file attachment in the text of the message.

For More Information
--------------------

See the following URLs for more detailed information about the Klez.H worm, including removal instructions:

    http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
    http://vil.mcafee.com/dispVirus.asp?virus_k=99455
    http://www.F-Secure.com/v-descs/klez_h.shtml

-- 
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.
CONTACTS:
--------
Web Site:                          http://www.bcpl.net
Administration & Policy:           ispadmin@bcpl.net     410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net     410-887-4172
Technical Support (Help Desk):     help@bcpl.net         410-887-3297
Usenet News Newsgroup Requests:    news-admin@bcpl.net   410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net        410-887-6180
Domain Name Service Issues:        dnsadmin@bcpl.net     410-887-6180
FAX:                               410-887-2091