
W32/Klez-G Virus

Old 30th Apr 2002, 14:34
#1
PPRuNe Secret Agent! (Moderator, Thread Starter)
Join Date: Nov 1999
Location: West Sussex, UK
Posts: 1,546
W32/Klez-G Virus

I got this from our IT dept. at work - don't understand most of what he's waffling about but the subject lines are worth noting - I've already had one of these bug*ers in my PPRuNe inbox using the first subject line - "A Nice Game"

W32/Klez-G is a slight modification of Worm/Klez-A and is an Internet worm capable of spreading through the local network under Windows 32-bit systems and infecting EXE Files. In order to be able to remain as a resident virus in the workspace, it infects the file KERNEL32.DLL.

Like other variations, the worm arrives through e-mail in the following format:

Subject Lines include (but not limited to):
- Fw: A nice game
- Re: A WinXP patch
- Re: Good removal tools
- Fw: A humour website
- how are you
- For more information, please visit

Body Text (examples):
- This is a nice game
This is my first work.
Your're the first player.
I would expect you would enjoy it

- Hello,This is a humour game
This game is my first work.
You're the first player.
I expect you would like it.

Attachment (examples):
- kitty.exe
- rock.exe
- play.scr

Worm/Klez.G utilizes its own SMTP engine for replication. In addition to collecting email addresses from an infected user's address book and those contacts listed within the instant messaging database, files that are likely to contain email addresses and have the following extensions will also be searched:
*.asp, *.bat, *.doc, *.exe, *.htm, *.html, *.jpeg, *.mp3, *.pdf, *.rtf, *.txt, and *.xls

The virus creates an execution thread, which monitors all running applications, and if there are any applications belonging to a real-time anti-virus program, it closes them and removes the corresponding key from the registry.

The next thing the virus does is create a file named wqk.exe and wink**.exe (where "**" are random characters) in the system directory, which contains the Win32.Elkern.A virus, which it kept compressed in its body. This virus is a file infector that runs on Windows 98 or Windows Me.

It uses an exploit (a security hole) that allows the attachment to be executed when viewing the message with Microsoft Outlook Express or Outlook (without Service Packs installed). This method is similar to the one used by Nimda or Kak worms.

Microsoft has issued a patch which protects users against this vulnerability. It can be downloaded from
http://www.microsoft.com/technet/sec...n/MS01-020.asp
JB007 is offline  
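A defender-side check for the indicators the write-up above lists, added here as an example (not code from the original post or from the IT department that wrote the description). It assumes the input is one raw RFC 822 message and uses a constructed sample with a harmless placeholder attachment:

```python
import email
import email.policy
import re

# Indicator lists taken from the write-up quoted in the thread.
KLEZ_SUBJECTS = {
    "fw: a nice game", "re: a winxp patch", "re: good removal tools",
    "fw: a humour website", "how are you",
    "for more information, please visit",
}
KLEZ_ATTACHMENTS = {"kitty.exe", "rock.exe", "play.scr"}
EXECUTABLE_EXT = re.compile(r"\.(exe|scr)$", re.IGNORECASE)

def klez_indicators(raw_message: bytes) -> list[str]:
    """Return the Klez-G indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in KLEZ_SUBJECTS:
        hits.append(f"subject matches a known Klez-G line: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() in KLEZ_ATTACHMENTS:
            hits.append(f"attachment name seen in Klez-G samples: {name}")
        if EXECUTABLE_EXT.search(name):
            ctype = part.get_content_type()
            # The MS01-020 trick the post refers to: an executable declared
            # as a media type so an unpatched Outlook/OE preview runs it.
            if ctype.startswith(("audio/", "image/", "video/")):
                hits.append(f"executable {name} declared as {ctype}")
    return hits

# Constructed sample (not a real capture) shaped like the description
# above; the attachment body is a harmless placeholder, not the worm.
SAMPLE = b"""From: someone@example.invalid
Subject: Fw: A nice game
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="kitty.exe"
Content-Disposition: attachment; filename="kitty.exe"
Content-Transfer-Encoding: base64

AAAAAAAAAAAAAAAA
--b1--
"""
```

`klez_indicators(SAMPLE)` returns three hits: the subject match, the attachment name, and the executable declared as audio/x-wav.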
Old 30th Apr 2002, 16:17
#2
Join Date: Oct 1998
Location: UK
Posts: 468
and watch this thread as well
FL310 is offline  
Old 1st May 2002, 04:29
#3
Join Date: Jan 2001
Location: The Burrow, N53:48:02 W1:48:57, The Tin Tent - EGBS, EGBO
Posts: 2,297
I arrived back in the UK yesterday and proceeded to download my emails, all 100+ of them. I was happily deleting those I did not want / recognise, all unopened, when I received a short series of "Mail Undeliverable" messages. I knew I hadn't sent anything so promptly shut down OE having had a quick look at one of these "Undeliverable" messages (in case it was something I had sent before I left the UK) and had my suspicions aroused even further. I had not seen this thread - it hadn't been posted at the time, but managed to locate Symantec's removal tool and use it with success. The fact is that I did not open anything I was unsure of. The only attachments I opened were ones which I had sent myself from another computer which has up to date virus protection in constant use. That computer is still virus free. I have no idea where this virus came from; it is SNEAKY to say the least and it ate my McAfee anti-virus!
DX Wombat is offline  
Old 1st May 2002, 07:49
#4
Join Date: Dec 1997
Location: Penarth South Wales
Posts: 950
DX Wombat

Do not despair.

One of the features of this latest virus is that it "clones" e-mail addresses, making them appear to come from people who didn't send them. I have had about a dozen "rejected" e-mails, which I didn't send.

The original advice is always good. NEVER open an attachment that you are not expecting, even if it comes from someone you know.. and ALWAYS keep your virus definition software up to date.

H
Hamrah is offline  
Old 1st May 2002, 14:33
#5
Join Date: Jan 2001
Location: The Burrow, N53:48:02 W1:48:57, The Tin Tent - EGBS, EGBO
Posts: 2,297
Thanks Hamrah, the thing that bothered me was that I had only opened the attachments I had sent myself from a computer which I knew to be clean at the time of sending (and still is). Everything which I was unsure about was being deleted unopened. The virus ate Sophos (not updated), Quarterdeck Cleansweep (also in need of updating) and McAfee (Virus scan and Firewall) which was updated when I last used the computer before heading off for Oz at the beginning of April. I had intended to update the McAfee when I had finished dealing with the email but the virus got there first. Next time I go away I will update the virus protection before looking at my email when I return. I am just glad that I realised what was going on and was able to remember that Symantec usually have free downloads for these things and was able to access it.
DX Wombat is offline  
Old 2nd May 2002, 03:43
#6
Join Date: Mar 2001
Location: Florida, USA
Posts: 632
I'm using WindowsXP Pro - and (when it came out) the only anti-virus that worked with it is Norton 2002.

I've had many attempted mailings of this virus over the last three days....Norton has caught them all before letting my PC download them from the server.
GoneWest is offline  
Old 3rd May 2002, 13:21
#7
Join Date: Mar 2001
Posts: 154
Same as Gonewest...using XP-pro and 2002 and it is stopping the little sods
Abbeville is offline  