klez worm: take care!


Paul Wilders
April 18th, 2002, 07:57 AM
Klez worm on the loose again
08:50 Thursday 18th April 2002
Robert Lemos, CNET News.com


An altered version of the worm is able to slip past virus scanners and has infected computers in many countries. It emails itself to other victims and can spread via a LAN.
A new variant of the Klez worm managed to squirm into computers in some parts of Asia on Tuesday and appeared to be spreading in the United States and the UK as of Wednesday.

Alternately known as Klez.g, Klez.h and Klez.k, depending on the security advisory that's referring to it, the worm has its own email engine to mass mail itself to potential victims, and it also attempts to deactivate some antivirus products. The worm can also spread to shared drives connected to PCs via local area networks or LANs.



While the email message in which the worm gift-wraps itself is relatively standard, its ability to elude most antivirus products has enabled it to spread fairly widely, said Alex Shipp, an antivirus technologist for UK-based email service provider MessageLabs.

"The author has changed enough of the bits to get past most virus programs," Shipp said.

While MessageLabs rates the virus as a low threat, Shipp said the rating is updated periodically, and he expects it to reach a high rating when it does update. The company first detected the malicious attachment late Monday and has seen the spread of the worm gradually increase.

Different variants of the Klez worm have generally been among the Top 3 antivirus threats since the first version of the worm was released in January. The Klez.e variant, which appeared last February, was particularly voracious, quickly becoming one of the fastest-spreading worms on the Internet.

Security-software maker Symantec upgraded the latest variant, which it labeled W32.Klez.H, to a threat level of three from a previous rating of two. The company categorises threats on a scale of one, the lowest threat, to five.

A worm of many subjects
The worm arrives in an email message with one of 120 possible subject lines. There are 18 different standard subject headings, including "let's be friends", "meeting notice", "some questions", and "honey". On top of those, seven other patterns exist, such as "a x game" and "a x patch", where x can be one of 16 different words, including "new", "WinXP", and the name of any of six major antivirus companies.

In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on unpatched versions of Outlook.

The malicious program will find any network storage available on the infected PC and copy itself to the remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension.

The program will also cull email addresses by searching a host of different file types on the infected PC. Using its own mail program, the worm will send itself off to those email addresses. In addition, it will use the addresses to create a fake "From:" field in the email message, disguising the actual source of the email.

Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.

Clues in the code
The worm also sports a message in its code from the author, who brags that it only took three weeks to create the malicious program.

The author claims the virus originated in Asia and may have bugs because of how fast he created it.

MessageLabs' own data points to China as the source of the first emails containing the worm.

By 1900 GMT on Wednesday, major antivirus vendors had updated their virus definitions to recognise the newest Klez variant. However, in most cases, users will have to initiate an update to download the newest definitions and be protected.

-------

source: news.zdnet.co.uk

side note: as far as my info goes, new variants indeed have shown up in the meanwhile. Update your AV as much as possible.

regards.

paul
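The article above describes the worm's mail-side indicators: attachments with executable extensions (.EXE, .PIF, .COM, .BAT, .SCR, .RAR), occasional double extensions, a forged "From:" built from harvested addresses, a fixed set of subject lines, and the MIME auto-execution bug that lets an attachment run without being opened. The script below is an added example, not code from the article, ZDNet or this thread: it reads messages out of an mbox file (so each attachment is examined on its own rather than as part of one large mail-folder file), walks the MIME parts and reports those indicators with a verdict per message. The two sample messages, the addresses and the short subject word list are constructed; the check for a part declared as audio/* whose payload starts with a PE "MZ" header is an assumption about how the MIME-type bug is triggered, since the article names the bug but does not describe its mechanics.

```python
"""Klez-style mail triage over an mbox file (added example, constructed data)."""
import mailbox
import os
import tempfile
from email import encoders
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Extensions the article says Klez uses for the copies it drops and mails.
EXEC_EXTS = {".exe", ".pif", ".com", ".bat", ".scr", ".rar"}
# Subjects quoted in the article (a subset) and the "a x game" / "a x patch"
# pattern with two of the sixteen fill-in words the article names.
FIXED_SUBJECTS = {"let's be friends", "meeting notice", "some questions", "honey"}
PATTERN_WORDS = {"new", "winxp"}
# Findings that justify quarantining the message outright.
HARD_KINDS = {"exec-ext", "double-ext", "mime-mismatch"}


def suspicious_subject(subject):
    s = subject.strip().lower()
    if s in FIXED_SUBJECTS:
        return True
    words = s.split()
    return (len(words) == 3 and words[0] == "a"
            and words[1] in PATTERN_WORDS and words[2] in {"game", "patch"})


def check_filename(name):
    """Flag executable extensions and double extensions such as po.txt.scr."""
    findings = []
    root, ext = os.path.splitext(name)
    if ext.lower() in EXEC_EXTS:
        findings.append(("exec-ext", name))
    if os.path.splitext(root)[1]:          # a second extension hides in the root
        findings.append(("double-ext", name))
    return findings


def triage_message(msg, envelope_from):
    """Return {'subject', 'findings', 'verdict'} for one parsed message."""
    findings = []
    subject = msg.get("Subject", "")
    if suspicious_subject(subject):
        findings.append(("subject", subject))
    header_from = parseaddr(msg.get("From", ""))[1]
    # Klez fills From: with a harvested address; compare it with the envelope
    # sender recorded on the mbox "From " line.
    if header_from and envelope_from and header_from.lower() != envelope_from.lower():
        findings.append(("forged-from", f"{header_from} != {envelope_from}"))
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            findings.extend(check_filename(name))
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Assumption: a part declared as audio but carrying a PE "MZ" header is
        # the mislabelled-MIME trick that an unpatched preview pane would run.
        if ctype.startswith("audio/") and payload[:2] == b"MZ":
            findings.append(("mime-mismatch", f"{name or '(unnamed)'} declared {ctype}"))
    hard = any(kind in HARD_KINDS for kind, _ in findings)
    verdict = "quarantine" if hard else ("review" if findings else "clean")
    return {"subject": subject, "findings": findings, "verdict": verdict}


def triage_mbox(path):
    """Triage every message in an mbox; the envelope sender comes from the 'From ' line."""
    box = mailbox.mbox(path)
    try:
        return [triage_message(m, m.get_from().split()[0]) for m in box]
    finally:
        box.close()


def _attachment(maintype, subtype, filename, payload):
    part = MIMEBase(maintype, subtype)
    part.set_payload(payload)
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "attachment", filename=filename)
    return part


def _message(sender, subject, attachment, envelope_from):
    m = MIMEMultipart()
    m["From"], m["To"], m["Subject"] = sender, "victim@example.com", subject
    m.attach(MIMEText("", "plain"))
    m.attach(attachment)
    mm = mailbox.mboxMessage(m)
    mm.set_from(envelope_from)               # becomes the mbox "From " line
    return mm


def build_sample_mbox(path):
    """Write two constructed messages: one Klez-like, one benign."""
    box = mailbox.mbox(path)
    # Constructed: forged From:, quoted subject, PE bytes labelled audio/x-wav,
    # and a double-extension name in the style of the samples in the thread.
    box.add(_message("friend@example.org", "honey",
                     _attachment("audio", "x-wav", "po.txt.scr", b"MZ" + b"\x90" * 62),
                     "spoofer@example.net"))
    box.add(_message("alice@example.com", "Q2 budget",
                     _attachment("application", "pdf", "report.pdf", b"%PDF-1.4 constructed"),
                     "alice@example.com"))
    box.close()


def demo():
    path = os.path.join(tempfile.mkdtemp(), "inbox.mbox")
    build_sample_mbox(path)
    return triage_mbox(path)


if __name__ == "__main__":
    for r in demo():
        print(r["verdict"], repr(r["subject"]), r["findings"])
```

Point `triage_mbox()` at a saved mailbox instead of the constructed one to run it on real mail; the verdict is a heuristic for triage, not a replacement for a signature scan of the extracted attachments.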

FanJ
April 18th, 2002, 09:28 AM
See also these threads:

http://www.security-pro.co.uk/yabb/YaBB.pl?board=virusesworms;action=display;num=1019058303

http://www.security-pro.co.uk/yabb/YaBB.pl?board=virusesworms;action=display;num=1019058883

root
April 18th, 2002, 10:43 AM
Isn't it just wonderful. I wish the punks would just go back to smashing mail boxes. >:(
I'm about ready to turn BLAZE loose with his bazooka.

thorn
April 20th, 2002, 04:42 AM
You can bet the author of that virus is paid $$big$$, even by local standards. Top party officials of the China Central Committee, PRC, need to have a reason to exist. She will die with her boots on. Well, just speculation of course :)

controler
April 21st, 2002, 12:33 PM
I got a bunch of those e-mails today. They only included a subject line.
One did have the honey subject line.
I thought it was a wise guy sending me spam.
I then got an e-mail from what appears to be a WAREZ dude warning me of the Klez.E and offering a cleaning tool.
I have Norton Antivirus 2002 with the latest BETA definitions. First I updated this morning and scanned and found nothing; I then went to Symantec's site and saw they offer BETA defs for emergency situations.
I am guessing I am infected with a variant that Norton isn't catching yet?

spy1
April 21st, 2002, 12:54 PM
If you didn't apply the 'fix' (which was the malware in disguise) you didn't get infected with anything.

Did you, or did you not, accept (open) the attachment, either in the one you thought was spam, or the follow-up email from the 'warez' guy? Pete

controler
April 21st, 2002, 01:00 PM
I was using my Hotmail account and clicked on the mail only to see NO body, only the subject.
Like I said, I got the e-mails with subjects only, then got the offer from
Jscomp0550@aol.com

for the cleaning tool.
You tell me.
Norton is NOT finding anything yet after receiving these e-mails.
I have run TDS and WormGuard but just reformatted and might have to again :)
There are two possibilities here.
1. I am infected with the newest variant.
2. I am the victim of a prankster who probably got my e-mail from one of these sites.

spy1
April 21st, 2002, 01:48 PM
If you did not click on any attachments, you're not using OE or O with the Preview Pane enabled and your browser is up-to-date patch-wise, you're not infected. Pete

controler
April 21st, 2002, 03:14 PM
Spy1

I forwarded you the e-mails so you can be da judge ok?

Over?

spy1
April 21st, 2002, 03:21 PM
NP. Got them already and NOD32 went off like a firecracker before I could even open the OE screen. (So far I've received six, total - got a sound and a pop-up alert on each).

All the attachments are infected with klez.

Anything else? Pete

controler
April 21st, 2002, 03:30 PM
Dang, it has to be a new variant then that Symantec isn't catching :(
I better redownload TDS or something ;)

I knew something was fishy

Thanks

spy1
April 21st, 2002, 03:48 PM
They were all identified as Win32/Klez.J worm, if that helps.

Are you sure your AV program is totally updated? Are you using Live Update? Intelligent Updater or what?

Virus write-up here: http://www.nod32.com.au/nod32/msgs/klezj.htm Pete

controler
April 21st, 2002, 03:53 PM
I am using
1. Norton AV 2002
2. I downloaded the removal tool and that found nothing
3. I not only am using the latest released defs BUT am also using the Symantec Beta defs which are for emergencies.
4. I beta test for Symantec and have for about 6 years. :)
You should do some investigating since you are finding it. I don't see the J version listed on Symantec's site yet.
Will TDS find it?
From what I remember NOD32 is not trialware.
I will run over to Trendmicro.com and do a quick scan also.
Better yet, with all your connections here, ask somebody else to scan it with their upgraded version of Norton. And make sure their other scanning software is turned off !!!!

Over?

controler
April 21st, 2002, 03:56 PM
I will make a quick run over to Trendmicro.com
and do an online scan and let ya know.
I am guessing Hotmail is not susceptible unless forwarding.
Over?

spy1
April 21st, 2002, 04:03 PM
controler -

(a) NOD32 is trialware.

(b) TDS won't have a chance to find it since I've already deleted them (sorry, didn't know you wanted me to keep them and play with them! <g> )

(c) I must be missing something here - one more time. If you didn't click on the attachments, you're not infected, so what exactly are you scanning for?

Can't you simply right-click on the attachment and have Norton scan it? Or doesn't it identify it, then, either?

If you have an IM program, now's the time to use it.
Pete

Jooske
April 21st, 2002, 04:49 PM
Interesting, version J already; I was still looking for H, which was released a few days ago.
I understand from Spy1 you have infected emails, Controler. I'd suggest you zip such an email, including all, and send it via the TDS support site to their lab if you like to be sure.
I always do with the first new finds.

Did you have the Norton email scan up, btw? As many scanners don't scan deep in emails as long as they are in the email program, because the email folders are in fact one large file for them. The moment you save them in another location they can be scanned and treated, as far as I understood the explanation long ago.

WormGuard should recognise the pattern and block the thing from running; TDS can help you with the detection/removal.

How the other person went to send you the infected email I don't know exactly. Maybe to give you some test materials, but it does not sound very reliable, does it?

You might like to read this article:
http://online.securityfocus.com/infocus/1562
Telling a lot about the value of scanning and the question whether anti-virus/trojan developers would hire virus creators to keep their business running. Of course not, but your case looks like it.
Fingers crossed very much TDS / WormGuard and/or other scanners keep your system in bright clean condition. (You know by now I love TDS so very much.)
So please do send their lab that zipped thing you have and they can tell you if they have a cure for it immediately.
Thanks in the name of the whole internet society!

controler
April 21st, 2002, 05:50 PM
OK, here is the deal:
if they come in on Hotmail they don't show up as attachments.
Please remember I have beta tested for Symantec for 6 years. That means I do have e-mail scanning enabled and Bloodhound on high.
What I did was forward the e-mail from Hotmail to my home e-mail (real) just to play.
Since I just reformatted I don't have all the latest updates to Office 2000, which I understand cover this worm.
My Norton does not catch it BUT the splash from Outlook Express comes up saying the usual, "do you want to open or save to disk?" I chose to save to disk. So far I have got two more e-mails from all over. One attachment is named po.scr and the other is named mix
and shows as a shortcut. RIGHT-clicking with Norton does NOT show anything and going to Trend Micro does not show anything. This is telling me I am not infected but could be if I were to actually open the attachments.
I still have all the e-mails if anybody is interested.
I tried to send to Symantec and Trend but they do not have direct links UNLESS you have the file. I could not forward the e-mail to them. Once I get all the mutated files I will try sending them.
WILL TDS ALLOW FORWARDED MAIL?
Over?

controler
April 21st, 2002, 06:19 PM
This is a good one I am getting calls from all my friends saying they are getting mail from all over da world.
They have Norton also.
I better get the fix soon.

controler
April 21st, 2002, 06:46 PM
One more reason I may have been sent this worm is because of my ties with Michael Paris?
I think he would like a sample too :)
The Knights Templar rides again !!!!!!!!!!
So where is the Ark of the Covenant ??? Huh?

controler
April 21st, 2002, 07:10 PM
UPDATE: NOD32 is not catching this variant,
just tried it with the latest updates.
Going to try TDS now

controler
April 21st, 2002, 07:34 PM
After scanning with NOD32 and Norton no worm is found
However after sending in the sample of the worm to Symantec, READ the below results
I am using a Windows ME machine My friends have updated their virus def's also and find nothing. WASUUP?

This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec AntiVirus Research Center (SARC) and cannot accept correspondence or inquiries. Please contact your Technical Support representative if more detailed information about your submission is required. Do not reply to this message.

Below is a status update on your virus submission:

Date: Sun Apr 21 13:10:40 PDT 2002
Controler
Dear Controler
We have analyzed your submission. The following is a report of our findings for each file you have submitted:

filename: C:\WINDOWS\Desktop\New Folder (2)\Size.pif
machine: CONTROLER
result: This file is infected with W32.Klez.gen@mm

The current certified definitions are capable of detecting this virus: see the specific infected files for required action. Please update your definitions by clicking the "LiveUpdate" button in your NAV program.

Developer notes:
C:\WINDOWS\Desktop\New Folder (2)\Size.pif is infected by a non-repairable virus or a Trojan Horse. You should delete this file and replace it if necessary.


Your submission tracking number is in the subject of this message.

If you have any questions about your submission,
please include your submission tracking number in the inquiry.
Symantec provides free online support at:
http://www.symantec.com/techsupp/

Follow the prompts to access the online Knowledge Bases and
online Discussion Groups.

Virus information and definitions are available at:
http://securityresponse.symantec.com/

Jooske
April 22nd, 2002, 10:54 AM
Hi, I see a question was left unanswered:
yes, you can either zip the whole email with attachment and send it via web site or browser, or email it to support@diamondcs.com.au for TDS.
They can handle it for you.
In the other thread Gavin explained some of the detection, so if it does not show up it does not mean it is not detected yet. Maybe the catcher is ready to jump on it at the right moment; I really don't know those parts.
Anyway, there are lots of recommendations for cleaning/fixing, at KAV/AVP, Trend Micro, Symantec, F-Secure, you name them.....
Did you beta test the files and fixes on infections or the scanner software itself?

Time Out
April 22nd, 2002, 09:55 PM
Thought I would share a link with you all since we are following your thread. Thanks for being here. :)


MyRealBox catches Klez


http://www.dslreports.com/forum/remark,3103878~root=security,1~mode=flat

Time Out
April 22nd, 2002, 09:59 PM
www.dslreports.com/forum/remark,3095445~root=security,1~mode=flat

And thanks for all your hard work controler. 8)

edit: added url tags - forum admin

controler
April 23rd, 2002, 12:08 PM
Here I will try to explain why a person can scan their system and NOT find anything wrong but, after submitting a file to Symantec, get a response back telling you your file was infected.

There are actually three virus definition updates.
There used to be two. You had your regular home user LiveUpdate, which are posted once a week (Wed.).
Then you had your more advanced update which you got from Symantec's FTP site and were BETA.
Now you have the same LiveUpdate, you have the Intelligent Updater, which are manual updates and even though these are mentioned as STILL BETA, Symantec is saying they are MORE tested LOL.
Then last is the BETA virus definitions which are NOT tested at all and are labelled as for emergencies and of course NOT recommended for the normal home user ;)
The BETA definitions are also posted once a day.
There you have it.
I hope I have helped explain things and not confused the situation even more.

spy1
April 23rd, 2002, 01:29 PM
controler - The only thing I still don't understand is why Norton AV 2002 never alerted you to the worm when you first received it in your email.

Did I miss that part? Has a further update of Norton rectified that particular gaping hole? Pete

controler
April 23rd, 2002, 02:54 PM
The virus definitions I had were the LiveUpdate ones and not the Beta ones, which caught the latest strain. I also sent another file to them today for review.
I am now working with a company after using their virus sniffing software. They would give me a full working version so I was forced to use their trial. And you know how I hate trialware LOL
Their software is dated Oct and so the definitions are old too. After a full scan the program said my MSTEE.SYS was infected. Umm, NOD32 and Norton 2002 say gee, I don't see that.
So I wrote back telling them I was happy to not have the full version or I would now be short a needed system file, since their software auto-deletes it, which is never good. Their engineers wrote back saying I need to send a sample LOL and that it is prolly a case where another antivirus program tried to fix it in the past and corrupted it.
Of course I had to write back telling them I NEVER have my software set to AUTO fix or delete!! I always ask just so I don't run into the problem of false positives taking my files and deleting them.
I will let you know their results later.

Over?

Paul Wilders
April 23rd, 2002, 05:29 PM
controler,

Is that actually you, the old, "one and only" controler from way back? If so: welcome back!

I'm interested; please keep us updated.

As for the file in question; interested in that one as well. Would you mind zipping it and send me a copy? If so: addy is webmaster@wilders.org

regards.

paul