Wilders Security Forums  

  #1  
Old February 11th, 2002, 07:08 PM
javacool
Javacool Moderator
 
Join Date: Feb 2002
Posts: 3,656
Default Variant: Klez.e....(free tool to remove: 2/8/02)

Bulletin courtesy of CNet News.com:
Quote:
Klez worm reborn as nastier version


By Robert Lemos
Staff Writer, CNET News.com
February 11, 2002, 12:30 PM PT


A new variant of the destructive Klez worm has had moderate success, prompting one antivirus company this past weekend to release free tools to deal with its spread.
The variant, carried by e-mail and known as Klez.e, overwrites victims' files with random content on the sixth day of odd-numbered months. It can spread automatically on Windows systems that use an unpatched version of Microsoft's Internet Explorer.

"The latest version, Klez.e, (poses) the most serious threat to computer safety," said Moscow-based antivirus company Kaspersky Labs.



Though antivirus companies discovered the Klez.e variant in late January, its tenacity has prompted Kaspersky Labs to release an antivirus tool to remove it.

Based on how many instances of each worm and virus the company has intercepted in the past 24 hours, U.K.-headquartered mail service provider MessageLabs ranks Klez.e fourth on its top 10 list, behind Sircam, BadTrans and Magistr--old worms that continue to plague the Internet. However, the company has intercepted fewer than 400 copies of Klez.e.

In the same 24 hours, BadTrans popped up about 750 times, and Sircam made about 1,600 appearances.

Klez.e arrives in an e-mail message with a subject heading generated from a list of more than 20 keywords or forged to look like the heading on an undelivered message. The body of the message is empty or has random text.

"That's the way it runs automatically, but it still could come onto your system," said Vincent Weafer, senior director of antivirus firm Symantec's security response team. In that instance, a dialog box would appear, asking computer users if they want to run a program called Klez.e. Users should, of course, click no.

Microsoft patched the IE hole last March, so any Windows system that has been recently updated should be immune to the worm's auto-infecting function. Weafer said Klez is in the top 10 but has caused only one-eighth as many reports as BadTrans.

The worm infects Windows archive files with a copy of itself. It also attempts to circumvent antivirus programs and defeat some competing worms by shutting them down if they're found running.

"It tends to attack the user-interface component, but in most cases the real-time scanner is still active," Weafer said. Antivirus software consists of two basic components: the real-time scanner, which catches viruses that attempt to run, and an application with an interface that allows PC users to scan their machine for infections.

Hence, Klez.e "becomes a pain more than a real threat," Weafer said. Symantec has updated virus definitions that are available to protect against the worm.

Microsoft Windows users should run Windows Update to ensure they are protected against the auto-executing features of this worm.


To get the free tool to detect and remove this worm, visit the following address: http://www.kaspersky.com/news.html?t...0140&id=224687

-javacool
__________________

*Official Javacool Software Website*
*SpywareBlaster*

*Please note: I am not responsible if any advice herein causes any trouble whatsoever *
  #2  
Old March 8th, 2002, 01:25 AM
Mindy
 
Posts: n/a
Default Re: Variant: Klez.e....(free tool to remove: 2/8/0

I work for a local ISP and I have a customer that has this virus. I have had her use HouseCall, it found it, cleaned it. AVG, clean, Norton, clean. Our virus sniper keeps sending her an email saying that she still has this virus and is trying to send it out. I had her also use the clrav tool and it didn't find it. I'm running out of ideas here, short of telling her to reformat.

Anyone else having trouble with this one? Thanks!

BTW, this is a great forum, as I have to say I have become the resident virus expert in our little neck of the woods. Great info!
  #3  
Old March 8th, 2002, 05:47 AM
Paul Wilders
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383
Default Re: Variant: Klez.e....(free tool to remove: 2/8/0

Hello Mindy,

Since we are unaware of the (probably still) infected system, O/S installed etc. the main advice is:

After backing up the registry:

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for the following values and delete them if they exist:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

5. Navigate to and expand the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

6. In the left pane, under the \Services key, look for the following subkey, and delete it, if it exists:

\Wink[random characters]

7. Click Registry, and click Exit.

Be sure your client performs the above strictly. After doing so, a full and deep scan (all files included) using a good and updated anti-virus is necessary.

Thanks for the compliment!

regards.

paul



__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
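
The registry check from the steps in the post above, run against a text export of the registry (such as the backup taken beforehand) rather than the live hive. This is an added example, not part of the original post; the REGEDIT4 sample, the function name `find_klez_entries` and the treatment of the "random characters" as alphanumeric are assumptions made for illustration.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
# Names from the post: "Wink[random characters]" and "WQK". Treating the random
# characters as alphanumeric is an assumption made for this example.
RUN_VALUE_RE = re.compile(r"^(wink\w*|wqk)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^wink\w*$", re.IGNORECASE)
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export (REGEDIT4 text format), not from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winkabc"="C:\\WINDOWS\\SYSTEM\\Winkabc.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkabc]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\Winkabc.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winmgmt]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\winmgmt.exe"
'''

def find_klez_entries(reg_text):
    """Return (kind, key, name, data) for entries matching the post's names."""
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            parent, _, leaf = current_key.rpartition("\\")
            # Step 6: a direct subkey of \Services named Wink[random characters].
            if parent.lower() == SERVICES_KEY.lower() and SERVICE_RE.match(leaf):
                hits.append(("service", current_key, leaf, ""))
            continue
        m = VALUE_LINE_RE.match(line)
        # Step 4: values under the Run key named Wink[random characters] or WQK.
        if m and current_key and current_key.lower() == RUN_KEY.lower():
            name, data = m.group(1), m.group(2)
            if RUN_VALUE_RE.match(name):
                data = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
                hits.append(("run", current_key, name, data))
    return hits

if __name__ == "__main__":
    for kind, key, name, data in find_klez_entries(SAMPLE_EXPORT):
        print(f"[{kind}] {key} -> {name} {data}")
```

A match is a candidate for review against the steps above, not proof of infection.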
  #4  
Old March 10th, 2002, 09:50 AM
Mindy
 
Posts: n/a
Default Re: Variant: Klez.e....(free tool to remove: 2/8/0

Thanks, I will pass this on to her. Most of my customers I would not, but there are a small majority of them that at least know what I am talking about. I will be back often!

Mindy
 
