klez - Anyone seen this?

Discussion in 'malware problems & news' started by Eagle1, Jun 6, 2002.

Thread Status:
Not open for further replies.
  1. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    I just received this a few minutes ago. Anyone seen it before?
    How many people are going to get fooled by this and turn off their AV while they run this thing? Geez.



    Return-Path: <info@accl-smallships.com>
    Delivered-To: webmaster@net-integration.net
    Received: from oe-iw1.bizmailsrvcs.net (oe-iw1pub.managedmail.com [206.46.164.32])
    by thebe (Postfix) with ESMTP id 6F62B2DC91
    for <webmaster@net-integration.net>; Thu, 6 Jun 2002 10:05:35 -0400 (EDT)
    Received: from Odbsc ([68.0.121.232]) by oe-iw1.bizmailsrvcs.net
    (InterMail vM.5.01.03.15 201-253-122-118-115-20011108) with SMTP
    id <20020606140531.CIFE24721.oe-iw1.bizmailsrvcs.net@Odbsc>
    for <webmaster@net-integration.net>;
    Thu, 6 Jun 2002 09:05:31 -0500
    From: leave-moneydaze <leave-moneydaze@members.dazenetwork.com>
    To: webmaster@net-integration.net
    Subject: Worm Klez.E immunity
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=ZKZ61BgON3i6iXPo2mhW
    Message-Id: <20020606140531.CIFE24721.oe-iw1.bizmailsrvcs.net@Odbsc>
    Date: Thu, 6 Jun 2002 09:05:35 -0500

    --ZKZ61BgON3i6iXPo2mhW
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable


    Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.

    Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.

    We developed this free immunity tool to defeat the malicious virus.

    You only need to run this tool once,and then Klez will never come into your PC.

    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.

    If so,Ignore the warning,and select 'continue'.

    If you have any question,please <a href=3Dmailto:leave-moneydaze@members.dazenetwork.com>mail to me

    --ZKZ61BgON3i6iXPo2mhW
    Content-Type: application/octet-stream;
    name=webnudfg[1].exe
    Content-Transfer-Encoding: base64
    Content-ID: <L051203H949>

    Folks, NEVER turn off the Anti-virus program for anything!!!!
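    As an added defender-side example (not part of this thread), the script below parses a constructed message modelled on the one quoted above, with a placeholder in place of the real base64 payload, using Python's standard email library, and flags the three things that give this lure away: an executable attachment name, a binary part sitting inside a multipart/alternative body (which should only carry alternative renderings of the same text), and a From: domain that does not match the envelope Return-Path.

```python
"""Triage a raw RFC 822 message for the Klez-style lure shown above.

Added example, not code from the thread. Findings are returned as
(reason, detail) tuples so they can be asserted on or logged.
"""
import email
from email import policy
from email.utils import parseaddr

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")

# Constructed sample modelled on the quoted message; the attachment body
# is base64 of the word "PLACEHOLDER", nothing executable is embedded.
SAMPLE = """\
Return-Path: <info@accl-smallships.com>
From: leave-moneydaze <leave-moneydaze@members.dazenetwork.com>
To: webmaster@net-integration.net
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=ZKZ61BgON3i6iXPo2mhW

--ZKZ61BgON3i6iXPo2mhW
Content-Type: text/html

<p>If so, ignore the warning, and select 'continue'.</p>
--ZKZ61BgON3i6iXPo2mhW
Content-Type: application/octet-stream; name="webnudfg[1].exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--ZKZ61BgON3i6iXPo2mhW--
"""


def domain(addr):
    """Lower-cased domain of an address like 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _scan(part, parent_type, findings):
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    if name.endswith(EXEC_EXTENSIONS):
        findings.append(("executable-attachment", name))
    if ctype == "application/octet-stream" and parent_type == "multipart/alternative":
        findings.append(("binary-in-alternative", name or "(unnamed)"))
    if part.is_multipart():
        for child in part.iter_parts():
            _scan(child, ctype, findings)


def triage(raw):
    """Return the list of findings for one raw message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    rp, frm = domain(msg.get("Return-Path", "")), domain(msg.get("From", ""))
    if rp and frm and rp != frm:
        findings.append(("sender-mismatch", f"{frm} vs envelope {rp}"))
    _scan(msg, None, findings)
    return findings
```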
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    This is the kind of tool I mean in the other "klez" thread, which is offered as a removal tool for members and internet visitors world wide via a large ISP.
    Not reacting to my warnings about received spam from their members, etc. See the rest of the story yourself.
    http://www.security-pro.co.uk/yabb/YaBB.pl?board=virusesworms;action=display;num=1021083948;start=6

    Looking at the various "whois" elements here and the IP not fitting with those.... yes several will think it's the real protection.........

    Edit: new thread address:
    http://www.wilderssecurity.com/showthread.php?t=1643
     
  3. controler

    controler Guest

    Hi Eagle 1

    Yes, that is an old Klez false warning.

    I have a question for you. Are you the same Eagle 1
    that used to frequent our old chat room Over 40?
    Now I think it is owned by worldnetwork.org
    And their new Java rooms really suck ;)

    controler
     
  4. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    Hey controler,

    Nope, that wasn't me. I haven't been to a chat room since I left AOL back in 1995. I'm a newsgroup - webboard person. I'm not much into the chat rooms or instant messaging.

    This is the first time I've seen this message. I've received about 20 klez emails in the last week or so. But this was new to me. I've been so busy this past 2-3 weeks I haven't kept up on the transport methods like I should have.

    BTW, you sure have been busy around here. Your profile says you joined the board 2 days ago (June 4, 2002) and you have over 500 posts. Whoa dude, that's keeping busy.
     
  5. controler

    controler Guest

    Eagle 1  LOL

    Yup I joined a few days ago but have been around for a few years. I was slow to register huh?
    I had a friend calling me Foggy lately, after Foghorn Leghorn, and was happy to see they had that icon here.
     
  6. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    :D :D ROFL


    This email was a wake up call for me. No matter how busy I need to spend an hour or 2 a day keeping current on security threats. Not only for me but for my clients sake as well. Very embarrassing. I was never in danger of infection because I'm always current on app updates but I should have stayed on top of how they spread. Well that's changed now.  ;)
     
  7. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I have received 4 instances of Klez-H in my email today alone. Each has been from random sources, no way to backtrack to anyone that I know. I do believe this is the most prolific piece of crap I've ever come across.
    For those of you that do not use a safe email client, please make sure your preview is disabled. It is my understanding that this will execute simply by viewing in Outlook and OE.
    I use Poco and it is safe from this thing unless I click the attachment. M@ildefense has been on the job bigtime and I am really happy with it.
    Please, everybody, this thing comes at you from every direction with all kinds of subjects and att. files. It has a very nasty payload, so practice safe hex to the max.
     
  8. Warlock

    Warlock Registered Member

    Joined:
    Jun 8, 2002
    Posts:
    7
    Location:
    Halifax, Nova Scotia, Canada
    Hello All!!
    I was getting at least 6 Klez e-mails per day. This virus sends 2 attachments usually. I opened my Outlook Express and read the uninfected attachment. I got lucky! The attachment was a page from the person's Hotmail Inbox! It had their e-mail addy right on the page. I e-mailed him a fix for the virus and now I am down to 1 or 2 Klez e-mails per day. If I could only find the other person!!
    Warlock
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Warlock,
    Sounds like you've been very lucky.
    One of the first Klez attachments I received was really nasty: somebody sent me a screenshot of his attachments, which were the infection plus an HTML page URL displayed, which page tried to immediately d/l an update for the infection. Hard to see: if the display is www.name.com one expects it is a URL, but it can be a file.com executable as well. And attachments/extensions on a screenshot are not changed. Fortunately I could stop its download.
    Another time I was reading my inbox via webmail, which does not have the email scanner like the email I d/l to my email client, saw a large email and wanted to look at what it was and >boinkkkkk< the thing tried to get me to such a d/l as well, which was fortunately stopped by other protection. But of course in both cases I was shocked.
    Depending on the files, sometimes look via the source if there is something recognizable to warn a sender.
    In my other message above in this thread you see other experiences. I'll update that one.
     
  10. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    There is another one that now has 'Comparison purposes model' in the subject line and appears to be coming from PepiMK the developer of SpyBotSD. I just received it this morning and it almost got me. Actually it partially did. I was running an AV scan this morning while reading my mail offline.

    Because SBSD is getting ready to release a final I thought pepiMK was sending me something to review. When I went to open the attachment I realized instantly what it was and stopped it opening. It still was able to load 2 files which I quickly killed. I can be such an ass sometimes. I've since run 4 scans with separate apps and I'm OK now.

    Watch out. Don't get fooled by this one either. Man this is a sneaky son of a gun.
     
  11. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    I'm not so sure I got off scot-free on this after all. When I was reading the mail as I stated above I came to the infected email, which had apparently been scanned by NAV during the email download. It detected and immediately quarantined the Klez virus, which I was unaware of.

    I noted a text and an html file attachment. I went to open the text attachment and as I was doing so noticed that it said Norton report, blah, blah at the same time. As soon as I clicked it, a DOS screen opened and closed. This all sort of happened in a split second. You know, the instant recognition something isn't right, but also hey, this is a virus report, and then, oh crap, as the DOS window opened and closed.

    I immediately killed everything shutting down with my emergency kill button. (Yup I have one because of a past bad experience...it's red too. :) )

    I rebooted into safe mode and immediately began a new scan of my system. I also noted and confirmed the klez virus from that message had been quarantined. I did a thorough scan with NAV, then I did so again with NOD32, KAP, and Command. All showed no signs of the virus.

    I know this sounds stupid, but can I really be sure I'm not infected? The text file I opened was the Norton quarantine report, allegedly. But what concerns me is the DOS window I saw open briefly and then close, and no report opened.

    Any thoughts or comments from the experts here :) Thanks
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I don't run NAV, so I can't tell you about this DOS screen popping up. I think you might feel extra safe if you grab at www.avp.ru the clrav.com, which is the Kaspersky detection and cleaning tool for Klez (and/or get the one from www.bitdefender.org, antiklez.exe).
    Use them first in Windows, then in Windows safe mode, and another time after another reboot from MS-DOS.
    (This is why I saved them in the root, to access them easily from anywhere.)
    Hmm, you run NOD32, which would definitely grab the viruses Klez drops, and does Command not run from DOS?
    Klez has the nice habit of trying to disable the local security, so you might like another online scan.
    If you have to delete anything, does your Windows version have a restore function? In that case, disable restore before the reboot and enable it again after, for if not, the possible infections would also be put nicely back against your will.
    I do hope you ended up clean!
    I wonder in several cases if the second file that comes with the infection is as innocent as we think, as often these are HTM files and in that can be embedded a lot of nasty stuff which might not always be immediately discovered.
    Hope we find better protection for this real nasty in filtering possibilities etc.
    Please keep us updated if you managed to keep really clean!
     
  13. controler

    controler Guest

    It doesn't matter if you have Norton or not. If the file extension is TXT, then whatever app you have selected Windows to use to open that file will...
    Right click on the file, click Open With, choose Notepad, and make sure "always open with this app" is not checked, or Windows will always try to use Notepad to open any text file, but then that ain't all bad anyway. There are many Klez cleaning tools. One listed at Wildersw.Org even...

    controler
     
  14. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    Well I have no idea what the DOS window was all about. But I used detection and cleaning tools from several places including the 2 you mentioned Jooske and I'm clean.

    Normally I would have accepted I was fine after the 4 scans and using the first klez tool and not checked here or with the 4 AT vendors. But that DOS window bothered me. Nobody I spoke with so far can answer that one. It's one of those mysteries that might never be solved. It appears whatever was trying to load couldn't because it had been quarantined. Everything has been sent off to each of the vendors because they all wanted to see it.

    How to open the text file was never the issue. It was what happened at the same time I was trying to do so....the dos window. But I do appreciate the tip controler. Thanks

    Bottom line is that my system was not infected because of having the proper updated tools, the proper filtering and a plan of action in place for responding to potential infection. They protected this dummy who knows better who should have been paying much closer attention to what he was doing.

    This proves the importance of staying up to date and having proper tools in place. This could have been a disaster.

    Thanks to all who provided feedback and suggestions. It is much appreciated.
     
  15. controler

    controler Guest

    Did you look at the names of the files in the quarantine bin?
    You sure can look at anything there without fear. You have to send them from there anyway. What I don't like about the quarantine bin
    is after the file is sent, it is gone.
    Was it really a TEXT file you clicked on when you got the DOS window, or was it one of the cleaning programs you used?
    It is common for those types of programs to open DOS windows.
    Guess we had ta be there huh?

    controler
     
  16. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    There is no question it was a text file that was generated by Norton. That is why it freaked me out so much. But these mails come with an htm file too. That may have something to do with it. Who knows.

    It may have also been that while each of these AV apps can detect and quarantine they all have separate tools for full detection and cleaning. I think it simply quarantined a part of the executable but left part of the .bat file behind which is what attempted to load. Educated guess based on a review of the entire file. A couple of the vendors thought that made sense too. But until I hear back (if I do) I won't know. But they were definitely curious too.

    I have viewed the files and still have copies of everything including archived on disc.

    It could not have been a cleaning tool because I didn't have any loaded at that time. Remember, this was when it initially happened and I was reading mail, not looking for the virus.

    Let me also note: I contacted the "alleged sender" in the header and he responded by indicating it was not him that was infected. He has checked numerous times because I'm not the first to contact him. It verifiably came from someone he knows. Just goes to show how sneaky this bugger is.
     