Klez.E

Discussion in 'WormGuard' started by controler, Apr 21, 2002.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files.
    Because of its very smart stealth and anti-anti-virus technic, most common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious virus.
    You only need to run this tool once, and then Klez will never come into your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real worm, some AV monitor maybe cry when you run it.
    If so, ignore the warning, and select 'continue'.
    If you have any question, please mail to me.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Which tool was it or which web site, as you might have special reasons why you post in the DiamondCS threads?
    I would be VERY careful if you don't know the sources.
    For me, if it is not a tool from the developers I know, like DiamondCS or one of the others, KAV, AVP, NOD32, Symantec, F-Secure, etc., I would keep my distance, but this is general security advice, I might suppose........
    Are you running TDS or WG? Klez versions are included in the references, so you would not need such immunisations, unless DCS would produce one themselves.
     
  3. controler

    controler Guest

    Ok here goes. I got e-mail this morning that only contained subject lines. One did contain "Honey".
    I just thought it was a gay spammer.
    I have the latest virus def's and even went to Norton's site to download their BETA virus def's,
    still I find nothing after scanning my system.
    After those e-mails, I got an e-mail from what appears to be a Warez person. This e-mail warned me of the worm and offered his e-mail address to get a cleaning tool.
    Jscomp0550@aol.com

    Am I infected with a new version not yet detected or do you think I am the target of a wise @$$?
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you do online scans at http://housecall.antivirus.com and such places? Might be the new Klez.h variant which was discovered several days ago, or you might be spammed by somebody who is infected himself, many possibilities.
    If you look in the source of the email, does it give any more information?
     
  5. controler

    controler Guest

    Hi

    Did you get my samples?
    This is too weird!!
    I've been clicking on the attachments and everything and don't seem to be able to get infected, at least that is what NOD32, Norton 2002, and TDS say, but yet my e-mails are steaming with the dang bug.
    I am scratching my head HARD

    Over?
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Got 5 of them. I wonder: different senders? Hard to see without the full headers of the originals.
    Did you look in the source? There is more than that one line of chatting with friends via MSN Messenger.
    They all have different file names/extensions.
    Did you get more of them by now, and do you get normal emails as well, or are all looking like this now?
    If you still have TDS installed (why would you uninstall it in the first place?) you can also submit them via the console to them. The best way would be to copy or move those complete emails to another area where you can zip and forward them to the lab.
    But I saw in another thread you had a Symantec reply already with a positive identification for a Klez variant.
     
  7. controler

    controler Guest

    I see the state computers in Minnesota are infected by a friend of mine :(
    When I look at the source, I do see a few IP addys.
    I do a lot of Beta stuff and so I tried TDS but that was it.
    Are you telling me the e-mail I forwarded to you was not infected?
    It appears MSN is removing the original attachment and allowing a download of a file with the same name. Now that is really weird.
    Sp1 was able to get the files.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    No, all of them are infected with Klez.H, says my scanner, so your hotmail account does not strip them off, even though online it had the virus scanner.
    So your friend did "good" work with the infections, bad case.
    Better first do an online scan; did you yourself too?
    And did you ask for the immunisation tool in the meantime? Better send that to the TDS lab first before using it, if you would intend to.
    After all the cleaning it is possible to re-install the virus scanner; on an infected system it's no use.

    Lot of beta testing, eh? Certainly worth a try more on TDS and WG, some functions only work after registering, and there are new rebuilds in the making for beta testing soon.
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Klez.h was first found on Thursday and is spreading quite quickly. It does have similar characteristics to its counterpart Klez.e, and email subject and body in some cases do seem similar, so you would guess they were Klez.e.

    Klez.h is very dangerous and can infect many critical files as well as attempting to destroy antivirus software. TDS has had detection for Klez.e and Klez.h droppers since each was released, however due to the nature of the virus infecting normal files (and a second, polymorphic virus is dropped) you will need antivirus software for removal if these files were executed. There would also be some work in the case of Klez.h due to the critical files it infects.
     
  10. Dan Perez

    Dan Perez Guest

    I recently had occasion to revive a small network devastated by the Klez.H/Elkern combo and have found the free fixklez.com tool from Symantec to be quite useful. If you think you're infected, boot into safe mode and run the utility. If anything is found, reboot into safe mode and keep running the utility until nothing further is found. Reboot normally, reinstall whatever AV product you use, update the definitions, do a full scan (the fixklez tool cannot scan zip archives). Be prepared to reinstall system files (the infected systems I dealt with were Win2K and reapplying SP2 sufficed for them).

    I hope this is helpful to someone as I ended up wasting valuable time last night trying to do repeated scans using a full AV product while the OS was fully up.
     
  11. controler

    controler Guest

    Windows ME: disable recovery first.
     
  12. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    I got a warning about this worm from my local PC Club. I immediately went to Symantec and updated my Norton AV. I then did a full system scan and got a clean bill of health. I hope you do not mind but I posted a link to Wilder's at our website in case the members need help with this problem.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I've seen the firewall and WormGuard in action when I had to access my email via webmail due to some problem with the ISP connection. Klez doesn't show as an attachment, remember, and on webmail there are not all the same alarms as when it enters my system via the inbox.... wahooo! I had to kill the process of pages trying to open and am not sure what they further wanted, disconnected, tested with the tools in every way and mode, scan scan and online scans and more scans... nada! So thank you WormGuard!
     
  14. controler

    controler Guest

    My Sweetheart

    Are you saying you got infected by Klez and only WormGuard was detecting it?
    It wasn't you that got infected, was it?
    I noticed no mail from you :(
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    As explained above:
    emails which enter my system are already disarmed by my own email protective tools and warnings, and even if I still would insist on running it, it is first blocked with the several warnings and protection.
    My ISP doesn't have such protection on their webmail, like most webmail doesn't have.
    As Klez doesn't show an attachment, people easily click on it. Also because in most cases the senders are names from your own address book or a newsgroup.
    If I had been less protected and had had an older, unpatched browser, and had not run a firewall and had not been with WormGuard, I certainly would have been caught there on line.
    Klez tries to update itself via a forced download to the pages it sends you to.
    Of course I have taken the same measures as anybody who touched such an email and might have got infected or not, with all the cleaning and testing and more scanning. All scans on highest sensitivity, so taking many hours each.


    Your emails did not have the full headers, so I could not check if there could be some structure of a central sending (relay) point.
    In one newsgroup for instance I noticed all came via the same sender, who is not on the members list, but pasted to members' names.
    membername <infected@klez.domainname>
    In all cases that klez domain was the same.
    In the full header it showed
    received by me
    via newsgroups system
    via
    via
    sent by membername <member@isp.isp>
    sent by membername <infected@klez.domainname>
    to me
    subject blablabla
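To make the point about reading the full headers concrete, here is an added example (not code from the thread, from DiamondCS or from any of the tools mentioned) that parses a constructed Klez-style message. It walks the Received chain oldest-first, compares the displayed From domain against the relays that actually handled the message, and lists attachments whose final extension is executable, which is what a mail filter like the one described would key on. The hosts, IPs, addresses and the attachment in the sample are made up and the sample is not a real Klez message.

```python
"""Header-first triage of a suspicious e-mail.

Added example, not part of the original thread.  SAMPLE_RAW is a
constructed message: every host, IP and address in it is invented.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From line carries a name lifted from a victim's
# address book, while the Received chain shows where it really came from.
SAMPLE_RAW = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id 123ABC
\tfor <me@recipient.example>; Sun, 21 Apr 2002 09:12:33 +0200
Received: from smtp.klez.example (smtp.klez.example [198.51.100.7])
\tby mail.example-isp.net with SMTP id 456DEF; Sun, 21 Apr 2002 09:12:30 +0200
Received: from PC-VICTIM ([203.0.113.45])
\tby smtp.klez.example; Sun, 21 Apr 2002 09:12:28 +0200
From: membername <member@isp.example>
To: me@recipient.example
Subject: Honey
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

hi
--XYZ
Content-Type: application/octet-stream; name="setup.txt.exe"
Content-Disposition: attachment; filename="setup.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Extensions Windows will execute on double-click; a "double extension"
# such as setup.txt.exe still ends in one of these.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js"}

# "from <helo> (<rdns> [<ip>])" or "from <helo> ([<ip>])" in a Received header
_FROM_RE = re.compile(r"from\s+(\S+)(?:\s*\(([^)]*)\))?", re.IGNORECASE)
_IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_chain(msg):
    """Return relay hops oldest-first as (helo_name, ip) tuples.

    Each MTA prepends its own Received header, so the header list as read
    is newest-first; reversing it walks from the origin to our mailbox."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = _FROM_RE.search(" ".join(hdr.split()))  # unfold the header
        if not m:
            continue
        ip_m = _IP_RE.search(m.group(2) or "")
        hops.append((m.group(1), ip_m.group(1) if ip_m else None))
    return hops


def executable_attachments(msg):
    """Filenames of attachments whose final extension is executable."""
    names = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn and any(fn.lower().endswith(ext) for ext in EXEC_EXTENSIONS):
            names.append(fn)
    return names


def triage(raw):
    """Compare the displayed sender with the relay path and list risky parts."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    hops = received_chain(msg)
    origin_host, origin_ip = hops[0] if hops else (None, None)
    first_relay = hops[1][0] if len(hops) > 1 else None
    # A From: domain that no relay in the chain belongs to is a spoof indicator.
    relay_names = [h.lower() for h, _ in hops if h]
    mismatch = bool(from_domain) and not any(
        r == from_domain or r.endswith("." + from_domain) for r in relay_names)
    return {
        "from_addr": from_addr,
        "from_domain": from_domain,
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "first_relay": first_relay,
        "relay_mismatch": mismatch,
        "exec_attachments": executable_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The relay-mismatch check is only an indicator: legitimate mail sent through a third-party SMTP host trips it too, and the oldest Received line can itself be forged by the sender. What cannot be forged is the chain added by the relays you trust, which is why the thread asks for the full headers rather than the forwarded copy.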
     
  16. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Hmmmmm:
    Seeing that I've been deprived of WormGuard-3 (Windows ME), I think that I should be added to the list (hint! hint! Wayne & Gavin) for beta testing WormGuard-4. :'( Jooske, put in a good word for me! ;)
    Regards
    Tim
    A would-have-been proud WormGuard-3 owner :'(
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    On some ME systems it runs without any problems at all, worth another try if you dare, on others not, but as soon as WG 4 is ready for beta testing, I'm sure ME users will be interesting/interested testers (although there are several already).

    Wayne! Gavin!
    This is a hint on request of Tim!
     
  18. controler

    controler Guest

    I am seeing the bad guys are trying to make a killing on poor helpless people using the new P2P file sharing software.
    I know I am off topic here but, can we use TDS to trace the IP as we download the worm-infected file on a P2P client? This would be good :)
     
  19. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please trial Wormguard, there should be no serious problems, you should just be aware that restoring a backup created by System Restore can cause Wormguard to expire. I personally ran WinMe for some time with no Wormguard problems :)
     
  20. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Well I gave WormGuard a try. My first thought was: "My, what a quiet program. It reminds me of BoClean." What I soon found out (don't forget Windows ME) was that other software started behaving very strangely. The TDS-3 right-click scan disappeared, Dr Web Anti Virus came out with a full screen alert during a reboot with options that required keyboard use. The only problem was that none of the options worked. o_O I had to uninstall Dr Web in safe mode to get the PC working again.
    Now you would think I would have uninstalled WormGuard. Nope :D Next Sygate doesn't show up in the system tray. I click on an option in Sygate; it blocks all traffic while the service is not loaded o_O I had to uninstall Sygate in safe mode to get my PC to run again.
    These are just two of four incidents before Num Skull :p decided it was the WormGuard and Windows ME combination that was causing all the weird stuff :) I uninstalled WormGuard and the PC is working fine. I still can't wait for WormGuard 4 :rolleyes:
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sounds really not nice what happened here..... While there are so many with ME running it with no problems at all..... Very sad. Hope it's soon solved.
    And that you did not lose too much valuable stuff...
    For me.. I'm more than curious for the new version, on my Win98SE the v3 runs fine.
     
  22. Logan5

    Logan5 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    116
    Location:
    Ohio, USA
    Hello,

    Been running Wormguard on my ME system since last summer. No problems at all or any conflicts with TDS-3, NOD32, ZAP or any other program. Can't wait for version 4 of each to come out :)

    Logan
     
  23. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Well I waited three weeks before I posted again. I read Logan5's response and have just about everything he has on Windows ME. I uninstalled the devious DrWeb that I was playing around with and reinstalled WormGuard on the 12th of May and everything has been running smoothly since. I registered WormGuard a week later. I love the way WormGuard silently sits in the background. I have to test it every now and then to see if I accidentally disabled it. So thanks to Logan5 for his post and Jooske for being a great spokesperson for two very fine products everyone should have on their PC. (TDS-3 and WormGuard-3)
    Regards
    Tim :)
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Tim, I'm really very happy you have it running fine now! Looking forward to versions 4 of both, even though I'm very happy with the v3 we are running now.
     