klez worm: take care!

Discussion in 'malware problems & news' started by Paul Wilders, Apr 18, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Klez worm on the loose again
    08:50 Thursday 18th April 2002
    Robert Lemos, CNET News.com  

    An altered version of the worm is able to slip past virus scanners and has infected computers in many countries. It emails itself to other victims and can spread via a LAN
    A new variant of the Klez worm managed to squirm into computers in some parts of Asia on Tuesday and appeared to be spreading in the United States and the UK as of Wednesday.

    Alternately known as Klez.g, Klez.h and Klez.k, depending on the security advisory that's referring to it, the worm has its own email engine to mass mail itself to potential victims, and it also attempts to deactivate some antivirus products. The worm can also spread to shared drives connected to PCs via local area networks or LANs.

    While the email message in which the worm gift-wraps itself is relatively standard, its ability to elude most antivirus products has enabled it to spread fairly widely, said Alex Shipp, an antivirus technologist for UK-based email service provider MessageLabs.

    "The author has changed enough of the bits to get past most virus programs," Shipp said.

    While MessageLabs rates the virus as a low threat, Shipp said the rating is updated periodically, and he expects it to reach a high rating when it does update. The company first detected the malicious attachment late Monday and has seen the spread of the worm gradually increase.

    Different variants of the Klez worm have generally been among the Top 3 antivirus threats since the first version of the worm was released in January. The Klez.e variant, which appeared last February, was particularly voracious, quickly becoming one of the fastest-spreading worms on the Internet.

    Security-software maker Symantec upgraded the latest variant, which it labeled W32.Klez.H, to a threat level of three from a previous rating of two. The company categorises threats on a scale of one, the lowest threat, to five.

    A worm of many subjects
    The worm arrives in an email message with one of 120 possible subject lines. There are 18 different standard subject headings, including "let's be friends", "meeting notice", "some questions", and "honey". On top of those, seven other patterns exist, such as "a x game" and "a x patch", where x can be one of 16 different words, including "new", "WinXP", and the name of any of six major antivirus companies.

    In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on unpatched versions of Outlook.

    The malicious program will find any network storage available on the infected PC and copy itself to the remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension.

    The program will also cull email addresses by searching a host of different file types on the infected PC. Using its own mail program, the worm will send itself off to those email addresses. In addition, it will use the addresses to create a fake "From:" field in the email message, disguising the actual source of the email.

    Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.

    Clues in the code
    The worm also sports a message in its code from the author, who brags that it only took three weeks to create the malicious program.

    The author claims the virus originated in Asia and may have bugs because of how fast he created it.

    MessageLabs' own data points to China as the source of the first emails containing the worm.

    By 1900 GMT on Wednesday, major antivirus vendors had updated their virus definitions to recognise the newest Klez variant. However, in most cases, users will have to initiate an update to download the newest definitions and be protected.


    source: news.zdnet.co.uk

    side note: as far as my info goes, new variants indeed have shown up in the meanwhile. Update your AV as much as possible.
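The indicators the article lists (lure subject lines, executable and double attachment extensions, a forged "From:" line, and reliance on the Outlook MIME auto-execution bug) lend themselves to a simple mail-gateway check. The Python script below is an added example for this thread, not code from the article, the forum or any antivirus vendor. The lure lists are partial because the article quotes only four of the eighteen fixed subjects and three of the sixteen fill-in words, the Return-Path comparison is a general heuristic rather than something the article describes, and both sample messages are constructed.

```python
"""Triage a raw e-mail message for the Klez traits the article describes.

Added example for this thread; not code from the article, the forum or any
vendor. Lure lists are partial and the sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment extensions the article lists for the worm's copies.
RISKY_EXT = {"exe", "pif", "com", "bat", "scr", "rar"}

# The article quotes 4 of the 18 fixed subjects and 3 of the 16 fill-in
# words, so these sets are partial (assumption; extend from a vendor write-up).
FIXED_LURES = {"let's be friends", "meeting notice", "some questions", "honey"}
TEMPLATE_LURE = re.compile(r"^a\s+\S+\s+(game|patch)\s*$", re.IGNORECASE)

# Top-level media types under which an executable attachment has no business appearing.
MEDIA_TYPES = ("audio/", "image/", "video/", "text/")


def attachment_findings(part):
    """Return the indicators found on one MIME attachment part."""
    name = part.get_filename() or ""
    pieces = name.lower().split(".")
    ext = pieces[-1] if len(pieces) > 1 else ""
    findings = []
    if ext in RISKY_EXT:
        findings.append(f"attachment '{name}' has executable extension .{ext}")
        # "report.txt.pif": the real extension hides behind a harmless-looking one.
        if len(pieces) > 2:
            findings.append(f"attachment '{name}' uses a double extension")
        # Executable content declared as audio/image/video/text is exactly what
        # a patched client must refuse to auto-open; flag it at the gateway too.
        ctype = part.get_content_type()
        if ctype.startswith(MEDIA_TYPES):
            findings.append(f"attachment '{name}' is declared as {ctype}")
    return findings


def triage(raw):
    """Parse a raw RFC 822 message (bytes) and return the list of indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in FIXED_LURES or TEMPLATE_LURE.match(subject):
        findings.append(f"subject matches a known lure: '{subject}'")

    # The worm fills From: with a harvested address, so the header sender and
    # the envelope sender (Return-Path) tend to disagree. Heuristic only:
    # mailing lists and forwarders legitimately produce the same mismatch.
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    rp_addr = parseaddr(str(msg.get("Return-Path", "")))[1]
    if from_addr and rp_addr:
        if from_addr.rsplit("@", 1)[-1].lower() != rp_addr.rsplit("@", 1)[-1].lower():
            findings.append(f"From: {from_addr} does not match Return-Path {rp_addr}")

    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part))
    return findings


# Constructed sample messages, not real captures. The attachment body is the
# base64 of the text "not a real program".
SAMPLE_KLEZ_LIKE = b"""Return-Path: <relay@example.org>
From: "A Friend" <friend@example.net>
To: victim@example.com
Subject: a WinXP patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="zz"

--zz
Content-Type: text/plain; charset="us-ascii"

Please run the attached patch.
--zz
Content-Type: audio/x-wav; name="patch.txt.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.txt.pif"

bm90IGEgcmVhbCBwcm9ncmFt
--zz--
"""

SAMPLE_BENIGN = b"""Return-Path: <alice@example.com>
From: alice@example.com
To: bob@example.com
Subject: lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("klez-like", SAMPLE_KLEZ_LIKE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw) or ["no indicators"])
```

Each finding is a heuristic, so a gateway would combine them into a score and still hand the message to an up-to-date virus scanner, as the article's closing advice about updating definitions makes clear; the value of the script is that it catches the message shape before definitions for a new variant exist.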


  2. FanJ

    FanJ Guest

    See also these threads:


  3. root

    root Registered Member

    Feb 19, 2002
    Missouri, USA
    Isn't it just wonderful. I wish the punks would just go back to smashing mail boxes.  :mad:
    I'm about ready to turn BLAZE loose with his bazooka.
  4. thorn

    thorn Registered Member

    Mar 28, 2002
    Mid Hudson Valley US
    You can bet the author of that virus is paid $$big$$, even by local standards. Top party officials of the China Central Committee, PRC, need to have a reason to exist. She will die with her boots on. Well, just speculation of course :)
  5. controler

    controler Guest

    I got a bunch of those e-mails today. They only included a subject line.
    One did have the honey subject line.
    I thought it was a wise guy sending me spam.
    I then got an e-mail from what appears to be a WAREZ dude warning me of the Klez.E and offering a cleaning tool.
    I have Norton AntiVirus 2002 with the latest BETA definitions. First I updated this morn and scanned and found nothing, I then went to Symantec's site and see they offer BETA def's for emergency situations.
    I am guessing I am infected with a variant that Norton isn't catching yet?
  6. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    If you didn't apply the 'fix' (which was the malware in disguise) you didn't get infected with anything.

    Did you, or did you not, accept (open) the attachment, either in the one you thought was spam, or the follow-up email from the 'warez' guy? Pete
  7. controler

    controler Guest

    I was using my Hotmail account and clicked on the mail only to see NO body, only the subject.
    Like I said, I got the e-mails with subjects only, then got the offer from

    for the cleaning tool.
    You tell me.
    Norton is NOT finding anything yet after receiving these e-mails.
    I have run TDS and WormGuard but just reformatted and might have to again :)
    There are two possibilities here.
    1. I am infected with the newest variant
    2. I am the victim of a prankster who probably got my e-mail from one of these sites.
  8. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    If you did not click on any attachments, you're not using OE or O with the Preview Pane enabled and your browser is up-to-date patch-wise, you're not infected. Pete
  9. controler

    controler Guest


    I forwarded you the e-mails so you can be da judge ok?

  10. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    NP. Got them already and NOD32 went off like a firecracker before I could even open the OE screen. (So far I've received six, total - got a sound and a pop-up alert on each).

    All the attachments are infected with klez.

    Anything else? Pete
  11. controler

    controler Guest

    Dang, it has to be a new variant then that Symantec isn't catching :(
    I better redownload TDS or something ;)

    I knew something was fishy

  12. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    They were all identified as Win32/Klez.J worm, if that helps.

    Are you sure your AV program is totally updated? Are you using Live Update? Intelligent Updater or what?

    Virus write-up here: http://www.nod32.com.au/nod32/msgs/klezj.htm  Pete
  13. controler

    controler Guest

    I am using
    1. Norton AV 2002
    2. I downloaded the removal tool and that found nothing
    3. I not only am using the latest released def's BUT am also using the Symantec Beta def's which are for emergencies.
    4. I beta test for Symantec and have for about 6 years. :)
    You should do some investigating since you are finding it. I don't see the J version listed on Symantec's site yet.
    Will TDS find it?
    From what I remember NOD32 is not trialware.
    I will run over to Trendmicro.com and do a quick scan also
    Better yet with all your connections here, Ask somebody else to scan it with their upgraded version of Norton. And make sure their other scanning software is turned off !!!!

  14. controler

    controler Guest

    I will make a quick run over to Trendmicro.com
    and do an online scan and let ya know.
    I am guessing Hotmail is not susceptible unless forwarding.
  15. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    controler -

    (a) NOD32 is trialware.

    (b) TDS won't have a chance to find it since I've already deleted them (sorry, didn't know you wanted me to keep them and play with them! <g> )

    (c) I must be missing something here - one more time. If you didn't click on the attachments, you're not infected, so what exactly are you scanning for?

    Can't you simply right-click on the attachment and have Norton scan it? Or doesn't it identify it, then, either?

    If you have an IM program, now's the time to use it.
  16. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Interesting, version J already, I was still looking for H which was released a few days ago.
    I understand from Spy1 you have infected emails, Controler. I'd suggest you zip such an email including all and send it via the TDS support site to their lab if you like to be sure.
    I always do with the first new finds.

    Did you have the Norton email scan up, btw? As many scanners don't scan deep in emails, as long as they are in the email program, because the email folders are in fact one large file for them. The moment you save them in another location they can be scanned and treated, as far as I understood the explanation long ago.

    WormGuard should recognise the pattern and block the thing from running, TDS can help you with the detection/removal.

    How the other person came to send you the infected email I don't know exactly. Maybe to give you some test materials, but it does not sound very reliable, does it?

    You might like to read this article:
    Telling a lot about the value of scanning and the question if anti-virus/trojan developers would hire virus creators to keep their business running. Of course not, but your case looks like it.
    Fingers crossed very much TDS / WormGuard and/or other scanners keep your system in bright clean condition. (You know by now I love TDS so very much)
    So please do send their lab that zipped thing you have and they can tell you if they have a cure for it immediately.
    Thanks in the name of the whole internet society!
  17. controler

    controler Guest

    ok here is the deal
    if they come in on hotmail they don't show up as attachments.
    Please remember I have beta tested for Symantec for 6 years. That means I do have e-mail scanning enabled and Bloodhound on high.
    What I did was forward the e-mail from Hotmail to my home e-mail (real) just to play.
    Since I just reformatted I don't have all the latest updates to Office 2000, which I understand cover this worm.
    My Norton does not catch it BUT the splash from Outlook Express comes up saying the usual, "Do you want to open or save to disk?" I chose to save to disk. So far I have got two more e-mails from all over. One attachment is named po.scr and the other is named mix
    and shows as a shortcut. RIGHT-clicking with Norton does NOT show anything and going to Trend Micro does not show anything. This is telling me I am not infected but could be if I were to actually open the attachments.
    I still have all the e-mails if anybody is interested.
    I tried to send to Symantec and Trend but they do not have direct links UNLESS you have the file. I could not forward the e-mail to them. Once I get all the mutated files I will try sending them.
  18. controler

    controler Guest

    This is a good one I am getting calls from all my friends saying they are getting mail from all over da world.
    They have Norton also.
    I better get the fix soon.
  19. controler

    controler Guest

    one more reason I may have been sent this worm is because of my ties with Michael Paris?
    I think he would like a sample too :)
    the Knights Templar rides again !!!!!!!!!!
    So where is the Ark of the Covenant o_O  Huh?
  20. controler

    controler Guest

    UPDATE:  NOD32 is not catching this variant
    just tried it with the latest updates.
    Going to try TDS now
  21. controler

    controler Guest

    After scanning with NOD32 and Norton no worm is found
    However after sending in the sample of the worm to Symantec, READ the below results
    I am using a Windows ME machine My friends have updated their virus def's also and find nothing. WASUUP?

    message is an automatically generated reply.  This system is
    to analyze and process virus submissions into the Symantec AntiVirus
    Research Center (SARC) and cannot accept correspondence or inquiries.
    Please contact your Technical Support representative if more detailed
    information about your submission is required.  Do not reply to this

    Below is a status update on your virus submission:

    Date: Sun Apr 21 13:10:40 PDT 2002
    Dear Controler
    We have analyzed your submission.  The following is a report of our
    findings for each file you have submitted:

    filename: C:\WINDOWS\Desktop\New Folder (2)\Size.pif
    machine: CONTROLER
    result: This file is infected with W32.Klez.gen@mm

    The current certified definitions are capable of detecting this virus:
    see the specific infected files for required action.  Please update
    definitions by clicking the "LiveUpdate" button in your NAV program.

    Developer notes:
    C:\WINDOWS\Desktop\New Folder (2)\Size.pif is infected by a
    non-repairable virus or a Trojan Horse.  You should delete this file and replace
    it if neccessary.

    Your submission tracking number is in the subject of this message.

    If you have any questions about your submission,
    please include your submission tracking number in the inquiry.
    Symantec provides free online support at:

    Follow the prompts to access the online Knowledge Bases and
    online Discussion Groups.

    Virus information and definitions are available at:
  22. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi, I see a question kept unanswered:
    yes, you can either zip the whole email with attachment and send it, via web site or browser or email to support@diamondcs.com.au for TDS.
    They can handle it for you.
    In the other thread Gavin explained some of the detection, so if it does not show up it does not say it is not detected yet. Maybe the catcher is ready to jump on it at the right moment, I really don't know those parts.
    Anyway, there are lots of recommendations for cleaning/fixing, at KAV/AVP, TrendMicro, Symantec, F-Secure, you name them.....
    Did you beta test the files and fixes on infections or the scanner software itself?
  23. Time Out

    Time Out Guest

    Thought I would share a link with you all since we are following your thread. Thanks for being here. :)

    MyRealBox catches Klez

  24. Time Out

    Time Out Guest

  25. controler

    controler Guest

    Here I will try to explain why a person can scan their system and NOT find anything wrong but, after submitting a file to Symantec, get a response back
    telling you your file was infected.

    There are actually three virus definition updates.
    There used to be two. You had your regular home user LiveUpdate, which is posted once a week (Wed.).
    Then you had your more advanced update which you got from Symantec's FTP site and which were BETA.
    Now you have the same LiveUpdate, you have the Intelligent Updater, which are manual updates and even though these are mentioned as STILL BETA, Symantec
    is saying they are MORE tested LOL
    Then last are the BETA virus definitions which are NOT tested at all and are labeled as for emergencies and of course NOT recommended for the normal home user ;)
    The BETA definitions are also posted once a day.
    There you have it.
    I hope I have helped explain things and not confused the situation even more.