Fun With Klez and Elkern!

Discussion in 'malware problems & news' started by JimIT, May 22, 2003.

Thread Status:
Not open for further replies.
  1. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Background:

    11 am. User brings HP Celeron 700 with 128 MB RAM, 40 gig HD and Windows ME. Complains about computer being slow and unresponsive.

    Flip it on. It is very slow and unresponsive. HD is working OT, as well. Annoying MS "Wild Creatures" desktop theme is deactivated as first order of business.

    Quick perusal of c drive and Add/Remove Programs shows Gain folder, and McAfee remnants from an incomplete uninstall. That's enough for me. Copy contents of fresh F-Prot for DOS to folder in root directory. Reboot with w98 boot disk and run F-Prot from command line. Scan takes 1 hour and 10 minutes and finds 52 infected files, four or five of which are Elkern, and the rest Klez. F-Prot deletes or disinfects all but three.

    12:40--Reboot using Avast! BART cd. BART finds original 52, plus an "unknown" script virus in an html page. Doh! Have not disabled the "file recovery" feature in ME. Make this change and reboot. Run Norton's "fixklez" tool. Clean scan. Run F-Prot for DOS. Clean scan.

    2 pm--Throw machine on network and check for Windows/IE updates. Needs 'em all. Patch everything and download Avast! 4 Home. Reboot. Avast! finds nothing suspicious running in memory. Hit internet and d/l Spybot. Finds 270 pieces of crud, including lop, gator, etc. Delete 'em all. Also dump contents of IE temp files and entire cookie folder. Enable all the "immunize" features of Spybot and reboot.

    4:15 pm--Machine is running like a dream. Re-scan w/Avast!. Clean scan. User is elated. World is safe again. ;)
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi JimIT,

    well, great job! But I have a question: Wouldn't it be faster reinstalling Windows ME? It took you 5h of work!! O.K., the customer has to pay that... ;) LOL (Just kidding!)

    Best regards,

    Patrice
     
  3. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    :D

    But then it wouldn't be as fun!
    :D :D
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    :D :D :D

    Got your point!!

    LOL :D LOL :D LOL :D
     
  5. controler

    controler Guest

    I agree, somebody must have been bored :D
     
  6. <SIGH> It's people like me who gotta watch out for people like you! ;)

    Did the customer use McAfee? Did he update the defs? Does he know how? LOL... Or are you saying McAfee was ineffective? :p
     
  7. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Yeah, we're the weird ones. ;)
    1. Yes.
    2. No. No def updates after (at minimum) mid 2001. The version of Klez he contracted probably blew up McAfee, which resulted in the fragments I found.
    3. A better question would probably be "Did he care?" ;)
    4. Impossible to tell without updated defs, isn't it? :D Like having no AV at all! :doubt:
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Straight Shooter,

    Not all people are as BAD as JimIT! ;) LOL :D :D

    Greetz!

    Patrice
     