klez worm: take care!

See also these threads:

http://www.security-pro.co.uk/yabb/YaBB.pl?board=virusesworms;action=display;num=1019058303

http://www.security-pro.co.uk/yabb/YaBB.pl?board=virusesworms;action=display;num=1019058883

 

Isn't it just wonderful. I wish the punks would just go back to smashing mail boxes.  
I'm about ready to turn BLAZE loose with his bazooka.

 

you can bet the author of that virus is paid $$big$$, even by local standards. top party officials of China Central Committee, PRC. need to have a reason to exist. she will die with her boots on. well, just speculation of course

 

I got a bunch of those e-mails today. They only included a subject line.
One did have the honey subject line.
I thought it was a wise guiy sending me spam.
I thn got an e-mail from  what appears to be a WAREZ dude warning me of the Klez.E and offering a cleaning tool.
I have Norton antivirus 2002 with the latest BETA definitions. First I updated this morn and scanned and found nothing, I then went to Symantec's site and see they offer BETA def's for emergency situations.
I am guessing I am infected with a varient that Norton isn't catching yet?

 

If you didn't apply the 'fix' (which was the malware in diguise) you didn't get infected with anything.

Did you, or did you not, accept (open) the attachment, either in the one you thought was spam, or the follow up email from the 'waez' guy? Pete

 

I was using my hotmail acount and clicked on the mail  only to see NO body only the subject
Like I said. I got the e-mails with subjects only , then got the Offer from
Jscomp0550@aol.com

for the cleaning tool.
You tell me.
Norton is NOT finding anything yet after receiving these e-mails.
I have run TDS and worm gaurd but just reformated and might have to again
There is two possabilities here.
1. I am infected with the newest vaient
2. Am the victom of a prankster whom probly got my e-mail from one of these sites.

 

If you did not click on any attachments, you're not using OE or O with the Preview Pane enabled and your browser is up-to-date patch-wise, you're not infected. Pete

 

Spy1

I forwarded you the e-mails so you can be da judge ok?

Over?

 

NP. Got them already and NOD32 went off like a firecracker before I could even open the OE screen. (So far I've received six, total - got a sound and a pop-up alert on each).

All the attachments are infected with klez.

Anything else? Pete

 

Dang it has to be a new varient then that symantech isn't catching
I better redownload TDS or something

I knew something was fishy

Thanks

 

They were all identified as Win32/Klez.J worm, if that helps.

Are you sure your AV program is totally updated? Are you using Live Update? Intelligent Updater or what?

Virus write-up here: http://www.nod32.com.au/nod32/msgs/klezj.htm  Pete

 

Im am using
1. Norton AV 2002
2. I downloaded the removal tool and that found nothing
3. I not only am using the latest released def's BUT am also using the Symantec Beta def's which are for emergencies.
4. I beta test for Symantec and have for about 6 years.
You should do some investigating since you are finding it. I don't see the J version listed on Symantec's site yet.
Will TDS find it?
From what I remember NOD32 is not a trialwear.
I will run over to Trendmicro.com and do a quick scan also
Better yet with all your connections here, Ask somebody else to scan it with their upgraded version of Norton. And make sure their other scanning software is turned off !!!!

Over?

 

I will make a quick run over to Trendmicro.com
and do an online scan and let ya know.
I am guessing Hotmail is not suceptable unless forwarding.
Over?

 

controler -

(a) NOD32 is trialware.

(b) TDS won't have a chance to find it since I've already deleted them (sorry, didn't know you wanted me to keep them and play with them! <g> )

(c) I must be missing something here - one more time. If you didn't click on the attachments, you're not infected, so what exactly are you scanning for?

Can't you simply right-click on the attachment and have Norton scan it? Or doesn't it identify it, then, either?

If you have an IM program, now's the time to use it.
Pete

 

Interesting, version J already, i was still looking for H whic was released a few days ago.
I understand from Spy1 you have infected emails Controler. I'd suggest you zip such an email including all and send it via the TDS support site to their lab if you like to be sure.
I always do with the first new finds.

Did you have the Norton email scan up, btw? As many scanners don't scan deep in emails, as long they are in the email program, because the email folders are in fact one large file for them. The moment you save them in another location the can be scanned and threated, as far as i understood the explanation long ago.

WormGuard should recognise the pattern and block the thing from running, TDS can help you with the detection/removal.

How the other person went to send you the infected email i don't know exactly. Maybe to give you some test materials, but it does not sound very reliable, does it?

You might like to read this article:
http://online.securityfocus.com/infocus/1562
Telling a lot about the value of scanning and the question if anti-virus/trojan developers would hire virus creators to keep their business running. Of course not, but your case looks like it.
Fingers crossed very much TDS / WormGuard and/or other scanners keep your system in bright clean condition. (You know by now i love TDS so very much)
So please do send their lab that zipped thing you have and they can tell you if they have a cure for it immediately.
Thanks in name of the whole internet society!

 

ok here is the deal
if they come in on hotmail they don't show up as attachments.
Please remember I have beta tested for symantec for 6 years. That means I do have e-mail scanning enable and bloodhound on high.
What I did was forwarded the e-mail from hotmail to my home e-mail. (real) just to play.
Since I just reformated I don't have all the latest updates to office 2000, which I understand cover this worm.
My Norton does not catch BUT the splash from outlook express comes up saying the usual, " do you want to open or save to dick? I chose to save to disk, So far I have got two more e-mails from all over. One attachment is named po.scr and the other is named mix
and shows as a shortcut, RIGHT clicking with Norton does NOT show anything and going to trendmicro does not show anything. This is telling me I am not infected but could be if I were to actualy open the attachments.
I still have all the e-mails if anybody is interested.
I tried to send to Symantec and Trend but they do not have direct links UNLESS you have the file. I could not forward the e-mail to them. Once I get all the mutated files I will try sending them .
WILL TDS ALLOW FORWARDED MAIL?
Over?

 

This is a good one I am getting calls from all my friends saying they are getting mail from all over da world.
They have Norton also.
I better get the fix soon.

 

one more reason I may have been sent this worm is because of my ties with Michael Paris?
I think he would like a sample too
the Knights Templer rides again !!!!!!!!!!
So where is the Arc of the Covenent  Huh?

 

UDATE:  NOD32 is not catching this varient
just tried it with the latest updates.
Going to try TDS now

 

After scanning with NOD32 and Norton no worm is found
However after sending in the sample of the worm to Symantec, READ the below results
I am using a Windows ME machine My friends have updated their virus def's also and find nothing. WASUUP?

message is an automatically generated reply.  This system is
designed
to analyze and process virus submissions into the Symantec AntiVirus
Research Center (SARC) and cannot accept correspondence or inquiries.
Please contact your Technical Support representative if more detailed
information about your submission is required.  Do not reply to this
message.

Below is a status update on your virus submission:

Date: Sun Apr 21 13:10:40 PDT 2002
Controler
Dear Controler
We have analyzed your submission.  The following is a report of our
findings for each file you have submitted:

filename: C:\WINDOWS\Desktop\New Folder (2)\Size.pif
machine: CONTROLER
result: This file is infected with W32.Klez.gen@mm

The current certified definitions are capable of detecting this virus:
see the specific infected files for required action.  Please update
your
definitions by clicking the "LiveUpdate" button in your NAV program.

Developer notes:
C:\WINDOWS\Desktop\New Folder (2)\Size.pif is infected by a
non-repairable virus or a Trojan Horse.  You should delete this file and replace
it if neccessary.


Your submission tracking number is in the subject of this message.

If you have any questions about your submission,
please include your submission tracking number in the inquiry.
Symantec provides free online support at:
http://www.symantec.com/techsupp/

Follow the prompts to access the online Knowledge Bases and
online Discussion Groups.

Virus information and definitions are available at:
http://securityresponse.symantec.com/

 

Hi i see a question kept unanswered:
yes, you can either zip the whole email with attachment and send it, via web site or browser or email to support@diamondcs.com.au for TDS.
They can handle it for you.
In the other thread Gavin explained some of the detection, so if it does not show up it does not say it is not detected yet. Maybe the catcher is ready to jump on it the right moment, i really don't know those parts.
Anyway, there are lots of recommendations for cleaning/fixing, at KAV/AVP, TrendMicron, Symantec, F-Secure, you name them.....
Did you beta test the files and fixes on infections or the scanner software itself?

 

Thougth I would share a link with you all since we are following your thread. Thanks for being here.


MyRealBox catches Klez


http://www.dslreports.com/forum/remark,3103878~root=security,1~mode=flat

 

www.dslreports.com/forum/remark,3095445~root=security,1~mode=flat

And thanks for all your hard work controler.

edit: added url tags - forum admin

 

here I will try to explain why a person can scan their system and NOT find anything wrong but after submitting a file to Symantec, you get a responce back
telling you your file was infected.

There are actualy three virus definition updates.
There used to be two. You had your regular home user Liveupdate, which are posted once a week(wed.)
Then you had your more advanced update which you got from Symanyec's FTP site and were BETA.
Now you have the same liveupdate, you have the intelligent update, which are manual updates and even though these are mentioned as STILL BETA, Symantec
is saying they are MORE tested LOL
Then last is the BETA virus definitions which are NOT tested at all and are labled as for emergencies and of course, NOT recommended for the normal home user
The BETA definitions are also posted once a day.
There you have it.
I hope I have helped explain things and not confused the situation even more.