Question
Virus Alert! New Klez worm attacks anti-virus programs!
Answer

This question was answered on April 17, 2002. Much of the information contained herein may have changed since posting.

A new variation of the Klez worm is in wide distribution. The worm has its own e-mail engine for mass-mailing itself to others and has modified code that lets it get past and disable many popular anti-virus programs. In addition, because it can also spread to shared drives on local area networks (LANs), an entire corporate network can become infected by a single computer on the LAN.

WHAT IT DOES...

The worm arrives in an e-mail message with an attachment that, in many cases, doesn't need the recipient to open it in order to run. Instead, it takes advantage of a year-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on unpatched versions of Outlook. (Make sure you have the latest security patches for your Microsoft products by going to the 'Product Updates' link at http://windowsupdate.microsoft.com.)

Once activated, the worm will find any network storage available on the infected computer and copy itself to any remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. The worm will also gather e-mail addresses by searching a host of different file types on the infected system and, using its own e-mail engine, will send itself to those addresses. In addition, it will use the addresses to create a fake "From:" field in the e-mail message, disguising the actual source of the e-mail. Finally, the worm attempts to disable anti-virus software by deleting registry keys, stopping running processes and removing virus-definition files.

WHAT TO WATCH FOR:

The worm arrives in an e-mail message with one of 120 possible subject lines and a completely random message body.
According to the Symantec AntiVirus Research Center (SARC.com), the subject line can be one of the following:

Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures

**** The random word will be one of the following: new, funny, nice, humour, excite, good, powful, WinXP, IE 6.0, W32.Elkern, W32.Klez.E, Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky

In order to be protected from this new strain of Klez, you must update your anti-virus program's definition file with a date of 04/17/02 or later.

WHAT TO DO IF YOU CONTRACT THIS WORM

If this worm is activated on your system, in most cases you will not be able to start your anti-virus program. Once this worm has executed, it can be difficult and time-consuming to remove. The procedure that you must use to do this varies with the operating system. You can get step-by-step instructions from the SARC website at: http://www.sarc.com/avcenter/venc/data/w32.klez.h@mm.html#removalinstructions
Author

Posted by Ken of Data Doctors on April 17, 2002
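As an added, defender-side example that is not part of Data Doctors' answer or of Symantec's write-up, the Python mail filter below turns the subject-line templates and random-word pool quoted in the answer into one anchored regular expression and also flags attachments carrying the extensions the answer says the worm uses for the copies it drops. The sample messages, the function names and the result layout are this example's own constructions; a real gateway would run the same checks over each incoming message.

```python
"""Gateway-style triage for the Klez subject lines and attachment types
described in the answer above. Constructed example, not Data Doctors' or
Symantec's code; names and sample messages are this example's own."""
import os
import re
from email import message_from_string
from email.message import Message

# Subject templates quoted in the answer; "{w}" stands for one random word.
SUBJECT_TEMPLATES = [
    'Undeliverable mail--"{w}"',
    'Returned mail--"{w}"',
    "a {w} {w} game",
    "a {w} {w} tool",
    "a {w} {w} website",
    "a {w} {w} patch",
    "{w} removal tools",
]

# Fixed subject lines quoted in the answer.
FIXED_SUBJECTS = [
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl VS playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
]

# Random-word pool quoted in the answer ("powful" is the worm's own spelling).
RANDOM_WORDS = [
    "new", "funny", "nice", "humour", "excite", "good", "powful", "WinXP",
    "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee", "F-Secure",
    "Sophos", "Trendmicro", "Kaspersky",
]

# Extensions the answer lists for the files the worm drops on shares.
DROPPED_EXTENSIONS = {".exe", ".pif", ".com", ".bat", ".scr", ".rar"}


def build_subject_regex():
    """Expand every template with the word pool into one case-insensitive
    pattern anchored to the whole subject, plus the fixed subjects."""
    alternation = "(?:" + "|".join(re.escape(w) for w in RANDOM_WORDS) + ")"
    placeholder = re.escape("{w}")  # escaped the same way as the templates
    parts = [re.escape(t).replace(placeholder, alternation) for t in SUBJECT_TEMPLATES]
    parts += [re.escape(s) for s in FIXED_SUBJECTS]
    return re.compile(r"^\s*(?:" + "|".join(parts) + r")\s*$", re.IGNORECASE)


SUBJECT_RE = build_subject_regex()


def subject_matches(subject: str) -> bool:
    """True when the subject is one of the generated Klez subject lines."""
    return SUBJECT_RE.match(subject or "") is not None


def risky_attachments(msg: Message) -> list:
    """Names of attachments whose extension is in the dropped-file set."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in DROPPED_EXTENSIONS:
            names.append(name)
    return names


def classify(raw_message: str) -> dict:
    """Return a verdict with the reasons; the From: header is reported but
    deliberately not trusted, because the answer notes the worm forges it."""
    msg = message_from_string(raw_message)
    reasons = []
    if subject_matches(msg.get("Subject", "")):
        reasons.append("subject matches a Klez subject-line template")
    attachments = risky_attachments(msg)
    if attachments:
        reasons.append("attachment with worm-style extension: " + ", ".join(attachments))
    return {
        "suspicious": bool(reasons),
        "reasons": reasons,
        "attachments": attachments,
        "claimed_sender": msg.get("From", ""),  # spoofed by the worm; do not act on it
    }


# Constructed sample messages (not real captures).
SAMPLE_SUSPICIOUS = """\
From: alice@example.com
To: bob@example.com
Subject: a new funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream; name="fun.pif"
Content-Disposition: attachment; filename="fun.pif"

AAAA
--b1--
"""

SAMPLE_CLEAN = """\
From: carol@example.com
To: bob@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_SUSPICIOUS, SAMPLE_CLEAN):
        print(classify(raw))
```

Because the answer states that the worm forges the "From:" field from harvested addresses, the verdict above never uses the sender, and a bounce or blocklist keyed on that address would hit an uninvolved third party; quarantine on the subject and attachment evidence instead.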