OOPS!! Sorry about the VIRUS.

by apostate man 6 Replies latest jw friends

  • apostate man

    I am posting this in "FRIENDS" so that more of you will see it.

    I have emailed many of you in the past and yesterday my wife opened a virus on my P.C. and it sent itself to everyone I have ever emailed from this computer. I finally got rid of the virus and am posting some information on it to get rid of it from MCAFEE. Sorry if this caused any of you any problems.

    http://vil.mcafee.com/dispVirus.asp?virus_k=99455

    Virus Profile

    Virus Name: W32/Klez.h@MM
    Risk Assessment: Medium


    Virus Information:
    Date Discovered: 4/17/2002
    Date Added: 4/17/2002
    Origin: Unknown
    Length: approx 90kB
    Type: Internet Worm
    SubType: Win32
    DAT Required: 4182

    Virus Characteristics:

    --- Update 4/30/2002 ---
    This virus remains at a Medium Risk overall; however, AVERT is still seeing many infections reported from Home Users and is informing Home Users that they are STILL at a HIGHER likelihood of infection than corporate users.
    HOME USERS SHOULD UPDATE THEIR DATS AS SOON AS POSSIBLE TO PREVENT INFECTION

    --- Update 4/18/2002 ---
    AVERT has raised the risk assessment of this threat to Medium after seeing an increase in prevalence over the past 24 hours. Home users are at a greater risk of infection, as they tend to update their DATs less frequently than corporations. As such, the risk of becoming infected in a corporate environment is lower.

    This latest W32/Klez variant is already detected as W32/Klez.gen@MM by McAfee products using the 4182 DATs (23 January 2002) or greater.

    W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

    W32/Klez.h@MM makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
    The worm has the ability to spoof the From: field (often set to an address found on the victim machine).
    The worm attempts to unload several processes (antivirus programs) from memory, including those containing the following strings:
    _AVP32
    _AVPCC
    NOD32
    NPSSVC
    NRESQ32
    NSCHED32
    NSCHEDNT
    NSPLUGIN
    NAV
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    _AVPM
    ALERTSVC
    AMON
    AVP32
    AVPCC
    AVPM
    N32SCANW
    NAVWNT
    ANTIVIR
    AVPUPD
    AVGCTRL
    AVWIN95
    SCAN32
    VSHWIN32
    F-STOPW
    F-PROT95
    ACKWIN32
    VETTRAY
    VET95
    SWEEP95
    PCCWIN98
    IOMON98
    AVPTC
    AVE32
    AVCONSOL
    FP-WIN
    DVP95
    F-AGNT95
    CLAW95
    NVC95
    SCAN
    VIRUS
    LOCKDOWN2000
    Norton
    Mcafee
    Antivir
    The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
    350.bak.scr
    bootlog.jpg
    user.xls.exe

    The worm may also copy itself into RAR archives, for example:
    HREF.mpeg.rar
    HREF.txt.rar
    lmbtt.pas.rar

    The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

    Subject: A very funny website
    or Subject: 1996 Microsoft Corporation
    or Subject: Hello,honey
    or Subject: Initing esdi
    or Subject: Editor of PC Magazine.
    or Subject: Some questions
    or Subject: Telephone number

    The file attachment name is again generated randomly, and ends with a .exe, .scr, .pif, or .bat extension, for example:
    ALIGN.pif
    User.bat
    line.bat

    Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in infection of the victim machine.

    W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.

    Subject: Worm Klez.E Immunity
    Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

    The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:

    .txt
    .htm
    .html
    .wab
    .asp
    .doc
    .rtf
    .xls
    .jpg
    .cpp
    .c
    .pas
    .mpg
    .mpeg
    .bak
    .mp3
    .pdf
    This payload can result in confidential information being sent to others.


    Indications Of Infection:

    Randomly/oddly named files on network shares, as described above.
    Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Method Of Infection:

    This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, exploits a Microsoft vulnerability, spreads via network shares, infects executables on the local system, and drops an additional file infecting virus, W95/Elkern.cav.c.


    Removal Instructions:

    Use current engine and DAT files for detection.
    Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished. The following steps will circumvent this action and allow for proper VirusScan scanning/removal, by using the command-line scanner.

    Ensure that you are using the minimum DAT specified or higher.
    Close all running applications
    Disconnect the system from the network
    Click START | RUN, type command and hit ENTER
    Change to the VirusScan engine directory:
    Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
    WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\40F809~1.xx and hit ENTER
    Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
    First, scan the system directory
    Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
    WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
    Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
    Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
    After scanning and removal is complete, reboot the system
    Apply Internet Explorer patch if necessary.

    Additional Windows ME/XP removal considerations


    Aliases:

    W32/Klez.G@mm (Norman), W32/Klez.gen@MM, W32/Klez.I (Panda), W32/Klez.K-mm, WORM_KLEZ.G (Trend)

    Break the chains that bind you,
    unless, of course, you're into that sort of thing.
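The McAfee write-up quoted above describes the lure: a randomly named attachment ending in .exe, .scr, .pif or .bat, sometimes with a double extension, delivered under a MIME header that a vulnerable Internet Explorer rendering engine would execute on preview. The script below is an added example, not part of the original post or of McAfee's advisory; it shows how a mail filter could flag such messages by checking attachment extensions and comparing the declared content type against the filename. The sample message is constructed for this example, and the subject pool is the one quoted in the advisory.

```python
import email
from email import policy

# Attachment extensions the McAfee advisory lists for the worm's attachment.
EXEC_EXT = (".exe", ".scr", ".pif", ".bat")

# Subject strings quoted in the advisory (the worm picks from a larger pool).
KNOWN_SUBJECTS = {
    "A very funny website", "1996 Microsoft Corporation", "Hello,honey",
    "Initing esdi", "Editor of PC Magazine.", "Some questions",
    "Telephone number", "Worm Klez.E Immunity",
}

# Constructed sample message (not a real capture): an executable attachment
# declared with an audio content type (the header/extension mismatch the IE MIME
# bug made dangerous), a double-extension executable, and a harmless text file.
SAMPLE_MESSAGE = b"""From: "Someone" <someone@example.com>
To: victim@example.com
Subject: Some questions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

see attached
--bnd
Content-Type: audio/x-wav; name="ALIGN.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="ALIGN.pif"

bm90IGEgcmVhbCBiaW5hcnk=
--bnd
Content-Type: application/octet-stream; name="user.xls.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="user.xls.exe"

bm90IGEgcmVhbCBiaW5hcnk=
--bnd
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just notes
--bnd--
"""


def attachment_findings(part):
    """Return the reasons an attachment part looks like a mass-mailer lure (empty if none)."""
    name = part.get_filename() or ""
    ctype = part.get_content_type()
    reasons = []
    if name.lower().endswith(EXEC_EXT):
        reasons.append("executable extension")
        if name.count(".") >= 2:
            reasons.append("double extension")
        # A Windows executable declared as audio, image or text is the mismatch
        # that let a vulnerable mail client run the attachment on preview.
        if not ctype.startswith("application/"):
            reasons.append("declared type %s does not match extension" % ctype)
    return reasons


def scan_message(raw):
    """Return (subject_in_known_pool, [(filename, reasons), ...]) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_known = str(msg["Subject"] or "").strip() in KNOWN_SUBJECTS
    findings = []
    for part in msg.iter_attachments():
        reasons = attachment_findings(part)
        if reasons:
            findings.append((part.get_filename() or "", reasons))
    return subject_known, findings


if __name__ == "__main__":
    known, hits = scan_message(SAMPLE_MESSAGE)
    print("subject in known pool:", known)
    for name, reasons in hits:
        print(name, "->", "; ".join(reasons))
```

The subject match is only a weak signal on its own, since the pool is large and partly built from strings found on the infected machine; the executable-extension and type-mismatch checks are the ones worth blocking on.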
  • apostate man

    BTW, I got rid of it by using my "restore" option on Windows ME, I went back in time a week and restored my PC to that date, all seems OK now.

    Break the chains that bind you,
    unless, of course, you're into that sort of thing.
  • Cassiline

    Apostate Man,
    please tell me how to go back a week? I would rather do that than a manual removal and patches.
    Thanks....

    Also it doesn't matter who you e-mailed, it's everyone in everyone's address book it attached to. I received it from someone I have never corresponded with before, thinking that they wished to ask me questions, a nice person on this board, so I did not think twice about opening it.

    WORM_KLEZ.H

    Risk rating:
    Virus type: Worm
    Destructive: Yes

    Aliases:
    W32/Klez-G, I-Worm.Klez.h, I-Worm.W32/Klez.gen@MM, W32.Klez.H@mm

    Description:
    This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP to propagate via email. The subject line of the email it arrives with is randomly selected from a list of possible choices. See Tech Details for more information.

    Upon execution, it drops files and creates an entry in the AutoRun key of the system registry and then infects EXE files. It encrypts (compresses) its target files and then modifies the file extension of these with a random name. It also sets the attributes of its encrypted files to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file.

    This worm makes sure that its filesize is the same as that of the infected file. To do this, it pads garbage data at the end of the infected file. It does not perform its Antivirus Retaliation routine on machines running Windows NT 4.0 or lower. Windows NT 4.0 or lower do not have system functions or the Application Program Interface (API) that this worm uses to kill antivirus-related processes.

    Solution:
    Automatic Removal Instructions

    Please download and run the fix tool.
    Trend Micro requests that all users download and read the readme text before using this tool.
    Manual Removal Instructions

    For Windows 95 systems:
    Restart your computer.
    Press the F8 key when you see the message, "Starting Windows 95."
    For Windows 98/Me systems:
    Restart your computer.
    Press the Ctrl key until your Windows 98 startup menu appears.
    Choose the Safe Mode option then hit the Enter key.
    For Windows XP systems:
    Restart your computer.
    When prompted, press the F8 key. If Windows XP Professional starts without the “Press select operating system to start” menu, restart your computer.
    Press F8 again after the Power-On Self Test is done.
    Choose the Safe Mode option from the Windows Advanced Options Menu.
    For Windows 2000 systems:
    Restart your computer.
    Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
    Choose the Safe Mode option from the Windows 2000 Advanced Options Menu.
    Scan your system with Trend Micro antivirus and write down the filenames of all files detected as WORM_KLEZ.H. These infected files may be WINK*.EXE files. * is a random number of characters.
    Click Start>Run, type Regedit then hit the Enter key.
    In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows
    >CurrentVersion>Run
    In the right panel, look for and then delete these registry values. * is any random characters:
    "Wink*" = "%System%\Wink*.exe"
    "WQK" = "%System%\Wqk.exe"
    In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
    Under the Services key, look for and then delete this subkey:
    Wink*
    Close the Registry Editor.
    Restart the system.
    Scan your system with Trend Micro antivirus and delete all files detected as WORM_KLEZ.H. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
    Since this worm uses a vulnerability in HTTP-based email clients like Microsoft Outlook and Outlook Express, please apply the latest patches as follows:
    Update to Internet Explorer 5.01 SP2
    Update to IE 5.5 SP2
    Update to IE 6.0
    Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

    Edited to add removal information for those who have PcCillin

    C

    When the pain of being where we are, becomes greater than our fear of letting go...we will risk and heal and grow.
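Both advisories quoted in this thread give the same host-side indicator: a Wink* value (and, per Trend Micro, a WQK value) under the Run key, and a Wink* subkey under Services. The script below is an added example, not part of either vendor's write-up or of this post; it parses a registry export in .reg format and reports those entries, so a saved export from a suspect machine can be checked offline. The export text is constructed for the example and uses a made-up Wink8f3 name.

```python
import re

# Constructed sample .reg export (not from a real machine). Backslashes are doubled
# inside string data, as regedit writes them.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Wink8f3"="C:\\WINDOWS\\SYSTEM\\Wink8f3.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"DisplayName"="Event Log"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wink8f3]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\Wink8f3.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Value names the advisories tie to the worm under Run: Wink* and WQK.
RUN_VALUE_PATTERN = re.compile(r"^(wink.*|wqk)$", re.IGNORECASE)
# Subkey name the Trend Micro steps tie to the worm under Services: Wink*.
SERVICE_NAME_PATTERN = re.compile(r"^wink", re.IGNORECASE)

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                # Undo regedit's backslash doubling in the data.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_run_indicators(reg_text):
    """Return sorted (value_name, data) pairs under Run whose name matches Wink*/WQK."""
    keys = parse_reg_export(reg_text)
    hits = []
    for path, values in keys.items():
        if path.lower() == RUN_KEY.lower():
            hits.extend((n, d) for n, d in values.items() if RUN_VALUE_PATTERN.match(n))
    return sorted(hits)


def find_service_indicators(reg_text):
    """Return sorted names of immediate Services subkeys that match Wink*."""
    prefix = SERVICES_KEY.lower() + "\\"
    hits = []
    for path in parse_reg_export(reg_text):
        if path.lower().startswith(prefix):
            sub = path[len(prefix):]
            if "\\" not in sub and SERVICE_NAME_PATTERN.match(sub):
                hits.append(sub)
    return sorted(hits)


if __name__ == "__main__":
    for name, data in find_run_indicators(SAMPLE_REG_EXPORT):
        print("Run value:", name, "=", data)
    for name in find_service_indicators(SAMPLE_REG_EXPORT):
        print("Services subkey:", name)
```

The Run-key check is the one the McAfee text calls out as an indication of infection; the Services check covers the extra subkey in the Trend Micro manual removal steps. Neither replaces a scan with current definitions, since the worm also infects executables on disk.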

  • Mulan

    I got it two weeks ago, but not from you. I do a lot of business with Japanese customers, and got an email from a person I thought was one of the Japanese. I foolishly opened the attachment, and couldn't read it, so sent it to another customer to interpret for me. She replied that it was a virus, and her computer alerted her to it in time. I got rid of it also, by doing the restore option on my Windows ME. The virus wouldn't let me run the virus program, and I got error messages about how it couldn't be installed and there were missing files to run it.

    It works fine now though. I had to email all my address book to warn them and had one irate customer too.

    Marilyn (aka Mulan)
    "No one can take advantage of you, without your permission." Ann Landers

  • apostate man

    My Anti-Virus software was mush when I had the Virus.

    I'm not sure about other OS's, but here is how to back up to a previous restore point in Windows ME. Make sure to close all open windows beforehand. Also, just highlighting the email in your inbox CAN OPEN THE VIRUS. So be careful.

    Start
    Programs
    Accessories
    System tools
    System Restore

    Break the chains that bind you,
    unless, of course, you're into that sort of thing.
  • Solace

    Hi Guys,
    I've been off for a bit getting this bug out of our system.
    We had it, it had already infected over 80 of our files. Mostly temp ones so we just deleted them. My family and friends in my address book were getting e-mails from this virus trying to spread itself.
    So creepy. My mother-in-law asked me if I sent her an email saying "New website". She said she didn't open it. I was like, What the crap! I never e-mailed them. The really weird one was the one to my daughter. It grabbed her e-mail address and used my mother-in-law's address as the return; its subject was "Honey". Too weird. Coincidence, but it does seem like this thing has a brain.
    We also installed an anti-virus program over the internet. We pay a few bucks a year but it's automatically updated and we can do virus scans whenever we to. I know there are some free ones too but we thought this one was good. I also deleted my address book.
    It's been quite a learning experience.
    Mike, it wasn't your fault. Don't feel bad.
    The only reason you got it was probably because you were in someone's address book whose computer was infected. The virus spreads itself randomly by e-mailing itself to everyone in the infected computer's address book. Feisty little bugger!!!

  • Joyzabel

    We just got done reformatting our computer due to a virus that we got. Must be going around! It made the antivirus system mush, too.

    Just remember to back up all the time and get the latest antivirus update!

    Hey ApostateMan, don't take the credit for everyone getting the virus from you!

    hugs,
    j2bf
