GILBREATH-L Archives


From: "Joyce Reece" <>
Subject: [{Gilbreath}] Virus Alert from list Admin
Date: Thu, 18 Apr 2002 21:37:34 -0400


Please update your program asap and, as always, if you have questions please
send them to


> Name:
> ----------------
> W32/Klez.h@MM
>
> Characteristics:
> ----------------
> --- Update 4/18/2002 ---
> AVERT has raised the risk assessment of this threat to Medium after seeing
> an increase in prevalence over the past 24 hours. Home users are at a
> greater risk of infection as they tend to update their DATs less
> frequently than corporations. As such, the risk of becoming infected in a
> corporate environment is lower.
>
>
> This latest W32/Klez variant is already detected as W32/Klez.gen@MM by
> McAfee products using the 4182 DATs (23 January 2002) or greater.
>
>
>
> W32/Klez.h@MM has a number of similarities to previous W32/Klez variants
> (http://vil.nai.com/vil/content/v_99237.htm), for example:
>
>
>
>
> W32/Klez.h@MM makes use of the "Incorrect MIME Header Can Cause IE to
> Execute E-mail Attachment" vulnerability (MS01-020,
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp)
> in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
>
> The worm has the ability to spoof the From: field (often set to an address
> found on the victim machine).
>
> The worm attempts to unload several processes (antivirus programs) from
> memory.
>
>
>
> The worm is able to propagate over the network by copying itself to
> network shares (assuming sufficient permissions exist). Target filenames
> are chosen randomly, and can have single or double file extensions. For
> example:
> 350.bak.scr
> bootlog.jpg
> user.xls.exe
>
>
>
> The worm may also copy itself into RAR archives, for example:
> HREF.mpeg.rar
> HREF.txt.rar
> lmbtt.pas.rar
>
>
>
> The worm mails itself to email addresses in the Windows Address Book, plus
> addresses extracted from files on the victim machine. It arrives in an
> email message whose subject and body is composed from a pool of strings
> carried within the virus. For example:
> Subject: A very funny website
> or Subject: 1996 Microsoft Corporation
> or Subject: Hello,honey
> or Subject: Initing esdi
> or Subject: Editor of PC Magazine.
> or Subject: Some questions
> or Subject: Telephone number
>
>
>
> The file attachment name is again generated randomly, for example:
> ALIGN.pif
> User.bat
> line.bat
>
>
>
> Thanks to the use of the exploit described above, simply opening or
> previewing the message in a vulnerable mail client can result in infection
> of the victim machine.
>
>
>
> W32/Klez.h@MM masquerades as a free immunity tool in at least one of the
> messages used:
> Subject: Worm Klez.E Immunity
> Body: Klez.E is the most common world-wide spreading worm.It's very
> dangerous by corrupting your files.
> Because of its very smart stealth and anti-anti-virus technic,most common
> AV software can't detect or clean it.
> We developed this free immunity tool to defeat the malicious virus.
> You only need to run this tool once,and then Klez will never come into
> your PC.
> NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV
> monitor maybe cry when you run it.
> If so,Ignore the warning,and select 'continue'.
> If you have any question,please mail to me.
>
> ----------------------------------------------------------------
> To check your system for this Internet Worm, and to learn how to protect
> yourself from computer viruses, visit the McAfee.com site at
> http://www.mcafee.com/myapps/vso/
>
> For complete information on this Internet Worm, view McAfee.com's Virus
> Information Library listing at
> http://vil.mcafee.com/dispVirus.asp?virus_k=99455.
>
> This email was sent to you by your friend Joyce Reece ()
>
>
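A mail-gateway check for the arrival pattern the forwarded advisory describes (a subject drawn from the worm's string pool, a randomly named executable attachment, sometimes behind a decoy double extension, and a MIME type that does not match the file name). This is an added example, not code from the original post or from McAfee; the subject pool and extensions come from the advisory text above, and the sample message is constructed.

```python
from email import message_from_string

# Subject strings the advisory lists as carried by W32/Klez.h@MM.
KLEZ_SUBJECTS = {
    "a very funny website", "1996 microsoft corporation", "hello,honey",
    "initing esdi", "editor of pc magazine.", "some questions",
    "telephone number", "worm klez.e immunity",
}
# Executable extensions seen in the advisory's attachment and share-copy names.
EXEC_EXTS = {"pif", "bat", "scr", "exe"}

def executable_name(name: str) -> bool:
    # The final extension decides, so decoys like user.xls.exe count like ALIGN.pif.
    return name.lower().rsplit(".", 1)[-1] in EXEC_EXTS

def klez_indicators(raw: str) -> list[str]:
    """Return the Klez-style indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in KLEZ_SUBJECTS:
        hits.append("subject from Klez string pool")
    for part in msg.walk():
        name = part.get_filename()
        if not name or not executable_name(name):
            continue
        hits.append(f"executable attachment name: {name}")
        # A part declared as audio/image/text that carries an executable file name
        # is the MIME-header mismatch a client must not auto-open (general heuristic).
        if part.get_content_maintype() in ("audio", "image", "text"):
            hits.append(f"content-type mismatch: {part.get_content_type()}")
    return hits

# Constructed sample message modelled on the advisory (not a real capture).
SAMPLE = """\
From: spoofed.sender@example.invalid
Subject: Worm Klez.E Immunity
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We developed this free immunity tool to defeat the malicious virus.
--b1
Content-Type: audio/x-wav; name="user.xls.exe"
Content-Disposition: attachment; filename="user.xls.exe"

AAAA
--b1--
"""
```

Running `klez_indicators(SAMPLE)` reports all three indicators for the constructed message; a clean message with a `.jpg` attachment and an ordinary subject returns an empty list.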

