From: "John A Hansen" <>
Subject: [LANGER] VIRUS ALERT = W32.Klez. H = Level 3 ( One time Advisory by List Admin)
Date: Thu, 25 Apr 2002 10:27:45 -0700
A new level 3 Virus Alert was issued this week by most
of the Major Anti Virus Test Sites and Software Programs.
The names of the virus will vary but it is generally a form of
W32.Klez.X@mm. There are a couple of clever things that
this virus does that make it deceptive.
While you will not get the virus from Rootsweb
you may well get an email from a subscriber or a friend
that you have corresponded with and it will look like
a legit response to the email or post that you made.
The Virus has two files attached.
One will have a random file from the sending computer
and the other will be the virus with a double extension
with ******.txt.exe etc. So it appears to be a real
and innocent attachment. As a result, the email message would
have 2 attachments, the first being the worm and the second
being the randomly-selected file with a "normal" extension
such as *.doc or *.txt etc.
Payload and Damage:
This worm infects executables by creating a hidden copy of the original
host file and then overwriting the original file with itself. The hidden
copy is encrypted, but contains no viral data. The name of the hidden file is
the same as the original file, but with a random extension.
Large scale e-mailing: This worm searches the Windows address book,
the ICQ database, and local files for email addresses. The worm sends
an email message to these addresses with itself as an attachment.
Releases confidential info: Worm randomly chooses a file from the machine
to send along with the worm to recipients. So files with the extensions:
".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc"
or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg"
or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages
along with the viral attachment.
All the normal reference sites are carrying details on how to remove it
if you do get infected and more technical details on how to
identify the incoming virus.
Please do not create any posts on the mailing lists.
John A Hansen
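
Added example (not part of the original advisory or of any anti-virus product): a mail-filter check for the attachment pattern described above, a double-extension file such as ******.txt.exe arriving together with a second file that has one of the listed "normal" extensions. The function names, the verdict strings, the sample messages and every executable extension other than .exe are assumptions made for illustration.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Companion-file extensions exactly as listed in the advisory.
DECOY_EXTS = {".mp8", ".txt", ".htm", ".html", ".wab", ".asp", ".doc", ".rtf", ".xls",
              ".jpg", ".cpp", ".pas", ".mpg", ".mpeg", ".bak", ".mp3", ".pdf"}
# Assumption: the advisory names only ".exe" ("etc"); the rest are added here.
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}

def is_double_extension(filename):
    """True for names like 'notes.txt.exe': innocent inner extension, executable last."""
    stem, last = os.path.splitext(filename.strip().lower())
    # rstrip() tolerates padding placed between the two extensions.
    inner = os.path.splitext(stem.rstrip())[1]
    return last in EXEC_EXTS and inner in DECOY_EXTS

def inspect_message(raw):
    """Return (double_extension_names, companion_names) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    flagged = [n for n in names if is_double_extension(n)]
    companions = [n for n in names if n not in flagged
                  and os.path.splitext(n.strip().lower())[1] in DECOY_EXTS]
    return flagged, companions

def verdict(raw):
    """Quarantine any double extension; note when the companion file is also present."""
    flagged, companions = inspect_message(raw)
    if flagged and companions:
        return "quarantine: matches advisory pattern"
    return "quarantine: double extension" if flagged else "pass"

def build_sample(filenames):
    """Constructed test message with harmless placeholder bytes as attachments."""
    m = EmailMessage()
    m["Subject"] = "Re: your post"
    m.set_content("constructed sample body")
    for name in filenames:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()

if __name__ == "__main__":
    for files in (["notes.txt.exe", "budget.xls"], ["tree.doc.exe"], ["photo.jpg"]):
        print(files, "->", verdict(build_sample(files)))
```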