KLEZ Worm series
Virus Alert dd April 2002
KLEZ Worm Series

Detected: April 2002
Platform: Windows
Propagation: Email, web browser, network shares, ICQ

Description: Klez worms pose a high risk and are spreading in epidemic proportions. Users must also run desktop antivirus software on all their machines to reduce the threat of being infected with the new variants. It is also imperative to patch both Windows and Office with service packs from Microsoft.

Disinfection tools:

Instructions for how to use this tool are at:

Klez exploits a vulnerability in IE. The patch for this is:

Known Klez variants to date:
KLEZ.Worm - Virus Tip

KLEZ.H Worm - A characteristic of this virus, one of the most active e-mail-borne viruses in circulation, is that it spoofs the return address when it sends itself out (please refer to the document Email spoofing). This has two main effects:

1. It prevents the infected person from learning that they are affected, because the bounce messages generated by e-mail servers that scan for viruses go to the person whose address was spoofed instead of to the infected person.
2. The people who get the bounce message panic, thinking they are infected, and will shell out big bucks to have a technician look at the machine.

For more information about the virus and its behavior, check out: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H&VSect=T

The most common world-wide spreading worm at the moment is called Klez (many variants). Many people have received infected emails, including myself, so be extremely vigilant.

In an email infected with Klez:
In addition to the worm attachment, the worm also may attach a random file from the computer. As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly-selected file.

Once a computer is infected, Klez disables any antiviral software on that computer. It may corrupt files on the hard disk. Then Klez searches for files containing e-mail addresses. It randomly selects one as the "sender," and then transmits infected e-mails to the other addresses found. Therefore receiving an e-mail containing the Klez virus "from" someone does not indicate that (1) their computer is infected or (2) that they sent you the virus.

Sometimes the infected e-mail message appears to be a "postmaster bounce message" from your own domain. For example, if your e-mail address is jsmith@anyplace.com, you could receive a message that appears to be from An attachment is included which is supposed to contain the refused e-mail. Opening that attachment launches the virus. So be extremely suspicious and NEVER open such attachments.

Klez can also arrive in an e-mail with a message stating that the attachment is an antidote for the Klez virus. NEVER believe something like that.

The virus can launch automatically when you click to preview or read an e-mail bearing Klez if your system has not been patched for a year-old vulnerability in Internet Explorer v5.01 or v5.5, Outlook and Outlook Express. IE 5.01 Service Pack 2 is not affected by this vulnerability. That patch can be downloaded from http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

Klez only affects PCs running Microsoft's Windows operating system.

In most cases, users of Outlook XP or those who applied Microsoft's security update (patch mentioned above) for older versions of Outlook, do not receive the attachments, but instead typically see an announcement that the message "contained script, which Outlook can't display."

If you are using a current version of Norton AntiVirus and have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
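
The forged "postmaster bounce" and the two-attachment pattern described above can be checked mechanically on a mail gateway or in a mailbox audit. The Python below is an added example, not part of the original alert; the extension list, the sender names, the finding strings and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: extensions treated as directly runnable on Windows (not a list from the alert).
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
BOUNCE_SENDERS = ("postmaster", "mailer-daemon")

def triage(raw, recipient):
    """Return a list of findings for one raw message delivered to `recipient`."""
    msg = message_from_string(raw)
    findings = []
    # The From header is set by the sender, so it is a claim, never proof of origin.
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    own_domain = recipient.lower().rpartition("@")[2]
    claims_bounce = local in BOUNCE_SENDERS and domain == own_domain
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    if risky:
        findings.append("runnable attachment: " + ", ".join(risky))
    if claims_bounce and risky:
        # A bounce normally returns the refused mail as text or message/rfc822,
        # not as a program attached to the notice itself.
        findings.append("bounce from own domain carrying a program")
    if len(names) == 2 and names[0] in risky:
        # Pattern from the alert: worm first, then a random file from the infected PC.
        findings.append("program plus second unrelated attachment")
    return findings

def sample(sender, attachments):
    """Build a constructed test message; attachment contents are harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "jsmith@anyplace.com"
    m["Subject"] = "Undeliverable mail"
    m.set_content("The attached message could not be delivered.")
    for name in attachments:
        m.add_attachment(b"constructed sample bytes", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()

if __name__ == "__main__":
    fake = sample("postmaster@anyplace.com", ["returned.exe", "budget.xls"])
    for finding in triage(fake, "jsmith@anyplace.com"):
        print(finding)
```

These are heuristics: a genuine bounce of a message that itself carried a program would also be flagged, so findings are a reason to quarantine and inspect, not a verdict.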