Old 05-04-2002, 02:04 PM   #8
Memnoch
Ironworks Moderator
Join Date: February 28, 2001
Location: Boston/Sydney
Posts: 11,771
Here...

W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages.

The subject and attachment name of incoming emails are randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at
http://www.microsoft.com/technet/sec...n/MS01-020.asp

W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds.

Depending on which variant of the worm, the worm will drop one of the following viruses:

W32.Elkern.3326
W32.Elkern.3587
W32.Elkern.4926

which will then infect the system.

Email spoofing
Some variants of this worm use a technique known as "spoofing." If it does this, it chooses at random an address that it finds on an infected computer as the "From:" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
(Mem--I removed the '.' at the end of the URL)

[ 05-05-2002, 01:45 AM: Message edited by: Ziroc ]
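An added example (not from the post or from Symantec's write-up) showing how a mail gateway could act on the two points above: flag attachments with the extensions the write-up lists, and treat the "From:" line as forged so that the complaint goes to the recipient whose copy was held, never to the apparent sender. The sample message, addresses and the `quarantine_report` function are constructed for illustration.

```python
import email
import os
from email import policy
from typing import Dict, List

# Attachment extensions the write-up lists for the worm's mailings.
RISKY_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}

def risky_attachments(raw_message: str) -> List[str]:
    """Return filenames of MIME attachments whose extension is in RISKY_EXTENSIONS."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no filename of their own
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            found.append(name)
    return found

def quarantine_report(raw_message: str) -> Dict[str, object]:
    """Decide whom a mail gateway should tell about a flagged message.
    The worm picks From: at random from an infected machine's address
    book, so the apparent sender is usually an uninfected third party;
    only the recipient, whose copy is being held, is worth notifying.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = risky_attachments(raw_message)
    return {
        "flagged": flagged,
        "notify": str(msg.get("To", "")) if flagged else "",
        "do_not_notify": str(msg.get("From", "")) if flagged else "",
    }

# Constructed sample, not a captured worm message: the apparent sender is
# the innocent third party from the write-up's example, Harold.
SAMPLE = """\
From: harold.logan@example.com
To: janet.bishop@example.com
Subject: hello
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/octet-stream; name="setup.pif"
Content-Disposition: attachment; filename="setup.pif"

AAAA
--sep--
"""
```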