Klez Virus - Alert

blade
Posts: 9113
Joined: Wed Nov 22, 2000 1:56 am
Location: LV-426

Post by blade »

It's loooong gone


Can't blame ya there. :D
succubiss
Golden Member
Posts: 763
Joined: Fri Nov 24, 2000 2:25 am
Location: Castro Valley, CA

Post by succubiss »

SHOOT. I think I got my work comp infected. I got an email with "Your Password" in the Subject and a harmless JPG attachment (scanned with McAfee). Then I got about 10 more throughout the day.

will run the removal tools in the links provided. Thanks for doing the legwork guys.
FlyingPenguin
Flightless Bird
Posts: 32783
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

I get emails with Klez attachments all day - that alone won't infect you. You must run the attachment to get infected.

All Klez emails have different subjects and message bodies BUT there's one thing that's consistent. There's ALWAYS two attachments. One is a harmless image or HTML file, and the other is a PIF, EXE, COM or BAT file that carries the virus.

If you only get the harmless file then your ISP probably has automatic virus scanning on its mail server (something that's becoming more and more common).

Now the problem is that there's a security loophole in Outlook that the virus uses to spoof Outlook into opening the save/open attachment dialog. However, if you're using default settings the dialog window should come up and ask if you want to save or open the file.

What happens is some people just click OK without thinking about it.

To close the security loophole you need to apply the latest Critical Updates using Windows Update.

The other thing you need to do is make sure your anti-virus data files are up to date.

As Blade points out, this virus SPOOFS the return address and because of that some people are getting returned emails they never sent, and also getting automatic messages from mail servers saying they emailed a virus. That doesn't necessarily mean you have the virus - it just means that the virus on someone's computer is using YOUR email address as the return address (my wife is getting 30 of those a day).


If you think you're infected it's easy to tell. Fortunately this programmer wasn't being as malicious as he could have been - he doesn't even try to hide the virus. If you're infected then if you run MSCONFIG.EXE, you'll find an entry in the Startup tab called WINKxx.EXE (where xx = any random letters). That's the bootstrap for the main virus. You can't just uncheck it and delete the file though - it'll come back because it also infects ALL your EXE files.

If you're infected you'll also find your McAfee or Norton taskbar icon is gone - Klez disables any anti-virus apps and you'll have to re-install them afterwards (Norton needs to be completely uninstalled and the registry entries wiped before re-installing).

Your system will also slow down a LOT if infected and you'll notice a LOT of drive access while the system is idle - that's the virus scanning EXE files on your hard drive and infecting them.

Detailed instructions and the free Klez removal tool are located here: http://securityresponse.symantec.com/av ... .tool.html

I've heard of many instances where computer shops have told people they had to wipe their drives to get rid of the Klez virus because it damages so many system files, but that's a CROCK.

In my experience the removal tool repairs all system and program files and only deletes primary vector files (the files that initially infect you). I've had no problem with full system recoveries.

Too many of these computer stores don't do the research online and have no idea how to properly remove the virus. They try to get rid of it with a regular virus scan WHICH DOES NOT WORK. You need to use the removal tool. I've done manual removals before the tool was released and it's a BITCH.
Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.

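A defender-side check for the two signs FlyingPenguin describes above (the harmless-decoy-plus-executable attachment pair, and the WINKxx.EXE entry in the MSCONFIG Startup tab), written here as an added Python example that is not from the thread; the sample messages and the startup list are constructed, and the extension sets are assumed from the file types the post names.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions the post names as the attachment that carries the virus
EXECUTABLE_EXTS = {".pif", ".exe", ".com", ".bat"}
# Extensions of the harmless decoy attachment the post describes
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".htm", ".html"}
# Startup entry pattern from the post: WINK + two random letters + .EXE
KLEZ_STARTUP = re.compile(r"wink[a-z]{2}\.exe", re.IGNORECASE)


def classify_attachments(raw_message: bytes) -> dict:
    """Split a raw RFC 822 message's attachments into decoy and executable names."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    groups = {"decoy": [], "executable": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            groups["executable"].append(name)
        elif ext in DECOY_EXTS:
            groups["decoy"].append(name)
    return groups


def looks_like_klez(raw_message: bytes) -> bool:
    """True when a message carries both a decoy and an executable attachment."""
    groups = classify_attachments(raw_message)
    return bool(groups["decoy"]) and bool(groups["executable"])


def find_klez_startup_entries(startup_names: list) -> list:
    """Return the startup entries whose name matches the WINKxx.EXE pattern."""
    return [n for n in startup_names if KLEZ_STARTUP.fullmatch(n)]


def build_sample(attachments) -> bytes:
    """Constructed test message; the spoofed sender mirrors the post's point."""
    msg = EmailMessage()
    msg["From"] = "someone-else@example.invalid"  # constructed, spoofed-looking
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Your Password"
    msg.set_content("Constructed sample body.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLE_INFECTED = build_sample([("photo.jpg", b"\xff\xd8"), ("setup.pif", b"MZ")])
SAMPLE_DECOY_ONLY = build_sample([("photo.jpg", b"\xff\xd8")])
```

The decoy-only sample models the case the post describes where the ISP's scanner has already stripped the executable part.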
blade
Posts: 9113
Joined: Wed Nov 22, 2000 1:56 am
Location: LV-426

Post by blade »

Keep in mind FP not all versions of Klez need an attachment. They use a script which executes the virus as soon as you open an infected email. There is no attachment with these versions of the virus.

Only way to be protected is by using a good and up to date av.
Klez disables any anti-virus apps and you'll have to re-install them afterwards

Not with this one
FlyingPenguin
Flightless Bird
Posts: 32783
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

BLADE: Even the version that uses the script to auto run still has an attachment. The script just forces your browser to run the attachment.

The autorun script exploits a security hole in Outlook that can be fixed by installing the latest critical security update.


I've tested this by opening an infected email before and after installing the security update (with an AV program running to prevent it from running). After installing the patch, the email opens as a standard Klez with 2 attachments.
Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.

blade
Posts: 9113
Joined: Wed Nov 22, 2000 1:56 am
Location: LV-426

Post by blade »

I use outlook xp and with those kind it never shows any attachment and just shows around 2-8k. This is with the update also and still no attachments show.

Me thinks those virus guys just like to experiment with me. :D
VidmanII
Posts: 2465
Joined: Wed Nov 22, 2000 9:54 pm
Location: Egg Harbor, NJ

Post by VidmanII »

ur troll bait! :D

still no AV here. :lol
AMD Ph II X4 955 BE 3.2 @ 3.8 GHz | Scythe SCSMZ-2000 | ASRock 880GMH/USB3 | 8 GB G.Skill DDR3 1600 | Radeon HD5670 | Kingston 128GB SSD
VooDoo
Golden Member
Posts: 1553
Joined: Sat May 04, 2002 6:31 pm
Location: earth

Post by VooDoo »

i was just hit by it but norton caught it

yea for norton

me
canton_kid
Golden Member
Posts: 1400
Joined: Tue Mar 26, 2002 5:01 pm

Post by canton_kid »

No one seems to have posted any more on this viri for a couple weeks now,

Did it go away? Can I come out now and play again?

Are there any really good free antivirus programs out there? I mean the viruses are free, so shouldn't the anti-virus be free too!!

I have Norton, but my updates are out of date. I need to get a new program that is up to date again, but really hate to spend the money on the same thing over and over like for a year's worth of updates!

I always get spammed a ton at all my boxes, but they are all elsewhere like Yahoo! Does that make a difference, since I don't download the e-mail like at an ISP??

I don't even have OE configured to send mail off my system, I have to cut and paste addresses every time I get to one of those darned "mailto:" tech supports! I hate when they use the e-mail instead of their website!

Sounds like I may have been sent a couple of those type mails as spam, but deleted them instead of opening them.

Does it do any good to turn off HTML for email or will it still run the script and infect you off yahoo and such anyway?? Been thinking of turning it off anyway because of all the html spam I get. But that might be a pain when I get all those Tiger direct pages and X10 super cam html pages I love so much!

canton_kid
canton_kid
Golden Member
Posts: 1400
Joined: Tue Mar 26, 2002 5:01 pm

Post by canton_kid »

Don't ask why the little guy with headphones is there, he showed up uninvited!!

must have used the code by mistake

canton_kid
wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Post by wvjohn »

it's still out there - i'm getting 1-2 infected emails a day

try that free av program - the link is in one of blade's posts
Heatware: http://www.heatware.com/eval.php?id=123
blade
Posts: 9113
Joined: Wed Nov 22, 2000 1:56 am
Location: LV-426

Post by blade »

The links again:

Free Anti Virus Software They have regular updates and from what I've seen they are just as good as any like Norton or McAfee, if not better. And it doesn't have all the other bs bloatware those AVs are known for.

Another super program that Exectioner suggested is Mailwasher . That is one amazin' free software also. With it you can configure several pop3 emails and view them before they get to your inbox (inbox or email client must not be running) so you can see if any are a virus or spam. And the great thing is you can delete any and blacklist any like spam. That bounces the email back to the sender as undeliverable. I like that. :D

I don't use yahoo email canton_kid but I doubt you can get a virus from that unless you open the email. So I wouldn't open any you did not expect or that looks suspicious. The free anti virus scans only pop3 email and not any web based one.

I don't believe turning off HTML will help since most viruses use a script to execute or an attachment. Turning off Windows scripting will help some.



*I'm still getting 2-5 a day.
canton_kid
Golden Member
Posts: 1400
Joined: Tue Mar 26, 2002 5:01 pm

Post by canton_kid »

Thanks for the link blade. I'm looking into it now.

I have Norton, but like i say the files are out of date so it probably only catches old ones.

I'm gonna try that Mailwasher I think. I looked into it before, but it doesn't bounce back stuff from mail servers like Yahoo it said. Think it was the same program.

Building a website, so I'll need something for pop3 there!

canton_kid
ClockerDude
Genuine Member
Posts: 34
Joined: Tue Mar 05, 2002 4:40 am

Post by ClockerDude »

Aieee...scary stuff. I'm just glad that the only virus attack I've ever gotten was when I was doing some work on a comp @ school, and thankfully NAV made clean dupes of the infected files when the virus struck.
Long live Linux!
Pugsley
Posts: 7454
Joined: Mon Aug 19, 2002 11:54 pm
Location: NW Indiana

Post by Pugsley »

Ok. I think somebody said this already, but as long as you don't click on a link or open an attachment you can't get infected? Cause I have OE set to ask what to do with attachments when it gets them. Mail can't automatically execute attachments can it?

And why is it when you make a colon P it does this :P now?