Klez Virus - Alert

FlyingPenguin
Flightless Bird
Posts: 32783
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida
Post by FlyingPenguin »

Just worked on a customer's system infected with the Klez virus. Nasty and tenacious bastard. Just doing a scan alone doesn't work.

This thing infects EVERY friggin' EXE file on your computer, then patches the registry to bootstrap itself if you delete the main virus file.

Bastard also disables any installed virus scanners if it manages to infect your system, and prevents you from running a scanner even if it's the command line version in a DOS window.

Took me 4 hours to clean this nasty thing out, but now that I have an established procedure I can do it in half the time.

Fair warning to anyone who runs across this one: You MUST do a full virus scan afterwards. No getting around it. Most viruses you can just scan the root, Windows, System and Program Files folders and be pretty confident you got it all until the next scheduled full drive scan. Not this bastard. Booger hides EVERYWHERE.
Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.

blade
Posts: 9113
Joined: Wed Nov 22, 2000 1:56 am
Location: LV-426

Post by blade »

This is a nasty virus and it seems to be getting worse and more clever. Here's what I posted about this on the PCA news page:



Everyone please be on the lookout for this virus. It's not always easy to spot and the senders are being even more clever to make sure you do get it. Here are a few I've received recently that are the <b>KLEZ</b> virus:

<b>IE 6.0 patch</b> as the subject. In the body:

<i>"This is a IE 6.0 patch
I hope you would like it."</i>

<b>Re:the Garden of Eden</b> as the subject. It executes as you try to read the email.

<b>Your password</b> as the subject. Executes as you read the email.

<b>Language</b> subject again, executes as you try and read the email.

<b>honey</b> same as previous

<b>Worm Klez.E immunity</b> as subject, the below as the body:

<i>"Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus.You only need to run this tool once,and then Klez will never come into your PC.NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.If you have any question,please mail to me."</i>

The above usually has no spaces after a sentence or punctuation.

There are probably many more so please don't open an email if it's from one you don't know. And especially <b>DO NOT</b> open any attachment since many open this way. As you can see above, some open as soon as you try to read the email.

A new trick is to <b>SPOOF</b> an email address.

<i>"Some variants of this worm use a technique known as "spoofing." If it does this, it chooses at random an address that it finds on an infected computer as the "From": address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else."</i>

More info <a href="http://securityresponse.symantec.com/av ... l">HERE</a>



<b>GET</b> the latest anti-virus updates from your anti-virus app. Do a full virus scan at least once a day. If you believe you did get the Klez virus then <a href="http://securityresponse.symantec.com/av ... m.html">Go Here</a> (scroll down) for removal instructions. It isn't easy, and if you are not a techie then you need to get one who is to help you.

Another option is to use this <a href="http://securityresponse.symantec.com/av ... l">Removal Tool</a>. Just scroll down.

If you have no anti virus app then <a href="http://www.grisoft.com">This</a> is a good free one.
<i>"Too much monkee business"</i>
marscheese
Golden Member
Posts: 632
Joined: Sun Dec 31, 2000 9:26 pm
Location: Indianapolis, IN

Post by marscheese »

Yeah, some guy at my dad's work got it and it was sending the thing out over the entire network... he had to spend all day removing the little sh*t......
"This is your life, and it's ending one minute at a time" --Tyler Durden
FlyingPenguin
Flightless Bird
Posts: 32783
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Well, I'm impressed. I just checked the VScan log and over 100 exe files were infected.

No small wonder I had a bitch of a time with this thing. I'd remove the virus and the registry entry, then launch some infected app and BAM I'd be back to square one.

Learned some useful things working on that one for the next time.
wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Post by wvjohn »

Sucker seems to be on the rebound lately. I've gotten it mailed to me 6 times this weekend, including from two aunts that live in different parts of the country!
<a href="http://www.heatware.com/eval.php?id=123" target="_blank" >Heatware</a>
blade
Posts: 9113
Joined: Wed Nov 22, 2000 1:56 am
Location: LV-426

Post by blade »

"I've gotten it mailed to me 6 times this weekend"

That's all? If I "just" get it 6 times in one day it's a good day. :D

It has been getting worse and they are trying all kinds of tricks: from saying it's a new Klez removal tool, to a "great new link" (beware that one, a version of Klez/trojan is one you can get by clicking on the link). Anything weird, beware.


*If anyone is getting a virus (or spam) sent to them a lot then I strongly suggest MailWasher, http://www.mailwasher.net

Exec first suggested it and it works like a charm, very easy to configure. And you can preview any emails and even bounce any you select back to them.
Executioner
Life Member
Posts: 10140
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Post by Executioner »

I believe a friend of mine had this virus on his PC. It would not allow me to install any AV software. Since it really messed up his PC, I simply zero-filled the drive and started over. He now runs AV software.

My wife is always getting crap like this, so now she uses MailWasher. She's able to preview the messages, and able to delete them at the server, not on your PC. The best part of this program is that it's free. My spam email has drastically been reduced by 90% or more with the ability to bounce the email back. IMHO, this is the best way to avoid viruses: MailWasher.
Vanguarde
Goober Member
Posts: 3
Joined: Mon Jun 10, 2002 1:03 am

Post by Vanguarde »

Klez is very clever, and the maker(s) keep updating this adaptive worm/virus/whatever you want to call it every couple of days.
I am impressed by Klez, way more so than past viruses lol

I run Norton, and I have yet to get Klez in the email. 8( I wish I would get it sent to me, just the thrill of seeing it would be awesome! (then I would clean that son of a bitch LOL) My Norton has auto-updated its virus files much more in the last week than in the first 2 months of this year, and I am loving it. lol Ok I guess I'm kinda strange. LOL
blade_146
Golden Member
Posts: 819
Joined: Wed Nov 22, 2000 3:31 am
Location: Tennessee

Post by blade_146 »

I'm not sure what I've been getting but for the past 4 days I've gotten one email a day with a file attachment from someone I don't know. Today's was from admin@pcabusers.com with a picture of a shoe and some kind of screensaver. Ran a scan and it said I'm clean but I wonder what's going on?
<b><a href=mailto:k_otic1@bellsouth.net>EMAIL</a></b>
<b><a href=http://www.heatware.com/eval.php?id=2322>Heatware Evals</a></b>

Core I7 920 @ 4.0GHZ| Asus P6T Deluxe V2 |2x WD 640gb RAID 0--2x WD 1TB| Philips 20x SATA DVD | 12 gigs Corsair XMS | SB Audigy2 Fatality | GeForce GTX 260 Core Edition | Thermaltake 700w PSU |Antec 900 Case | 6mb DSL |
PreDatoR
Life Member
Posts: 5554
Joined: Wed Nov 22, 2000 8:01 pm

Post by PreDatoR »

I've been gettin' all sorts of shit too but I have OE in Outlook set up to not accept file attachments...
blade
Posts: 9113
Joined: Wed Nov 22, 2000 1:56 am
Location: LV-426

Post by blade »

blade_146, of course I didn't send you a virus. The Klez virus sends itself to others from an infected computer but also will "spoof" an email. For example, I received the virus from a respected hardware site but I found out it really wasn't from them; instead Klez spoofed it: it just put their name in the "from" field, as it did with the one sent to you that showed it was from my email.

See my first post above on "spoofing".

<i>"Some variants of this worm use a technique known as "spoofing." If it does this, it chooses at random an address that it finds on an infected computer as the "From": address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else."</i>



Of course do not open any attachment if you are not sure what it is. But the bad thing is many versions of Klez do not need an attachment; they use a script. All you need to do to get infected is simply "open" an infected email, and just like that you now have Klez.



It is nastier than any previous virus and new versions are continually coming out. Everyone needs to be more aware and run a good anti-virus app along with keeping it updated regularly.
blade_146
Golden Member
Posts: 819
Joined: Wed Nov 22, 2000 3:31 am
Location: Tennessee

Post by blade_146 »

So I'm guessing that I have it now since I opened the one that was apparently from here? I updated Norton's and it said I was clean but I'm still not sure. I've since set up OE to not accept attachments and I don't keep anyone in my address book. Think I still have it?
blade
Posts: 9113
Joined: Wed Nov 22, 2000 1:56 am
Location: LV-426

Post by blade »

"I opened the one that was apparently from here"

That was my point: the virus sent to you with that email was not from here. ;) It was spoofed. Someone had that email in their address book and also was infected by Klez, then Klez "spoofs": what it does is randomly select an email from the infected user's address book to put in the "from" field. It just happened to select the one from here.

It is confusing since this is fairly new.

Would you post or email me the full headers from that email?


If Norton didn't show anything then you are probably safe. I've never used Norton AV so I'm not sure how it notifies you of a virus. The one I use, http://www.grisoft.com, tells me when a virus is received and that it's blocked.

To be on the safe side I suggest you run a complete virus scan. I've also heard that when Norton fixes the Klez virus it screws Norton up so you have to reinstall Norton. So be sure it is working ok, but I would think Norton stopped it before any harm was done.
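Blade's point in this exchange is that the "from" field is whatever address the worm pulled off the infected machine, so the only thing worth looking at is the full headers he asks for. The Python below is an added example written for this page, not code from any of the posters. It parses a constructed message (every host name, IP address and mailbox in it is made up) with the standard library, walks the Received: chain starting from the first server that accepted the message, and checks whether the claimed From: domain has anything to do with that first hop. It also lists attachment parts that look like Windows executables regardless of the Content-Type they declare. The extension list and the consistency heuristic are assumptions of this example, not rules stated in the thread; legitimate mail relayed through a third-party server will also fail the heuristic, so treat a False as "the headers do not back up the From:", not as proof of a worm.

```python
"""Added example (not from the original thread): read an email's Received:
chain and decide whether its From: address is plausibly genuine.

A Klez-style mass mailer puts a random harvested address in From:, so the
From: domain usually has no relation to the host that first accepted the
message. Only the Python standard library is used. The sample message,
host names, IP addresses and mailbox names below are constructed."""
import email
import email.utils
import re
from email import policy

# Constructed raw message. Each hop prepends its own Received: line, so the
# LAST Received: header is the first server that accepted the message.
# The attachment's declared Content-Type deliberately does not match its content.
SAMPLE_MESSAGE = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <victim@recipient.example>; Mon, 10 Jun 2002 09:12:33 -0400
Received: from pc-home-7 (dialup-198-51-100-23.isp.example [198.51.100.23])
\tby mail.example.net (8.11.6/8.11.6) with SMTP id g5AD7gF01234
\tfor <victim@recipient.example>; Mon, 10 Jun 2002 09:07:42 -0400
From: admin@pcabusers.example
To: victim@recipient.example
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Klez.E is the most common world-wide spreading worm.
--b1
Content-Type: audio/x-wav; name="immunity.exe"
Content-Disposition: attachment; filename="immunity.exe"

MZ...
--b1--
"""

# Control case (also constructed): same path, but the From: domain matches
# the ISP that the originating dial-up host belongs to.
CONTROL_MESSAGE = SAMPLE_MESSAGE.replace(
    b"From: admin@pcabusers.example", b"From: postmaster@isp.example")

# "from <helo> (<reverse-dns> [<ip>])" as most MTAs write it; rdns may be empty.
_RECEIVED_FROM = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)", re.I)
_RECEIVED_BY = re.compile(r"\bby\s+(?P<by>\S+)", re.I)

# Assumption: a generic list of Windows executable extensions, not the page's.
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "bat", "com"}


def _parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def received_hops(raw):
    """Received: hops in transit order (first accepting server first).
    Each hop is a dict with the HELO name, reverse DNS, IP and receiving host."""
    hops = []
    for value in reversed(_parse(raw).get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(value))  # flatten folded header lines
        m = _RECEIVED_FROM.search(text)
        if not m:
            continue  # a form this parser does not understand; skip the hop
        by = _RECEIVED_BY.search(text)
        hops.append({
            "helo": m.group("helo").lower(),
            "rdns": (m.group("rdns") or "").lower(),
            "ip": m.group("ip"),
            "by": by.group("by").lower() if by else "",
        })
    return hops


def from_domain(raw):
    """Domain part of the From: address, lower-cased ('' if unparseable)."""
    addr = email.utils.parseaddr(str(_parse(raw)["From"] or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def from_is_consistent(raw):
    """Heuristic: True if the From: domain matches the first hop's reverse DNS,
    HELO name, or the server that accepted the message; False if the headers
    contradict the claimed sender or there is no usable Received: line."""
    hops = received_hops(raw)
    domain = from_domain(raw)
    if not hops or not domain:
        return False
    first = hops[0]
    for name in (first["rdns"], first["helo"], first["by"]):
        if name == domain or name.endswith("." + domain):
            return True
    return False


def executable_attachments(raw):
    """Names of attachment parts that are Windows executables by extension or
    by the 'MZ' magic at the start of the payload, whatever type they declare."""
    found = []
    for part in _parse(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS or payload.startswith(b"MZ"):
            found.append(name or "<unnamed>")
    return found


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(f"hop: {hop['helo']} ({hop['rdns']} [{hop['ip']}]) -> {hop['by']}")
    print("From: domain:", from_domain(SAMPLE_MESSAGE))
    print("From: consistent with first hop:", from_is_consistent(SAMPLE_MESSAGE))
    print("control message consistent:", from_is_consistent(CONTROL_MESSAGE))
    print("executable attachments:", executable_attachments(SAMPLE_MESSAGE))
```

Run it and the first hop comes out as a dial-up host at one ISP, accepted by that ISP's mail server, while the From: claims a completely different domain; the control message, whose From: is on the ISP's own domain, passes. The last hop is the only one you can trust outright (your own server wrote it); anything below it was written by someone else's server and can be forged, which is why the check starts from the first hop and the receiving host rather than trusting a single line.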
FlyingPenguin
Flightless Bird
Posts: 32783
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Klez disables any installed anti-virus program and makes it impossible to install a new one until it's cleaned.

If Norton's running in the taskbar and will do a full system scan, then you haven't got it.

If you think you have it there's a free Klez removal tool available (you can't just remove the virus file - this is a very tough virus to remove manually): http://securityresponse.symantec.com/av ... .tool.html
blade_146
Golden Member
Posts: 819
Joined: Wed Nov 22, 2000 3:31 am
Location: Tennessee

Post by blade_146 »

Well, I ran NAV and PC-cillin online and both showed clean. Even dl'd the removal tool and it found nothing. Whew!! Mike, I would be glad to post that header, if I still had it :) It's loooong gone.