Detected only last week (April 17, 2002), the Klez virus has
reached notorious proportions in a very short span of time,
causing large-scale disruption and mayhem in the e-mail
community. Symantec (Norton Anti-Virus) was quick to raise its
threat rating from level 2 to level 3 within a week!
Like many of its predecessors, the Klez virus arrives as an
e-mail attachment. Unlike its predecessors, however, the e-mail
is disguised as a friendly tip or warning from someone YOU
REGULARLY RECEIVE MAIL FROM.
This does not mean the apparent sender's computer is infected.
The worm forges the sender address: it picks, from the infected
computer's Inbox, Outbox, Address Book or ICQ database, an
address that is unlikely to raise suspicion in the receiver's
mind. The infected machine is usually that of some third party
who has both your address and the forged sender's address stored.
We have received e-mails laced with the Klez virus that appeared
to originate from sources as varied and seemingly dependable as
the World Bank, Yahoo, and even helpdesk@del1.vsnl.net.in!
So, if you receive an e-mail from infobanc with a file
attachment, DELETE IT IMMEDIATELY! We never send e-mail with a
file attachment without the receiver's prior permission.
HOW TO DETECT THE VIRUS
Symantec (http://www.symantec.com) has given detailed
information on how to recognise e-mails carrying the Klez virus.
The e-mail will have one or two file attachments and a Subject
line like one of the following:
- Undeliverable mail--"[Random word]"
- Returned mail--"[Random word]" (e.g. Returned mail--"honey")
- a [Random word] [Random word] game (e.g. A special excite game)
- a [Random word] [Random word] tool (e.g. A very useful tool)
- a [Random word] [Random word] website (e.g. A very funny website)
- a [Random word] [Random word] patch (e.g. A IE 6.0 patch)
- [Random word] removal tools
- how are you
- let's be friends
- darling
- so cool a flash,enjoy it
- your password
- honey
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- questionnaire
- congratulations
- sos!
- japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls' vocal concert
- japanese lass' sexy pictures
HOW THE VIRUS DAMAGES YOUR COMPUTER
According to Symantec, the virus can damage your computer in
the following ways:
Payload:
This worm infects executables by creating a hidden copy of the
original host file and then overwriting the original file with
itself. The hidden copy is encrypted but contains no viral code;
it has the same name as the original file, with a random
extension.
Large scale e-mailing:
This worm searches the Windows address
book, the ICQ database, and local files for email
addresses. The worm sends an email message to
these addresses with itself as an attachment.
Releases confidential information:
The worm randomly chooses a file from the machine and sends it
to recipients along with itself. So a file with one of the
extensions ".mp8", ".txt", ".htm", ".html", ".wab", ".asp",
".doc", ".rtf", ".xls", ".jpg", ".cpp", ".pas", ".mpg", ".mpeg",
".bak", ".mp3" or ".pdf" may be attached to the e-mail alongside
the viral attachment, and any such file may contain confidential
data from the infected machine.
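As an added example (not code from the original page or from Symantec), the following Python mail filter applies the indicators from the two sections above to raw messages: a Subject line that is either on the fixed list or fits one of the "[Random word]" templates, together with one or two file attachments of which at least one is executable, and it reports any document riding along with the worm as a probable leaked file. The sample messages, the address example.invalid and the set of extensions treated as executable are assumptions constructed for this example; the page itself does not say which extension the viral attachment carries.

```python
"""Mail filter for the Klez indicators described on this page.  Added
example; not code from the original page or from Symantec.  The sample
messages, the address example.invalid and the set of executable
extensions are constructed assumptions."""
import email
import re
from email import policy

# Subject lines the worm uses verbatim (the list under "HOW TO DETECT THE VIRUS").
FIXED_SUBJECTS = {
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl vs playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
}

# The "[Random word]" templates, as regular expressions over a lower-cased subject.
WORD = r"[a-z0-9.'-]+"
TEMPLATE_PATTERNS = [
    re.compile(r'^(undeliverable|returned) mail--".+"$'),
    re.compile(rf"^a {WORD} {WORD} (game|tool|website|patch)$"),
    re.compile(rf"^{WORD} removal tools$"),
]

# Assumption: extensions treated as executable.  The page does not list them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}

# Extensions of files the worm may leak alongside itself ("Releases
# confidential information"), copied from the page as written.
DATA_EXTENSIONS = {
    ".mp8", ".txt", ".htm", ".html", ".wab", ".asp", ".doc", ".rtf", ".xls",
    ".jpg", ".cpp", ".pas", ".mpg", ".mpeg", ".bak", ".mp3", ".pdf",
}


def subject_matches(subject):
    """True if the subject is one Klez is known to generate."""
    s = " ".join(subject.split()).lower()
    return s in FIXED_SUBJECTS or any(p.match(s) for p in TEMPLATE_PATTERNS)


def _extension(filename):
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def attachment_names(msg):
    """File names of all attachment parts, in order."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw_message):
    """Return a verdict dict for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    names = attachment_names(msg)
    executables = [n for n in names if _extension(n) in EXECUTABLE_EXTENSIONS]
    documents = [n for n in names if _extension(n) in DATA_EXTENSIONS]
    # Klez mail: a known subject plus one or two attachments, at least one executable.
    if executables and subject_matches(subject) and 1 <= len(names) <= 2:
        verdict = "klez-suspect"
    elif executables:
        verdict = "executable-attachment"
    else:
        verdict = "clean"
    return {
        "subject": subject,
        "verdict": verdict,
        "executables": executables,
        # A document riding along with the worm is one of the victim's leaked files.
        "leaked_documents": documents if verdict == "klez-suspect" else [],
    }


# Constructed sample: forged sender, Klez subject, the worm plus a stolen document.
KLEZ_SAMPLE = """\
From: trusted.colleague@example.invalid
To: editor@example.invalid
Subject: Returned mail--"honey"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi,
--b1
Content-Type: application/octet-stream; name="honey.exe"
Content-Disposition: attachment; filename="honey.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/msword; name="budget.doc"
Content-Disposition: attachment; filename="budget.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAA==
--b1--
"""

# Constructed sample: a Klez subject on a genuine, attachment-free message.
CLEAN_SAMPLE = """\
From: colleague@example.invalid
To: editor@example.invalid
Subject: meeting notice

Tomorrow at 10.
"""

if __name__ == "__main__":
    for raw in (KLEZ_SAMPLE, CLEAN_SAMPLE):
        print(classify(raw))
```

The second sample shows why the subject list alone is not a verdict: "meeting notice" is an ordinary subject, and the page's own rule is that the attachment is what matters. Anything flagged "executable-attachment" without a Klez subject still deserves a look, since the random-word templates will not cover every variant.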
DETECTION AND REMOVAL
For all its stealth and intelligence, detecting and removing
the Klez virus is fortunately not difficult. First of all, if
you delete the e-mail without opening the file attachment you
are normally safe. The one caveat is that Klez can also exploit
an old Internet Explorer MIME-handling flaw (patched by
Microsoft in 2001) to run the attachment when the message is
merely previewed in an unpatched Outlook or Outlook Express, so
keep your mail client patched. In case you or your staff
accidentally open the attachment and the computer gets infected,
detection and removal are comparatively easy. The virus copies
itself under a random file name into the Windows\System
directory and adds a Registry entry so that it runs at startup.
Symantec has given step-by-step instructions on how to detect
its presence from the Windows Registry. If you find your system
infected, follow the removal instructions at www.symantec.com.