
ADMINISTRIVIA. VIRUS WARNING




The latest worm to make its way onto our discussion lists is
W32.Klez.H@mm and it is quite sophisticated.

See http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
for full details.


By 19 April, Symantec had upgraded the threat posed by this new
member of the Klez family of worms to Category III, which is not
something to be laughed off.

Once it has entered your machine, Klez.H, among other things,
removes the start-up keys for many anti-virus products. This
means that, if you don't catch it before it starts to execute
(usually the next time you open Windows), you may not notice it
at all.

Klez.H then chooses a random file from your machine under which
to hide itself, searches the Windows address book, the ICO files,
and any other files containing e-mail addresses to prepare for a
mass mailing.  It may attach another random file taken from your
machine to the e-mail message, so the message may have two
attachments, one of which could be quite personal and private.

It chooses one of the addresses it has acquired from your
machine, places it on the e-mail's FROM: line, and then sends
itself. It contains its own SMTP engine and guesses at available
SMTP servers.

This means that you should not open a message with an attachment,
even if it appears to be coming from a friend, until you have
updated your virus definitions and had your anti-virus software
inspect the files. It also means that, if your machine becomes
infected, you cannot tell from whom the infected message came to
you.

If you wish, you can examine the subject line for clues that the
message is carrying W32.Klez.H@mm. It uses a large number of
SUBJECT: lines, among which Symantec notes the following:

                          Undeliverable mail--"[Random word]"
                          Returned mail--"[Random word]"
                          a [Random word] [Random word] game
                          a [Random word] [Random word] tool
                          a [Random word] [Random word] website
                          a [Random word] [Random word] patch
                          [Random word] removal tools
                          how are you
                          let's be friends
                          darling
                          so cool a flash,enjoy it
                          your password
                          honey
                          some questions
                          please try again
                          welcome to my hometown
                          the Garden of Eden
                          introduction on ADSL
                          meeting notice
                          questionnaire
                          congratulations
                          sos!
                          japanese girl VS playboy
                          look,my beautiful girl friend
                          eager to see you
                          spice girls' vocal concert
                          japanese lass' sexy pictures


The random word will be one of the following:

                          new
                          funny
                          nice
                          humour
                          excite
                          good
                          powful
                          WinXP
                          IE 6.0
                          W32.Elkern
                          W32.Klez.E
                          Symantec
                          Mcafee
                          F-Secure
                          Sophos
                          Trendmicro
                          Kaspersky
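
The subject-line check described above can be automated for a mail folder or filter. The following is an added example, not part of the original message or of Symantec's write-up: it matches a message's SUBJECT: line against the lists above and checks for an attachment. The function names, the "hold"/"note"/"pass" labels and the sample addresses are assumptions made for illustration. Because the lists are only the ones Symantec notes, a "pass" result does not mean the message is clean.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Lists copied from the message above ("powful" is spelled as listed there).
RANDOM_WORDS = ["new", "funny", "nice", "humour", "excite", "good", "powful",
                "WinXP", "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec",
                "Mcafee", "F-Secure", "Sophos", "Trendmicro", "Kaspersky"]
TEMPLATES = ['Undeliverable mail--"{w}"', 'Returned mail--"{w}"',
             "a {w} {w} game", "a {w} {w} tool", "a {w} {w} website",
             "a {w} {w} patch", "{w} removal tools"]
FIXED = ["how are you", "let's be friends", "darling",
         "so cool a flash,enjoy it", "your password", "honey",
         "some questions", "please try again", "welcome to my hometown",
         "the Garden of Eden", "introduction on ADSL", "meeting notice",
         "questionnaire", "congratulations", "sos!",
         "japanese girl VS playboy", "look,my beautiful girl friend",
         "eager to see you", "spice girls' vocal concert",
         "japanese lass' sexy pictures"]

# Each "{w}" slot becomes an alternation over the random words.
_WORD = "(?:" + "|".join(re.escape(w) for w in RANDOM_WORDS) + ")"
_PATTERNS = [re.compile(_WORD.join(re.escape(p) for p in t.split("{w}")), re.I)
             for t in TEMPLATES + FIXED]

def subject_matches(subject):
    """True if the whole subject equals one of the listed subject lines."""
    s = " ".join(str(subject or "").split())  # collapse folded or extra spaces
    return any(p.fullmatch(s) for p in _PATTERNS)

def has_attachment(msg):
    """True if any MIME part carries a filename."""
    return any(part.get_filename() for part in msg.walk())

def triage(raw):
    """'hold' = listed subject plus attachment, 'note' = subject only."""
    msg = message_from_string(raw)
    if not subject_matches(msg["Subject"]):
        return "pass"
    return "hold" if has_attachment(msg) else "note"

def sample(subject, attach):
    """Build a constructed test message; the addresses are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "friend@example.org", "you@example.org", subject
    m.set_content("hello")
    if attach:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_string()
```

Several of the listed subjects, such as "how are you", also occur in ordinary mail, so a "note" or "hold" result is a reason to scan the message with updated virus definitions before opening it, not proof of infection.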