
Technology Forum Computer questions? Need Technical assistance? Ask Andy!

Old 04-23-2002, 03:02 PM   #1 (permalink)
 
Chippp
I was sent worm_klez.g and another email virus called kl.worm or something like that today, April 23 2002. They are mass-mailing viruses.

My virus scanner pc-cillin caught it and removed it as soon as it was downloaded.

I see that the first virus I listed here is the most common in the wild virus as of today.

Everyone update your virus scanner data files daily and never ever run your computer without your virus scanner active.

Stay safe.
Old 04-23-2002, 04:39 PM   #2 (permalink)
CHUNN
Got two of them today!
Old 04-23-2002, 04:42 PM   #3 (permalink)
BooBop
What is the address they are coming from? Is it some of that junk mail? Like, earn 1000,0000 per month from home or some sh*t
Old 04-24-2002, 09:39 AM   #4 (permalink)
 
Chippp
Junk email. They are sent out mass mailing, spam mail; the subject says "hi lets be friends" or some other crap. I don't open the email or resend it, never respond to spam.
Let the virus scanner grab it, then go into the scanner and delete it.

_______________________________________


WORM_KLEZ.G


Risk rating: low risk
Virus type: Worm
Destructive: Yes

Aliases:
W32/Klez-G, I-Worm.Klez.h, I-Worm.W32/Klez.gen@MM, W32.Klez.H@mm

Description:
This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP to propagate via email. The subject line of the email it arrives with is randomly selected from a list of possible choices. See Tech Details for more information.

Upon execution, this worm drops files and creates an entry in the AutoRun key of the system registry. It also infects EXE files. To infect, it encrypts (compresses) the target file and then modifies the file extension with a random name. It also modifies the attributes of the file and sets these to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file.

This worm makes sure that its filesize is the same as that of the infected file. To do this, it pads garbage at the end of the infected file.

This worm does not perform its Antivirus Retaliation routine on machines running NT 4.0 or lower, due to an unavailability of system functions or APIs it uses to kill the antivirus-related processes.

Solution:
Automatic Removal Instructions


Please download and run the fix tool.
Trend Micro requests that all users download and read the readme text before using this tool.
Manual Removal Instructions

For Windows 95 systems:
Restart your computer.
Press the F8 key when you see the message, "Starting Windows 95."
For Windows 98/Me systems:
Restart your computer.
Press the Ctrl key until your Windows 98 startup menu appears.
Choose the Safe Mode option then hit the Enter key.
For Windows XP systems:
Restart your computer.
When prompted, press the F8 key. If Windows XP Professional starts without the “Press select operating system to start” menu, restart your computer.
Press F8 again after the Power-On Self Test is done.
Choose the Safe Mode option from the Windows Advanced Options Menu.
For Windows 2000 systems:
Restart your computer.
Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
Choose the Safe Mode option from the Windows 2000 Advanced Options Menu.
Scan your system with Trend Micro antivirus and note down all files detected as WORM_KLEZ.G. These infected files may be WINK*.EXE files. * is a random number of random characters.
Click Start>Run, type Regedit then hit the Enter key.
In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, look for and then delete these registry values. * is any random characters:
"Wink*" = "%System%\Wink*.exe"
"WQK" = "%System%\Wqk.exe"
In the left panel, double click the following:
HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
Under the Services key, look for and then delete this subkey:
Wink*
Close the Registry Editor.
Restart the system.
Scan your system with Trend Micro antivirus and delete all files detected as WORM_KLEZ.G. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
Since this worm uses a vulnerability in HTTP-based email clients like Microsoft Outlook and Outlook Express, please apply the latest patches:
Update to Internet Explorer 5.01 SP2
Update to IE 5.5 SP2
Update to IE 6.0
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.
_______________________________________

NEW VIRUS NOW IN THE WILD
JS_EXCEPTION.GEN


Risk rating: low risk
Virus type: JavaScript
Destructive: No

Aliases:
Trojan.Seeker-based, HTML.VMExploit, JS.Exception.Exploit, EXCEPTION, EXCEPTION.GEN, Coolsite, Coolsite.A, JS/Coolsite.A

Description:
This JavaScript (JS) Trojan changes the infected user's Internet Explorer startup page. One of this Trojan's samples (Coolsite samples) is a mass-mailer. It exploits security vulnerabilities in the Microsoft Virtual Machine. Some variants have non-destructive payloads that change the button caption, modify the appearance of Internet Explorer, and redirect links to a certain Web site.

Solution:


In the Windows Start Menu, choose Run, type Regedit and then press enter.
On the left panel, double click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
On the right panel, look for this registry entry and double click it:
Start Page
Type the URL of your preferred Web page/site in the Value data text box.
Close the Registry.
Scan your system with Trend Micro antivirus and delete all files detected as JS_EXCEPTION.GEN. To do this Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro’s free online virus scanner.
Trend Micro also provides additional Windows ME Cleaning Instructions.
For additional information on this security vulnerability, and suggestions for preventing future infections, please visit Microsoft Support.

DO NOT RUN "REGEDIT" and make changes, IF YOU ARE NOT A COMPUTER GEEK YOU CAN REALLY MESS YOUR COMPUTER UP BAD!!!!!!!!!!!!!!!!!!!!!!


http://www.antivirus.com


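An added example, not part of the original post or of Trend Micro's advisory: a read-only check for the registry indicators listed in the manual removal steps above (the Run values "Wink*" and "WQK", and a "Wink*" subkey under Services). It assumes the hive was saved as a REGEDIT4 text export; the function name and the sample export are constructed for illustration.

```python
import re

# Keys and name patterns taken from the advisory text quoted in the post.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
RUN_VALUE = re.compile(r"^(wink.*|wqk)$", re.I)
RUN_DATA = re.compile(r"(?:^|\\)(wink[^\\]*|wqk)\.exe", re.I)
SERVICE_NAME = re.compile(r"^wink", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not real data); "Winkey" is a benign look-alike.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winkabc"="C:\\WINDOWS\\SYSTEM\\Winkabc.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"
"Winkey"="C:\\Program Files\\Keys\\hotkeys.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkabc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winmgmt]
"""

def find_klez_entries(reg_text):
    """Return (kind, key, name, data) tuples for entries matching the advisory."""
    findings, key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            parent, _, leaf = key.rpartition("\\")
            # Only direct children of Services count, not nested subkeys.
            if parent.lower() == SERVICES_KEY and SERVICE_NAME.match(leaf):
                findings.append(("service-subkey", key, leaf, ""))
            continue
        m = VALUE_LINE.match(line)
        if not m or key.lower() != RUN_KEY:
            continue
        # .reg files escape backslashes and quotes; undo that before matching.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        # Require both the value name and the target file name to match,
        # so a benign value that merely starts with "Wink" is not flagged.
        if RUN_VALUE.match(name) and RUN_DATA.search(data):
            findings.append(("run-value", key, name, data))
    return findings

if __name__ == "__main__":
    for finding in find_klez_entries(SAMPLE_EXPORT):
        print(finding)
```

The script only reports matches; deleting the values and the subkey is still done by hand as described in the post.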
Old 04-24-2002, 10:13 AM   #5 (permalink)
BooBop
thanks chippp. geez these dang geeks need to find a new life. what do they get out of it? they need to find a partner for sex i guess