dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
73

osumba2001
join:2000-12-11
New Albany, OH

osumba2001

Member

Klez question

Does Klez attempt to send itself to all addresses it can find (in ICQ, Outlook address book, etc) or just one random address? I can't find anything on the SARC site (»www.sarc.com/avcenter/ve ··· @mm.html)

I'm asking because I'm trying to determine if our organization is infected or not. Since I mail everybody in the company, if somebody IS infected, wouldn't they attempt to send me an infection, too? As long as our AV scanner picks up Klez one at a time we should be safe. As soon as it picks up a ton of messages at once each to a different recipient, then I should worry?

Boy, tracking down the true infected hosts machine via the email headers is tough...

Thanks,
Rob

Time Out$
Premium Member
join:2002-04-28
North Myrtle Beach, SC

Time Out$

Premium Member

"Does Klez attempt to send itself to all addresses it can find (in ICQ, Outlook address book, etc) or just one random address?"

A-As many as it can find

"if somebody IS infected, wouldn't they attempt to send me an infection, too?"

A-Possibly but that can not be relied on as an indicator

"As long as our AV scanner picks up Klez one at a time we should be safe."

A-I have no idea how your company Nework is setup muchless how you handle email for each person..but since KLEZ can disable AV, has a payload in some cases..and the user never really knows they are infected..you about have to go to each machine to find out.

"Boy, tracking down the true infected hosts machine via the email headers is tough..."

A-The word is not tough..the fact is it can not be done.

___________________________________________________________
I think you should read this thread....

»Klez Virus - AVG Report to Sender - Info Please

and in particular these two posts and all the links in them that will get you to other information about this Klez Worm.
»Klez Virus - AVG Report to Sender - Info Please

»Klez Virus - AVG Report to Sender - Info Please

osumba2001
join:2000-12-11
New Albany, OH

osumba2001

Member

Thanks for the quick response, Time Out.

The header info contained the following:
Received: from Ghzyinyde (h00055d21ac43.ne.client2.attbi.com [24.61.35.227]) by mail.mydomain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13).

My employee hasn't sent any mail to anybody at an attbi.com address, so we're at a dead end on tracking the true originator.

We're running Sybari Antigen for Exchange and I'm picking up maybe 3 or 4 Klezes a day for our small 50 person company. All corporate email comes through this server.

I'll go check those links...

Thanks again,
Rob

Time Out$
Premium Member
join:2002-04-28
North Myrtle Beach, SC

Time Out$

Premium Member

How about putting this tool on a disk and then you can check out individual PC.

W32.Klez Removal Tool
Last Updated on: May 1, 2002 at 06:08:18 PM PDT

Download the FixKlez.com file from »securityresponse.symante ··· Klez.com.

Symantec has provided a tool to remove infections of W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926.

Note on W32.Klez.gen@mm detections:
W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most case, the tool will be able to remove the infection.

What the tool does
The W32.Klez Removal Tool does the following:

It terminates all processes that are associated with W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926.
It deletes the W32.Klez.E@mm and W32.Klez.H@mm service(s).
It removes the registry entries that were created by W32.Klez.E@mm and W32.Klez.H@mm.
It detects all types of W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926 infections, and repairs files that can be repaired.

NOTE: A file that is infected with W32.Klez.E@mm or W32.Klez.H@mm includes a link to the encrypted host file. If the encrypted file does not exist at that link, the tool deletes the infected file because it is not repairable, and the encrypted file will not be restored.
The W32.ElKern.3587 and W32.ElKern.4926 repair removes the viral code from the file. It does not ensure that a file that is repaired from W32.ElKern will run because this virus often corrupts files.

Command-line switches that are available for this tool
/HELP, /H, /? - Displays the help message.
/NOFIXREG - Disables registry repair (the use of this switch is not recommended).
/SILENT, /S - Enables silent mode.
/LOG= - Creates a log file where is the location in which to store the tool's output. By default, this switch creates the log file FixKlez.log in the same folder from which the removal tool was executed.
/MAPPED - Scans mapped network drives (the use of this switch is not recommended--see notes).
/START - Forces the tool to start scanning immediately.
/EXCLUDE= - Excludes the specified from scanning (the use of this switch is not recommended).
NOTE: The use of the /MAPPED switch does not ensure the complete removal of the virus on the remote computer because:
The scanning of mapped drives scans only the folders that are mapped. This might not include all folders on the remote computer, and this can to lead to missed detections.
If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer is using this file.
The repair of a file that is infected with W32.Klez.E@mm or W32.Klez.H@mm may fail if this file is located on the mapped drive. This is because the path to the original encrypted host file is a local path.

For these reasons, you should run the tool on every computer.

To obtain and run the tool

NOTE: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.

1. Download the FixKlez.com file from »securityresponse.symante ··· Klez.com.
2. Save the file to a convenient location, such as your download folder or the Windows desktop (or removable media that is known to be uninfected, if possible).
3. To check the authenticity of the digital signature, refer to the section The digital signature.
4. Close all programs before running the tool.
5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
6. If you are running Windows Me or XP, then disable System Restore. Please refer to the section System Restore option in Windows Me/XP for additional details.

NOTE: If you are running Windows Me/XP, Symantec strongly recommends that you do not skip this step.

7. Shut down the computer and turn off the power. Wait at least 30 seconds. This is necessary to clear the memory.

NOTE: If you are using a laptop, you should also remove the battery and then replace it.

8. Restart the computer in Safe mode (All operating systems except Windows NT). For instructions, read the document for your operating system.
How to start Windows XP in Safe Mode.
How to start Windows 2000 in Safe mode.
How to restart Windows 9x or Windows Me in Safe Mode.
9. Double-click the FixKlez.com file to start the removal tool.
10. Click Start to begin the process, and allow the tool to run.
11. Restart the computer normally.
12. Run the removal tool again to ensure that the system is clean.
13. If you are running Windows Me/XP, then re-enable System Restore.

NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore was not disabled as previously directed because Windows prevents System Restore from being modified by outside programs. Because of this, the removal tool might fail.

14. Run LiveUpdate to make sure that you are using the most current virus definitions.

NOTE: If W32.Klez.gen@mm was activated before you ran the removal tool, in most cases you will not be able to start Norton AntiVirus (NAV). The instructions for running NAV from the command line and NAV reinstallation instructions are in the removal section of the W32.Klez.E@mm writeup.

When the tool has finished running, you will see a message that indicates whether the computer was infected by W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, or W32.ElKern.4926. If an infection was removed, the program displays the following results:
The total number of the scanned files
The number of deleted files
The number of repaired files
The number of viral processes terminated
The number of viral services deleted
The number of registry entries fixed

The digital signature
FixKlez.com is digitally signed. Symantec recommends that you use only copies of FixKlez.com that were downloaded directly from the Symantec Security Response download site. To check the authenticity of the digital signature, follow these steps:
1. Go to »www.wmsoftware.com/free.htm.
2. Download and save the Chktrust.exe file to the same folder in which you saved FixKlez.com (for example, the C:\Downloads folder).
3. Depending on your version of Windows, do one of the following:
Click Start, point to Programs, and click MS-DOS Prompt.
Click Start, point to Programs, click Accessories, and then click Command Prompt.
Change to the folder that contains FixKlez.com and Chktrust.exe, and then type

chktrust -i FixKlez.com

For example, if the file exists in the C:\Downloads folder, enter the following commands:

cd\
cd downloads
chktrust -i FixKlez.com

4. Press Enter after you type each command. If the digital signature is valid, you will see the following:

Do you want to install and run "W32.Klez Fix Tool" signed on 4/26/2002 8:16 PM and distributed by Symantec Corporation.

NOTES:
The date and time that appear in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
If you are using Daylight Saving Time, the time that appears will be exactly one hour earlier.
If this dialog box does not appear, do not use your copy of FixKlez.com. It is not from Symantec.

5. Click Yes to close the dialog box.
6. Type exit and then press Enter to close the MS-DOS session.

System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by other programs. As a result, there is the possibility that you could accidentally restore an infected file, or that online scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
How to disable or enable Windows Me System Restore.
How to disable or enable Windows XP System Restore.

For additional information and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

How to run the tool from a floppy disk
1. Insert the floppy disk that contains the FixKlez.com file into the floppy disk drive.
2. Click Start, and then click Run.
3. Type the following, and then click OK:

a:\fixklez.com

NOTES:
There are no spaces in the command a:\fixklez.com
If you are using Windows Me and System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled, or exit the removal tool.

4. Click Start to begin the process, and then allow the tool to run.
5. If you are running Windows Me, then re-enable System Restore.

NOTE: For customers who are using Norton AntiVirus 2000/2001/2002 (NAV). In most cases, after removing the virus, you must reinstall NAV. For instructions on how to do this, read the document How to restore Norton AntiVirus after removing W32.Goner.A@mm or W32.Klez.gen@mm.

»securityresponse.symante ··· ool.html

»www.pandasecurity.com/di ··· ties.htm

»www.pandasoftware.es/lib ··· e_en.htm