Stoves Archive for April 2002
74 messages, last added Tue Nov 26 17:31:34 2002


Info on the Klez.H worm that Eld did _not_ send out



Dear Stovers

Sorry for the length of this but things are getting worse, it appears.

Elk has checked his machine and it is clean.  The worm is apparently able to
pick up other email addresses and substitute them to make it appear as the
sender.  The effect of this is to make it more difficult to track down the
infected machine and warn the real sender early.  It is called address
spoofing.  The name has also changed at least once to Kles.gen and it
appears people are stitching together parts of other worms.  You can read
the little braggart's 'copyright' claim at the bottom of this message.

I received another copy this morning with an attachment of 170k which is the
largest version I have seen.  I sent it in for checking (without
opening/reading it! - just drag and drop to the outgoing message) and
received the following reply.  Please note how many additional file names
are appearing on people's drives.

In a bizarre twist, the one that arrived this morning gave as its 'sender' a
unique word taken from the filename of one of the files on our New Dawn
Engineering website.  I am investigating the source of that message.

I have been communicating with the My eTrust systems engineer and they have
modified their cleaning approach to include the disabled versions of the
worm which I discovered hiding inside the .rar files.  There were 9 on one
of my machines.  It is in update v2004.  Also see below.

Here in the 'bush' people are struggling to get their systems back up and
running.  This is due to the expense (in our currencies) of antivirus
programs and professional help and the inconvenience and cost of getting
regularly downloaded updates.

Regards
Crispin

----- Original Message -----
From: Glen Iris EZ AV-Support <EZ_AVSupport@ca.com>
To: <crispin@newdawn.sz>
Sent: Wednesday, May 01, 2002 8:01 AM
Subject: myetrust technical issue : ref No.20020501153351614


****PLEASE NOTE: Further queries on this issue may be answered by a
different technician.****
****It is therefore very important that you include the full history of this
issue when replying so that we can provide an informed answer to your query
quickly.****

Thank you for your e-mail.

The file you sent us contained Win32.Klez.H which is detected and cleaned by
update 1993 or higher which is available for download from our website.

You should scan all files on your harddisk with EZ AV and then restart your
computer.

To scan all files go to:
[snip]

The worm spreads through open shares.  If your hard drives are shared either
remove the share or password protect the share.

You should also download and install all Microsoft critical updates for your
computer.  To ensure your Windows operating system has all critical updates
from Microsoft installed you can go to: http://windowsupdate.microsoft.com
and click on Product Updates

The following information is available at:

http://www3.ca.com/Virus/Virus.asp?ID=11779

Win32.Klez.H is a mass-mailing, network-aware worm that spreads by using SMTP
and taking advantage of open network shares. In addition it drops a
polymorphic file infector virus into the Program Files directory.

The body of the message may be constructed from a list of phrases inside the
virus. Each message contains HTML code which exploits the "Incorrect MIME
Header" vulnerability in Internet Explorer, Outlook and Outlook Express. If
successful the e-mail attachment will be opened on viewing the message
without the user's knowledge.

For more information on this vulnerability see:

http://www.microsoft.com/technet/security/bulletin/ms01-020.asp

The attachment names vary as they are randomly generated. The extension is
randomly chosen from the following list:
.exe
.scr
.pif
.bat

Klez.H uses a variety of Subject lines that can include the following words
and phrases:

how are you
lets be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls vocal concert
japanese lass sexy pictures
Detected
Hi
Hello
Re:
Fw:
Undeliverable mail--"*****"
Returned mail-"*****"
a ***** ***** game
a ***** ***** tool
a ***** ***** website
a ***** ***** patch
*****  removal tools

The Subject line may also include the name of the recipient.

The message body can be randomly constructed or in some cases left empty.
The following is a sample list that contains words and phrases that may be
used to construct the message body. The worm may also use the words and
phrases listed above for Subject construction:

The following mail can't be sent to *****:
The attachment
The file
 is the original mail
 give you the *****
 is a ***** dangerous virus that *****
can infect on Win98/Me/2000/XP.
spread through email.
very
special
http://
www.
.com
For more information,please visit
This is
This game is my first work.
You're the first player.
I ***** you would ***** it.
enjoy
like
wish
hope
expect
Happy
Have a
Christmas
New year
Saint Valentine's Day
Allhallowmas
April Fools' Day
Lady Day
Assumption
Candlemas
All Souls' Day
Epiphany

where ***** is a word randomly selected from the following list:

new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky

Klez.H may use address spoofing to make the e-mail it sends appear as if it
has come from another machine. It uses addresses that it locates in the
infected system to display in the "From" line of the e-mail.

The worm can also send a message with the Subject:

"Worm Klez.E immunity"

and the message body:

[Beginning of message]
"Klez.E is the most common world-wide spreading worm.It's very dangerous by
corrupting your files. Because of its very smart stealth and anti-anti-virus
technic,most common AV software can't detect or clean it. We developed this
free immunity tool to defeat the malicious virus. You only need to run this
tool once,and then Klez will never come into your PC.

NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV
monitor maybe cry when you run it.
If so,Ignore the warning,and select continue. If you have any question,please
mail to me."
[End of message]

When the attachment is executed the worm drops a copy of itself into the
System directory. It then sets up a registry key to run itself on Windows
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\="C:\WINDOWS\SYSTEM\"

The file name and registry value name are identical and are randomly
generated but always begin with "Wink". For example "Winkhj.exe".

The worm creates further copies of itself by inserting its code into .rar
archives. Note: On machines where Klez.H has [been] activated, CA antivirus
solutions report these files as infected; users need to manually delete
infected files located inside archives.

Klez.H also drops and activates a polymorphic virus - Win32/Wqk.C.

The encrypted text inside the worm code reads:

" & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
 1,Main mission is to release the new baby PE virus,Win32 Foroux
 2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
 1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
 2,With very interesting feature.Check it!
 3,No any payload.No any optimization
 4,Not bug free,because of a hurry work.No more than three weeks from having
such idea to accomplishing coding and testing"

Klez also acts as a companion virus. It locates a Win32 PE program, copies it
under a different name (using a random extension) and overwrites the
original with the worm code (e.g. it copies MSACCESS.EXE to MSACCESS.UYI
and overwrites the original MSACCESS.EXE).

During this action the virus does not increase the size of the infected
program and keeps its original resources so it presents a user with the same
icon.

The copy of the original file is marked as system and hidden. It is also
compressed. As such the file is no longer a Win32 executable.
When a user executes a file that has been overwritten with the worm code,
for example MSACCESS.EXE, the worm runs first, then it locates, decompresses
and executes the original program.

Regards,

Steve Trusler
Systems Engineer
My eTrust Antivirus Support Team
Computer Associates

**** IMPORTANT INFORMATION ****
It is very important to update your antivirus product often to detect new
viruses written every day.

The Virus Update is updated almost every day and is available from
http://my-etrust.com/products/subscriptions/AntiVirus/



-
Stoves List Archives and Website:
http://www.crest.org/discussion/stoves/200204/
http://crest.org/discussiongroups/resources/stoves/
>
Stoves List Moderators:
Ron Larson, ronallarson@qwest.net
Elsen L. Karstad, elk@wananchi.com www.chardust.com
>
List-Post: <mailto:stoves@crest.org>
List-Help: <mailto:stoves-help@crest.org>
List-Unsubscribe: <mailto:stoves-unsubscribe@crest.org>
List-Subscribe: <mailto:stoves-subscribe@crest.org>
>
Sponsor the Stoves List: http://www.crest.org/discuss3.html
-
Other Biomass Stoves Events and Information:
http://www.bioenergy2002.org
http://www.crest.org/articles/static/1/1010424940_7.html Bioenergy
http://www.crest.org/articles/static/1/1011975339_7.html Gasification
http://www.crest.org/articles/static/1/1011975672_7.html Carbon
>
For information about CHAMBERS STOVES
>http://www.repp.org/discussiongroups/resources/stoves/Chambers/Chambers.htm
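A mail-triage check built from the indicators in the CA advisory quoted in the message above (the Subject templates, the ***** filler words and the four attachment extensions). This is an added example written for this archive page, not code from Computer Associates or from the Stoves list; the function names are my own and the sample messages at the bottom are constructed.

```python
import re

# Subject templates and filler words copied from the CA advisory quoted in the
# message above; "*****" marks a slot the worm fills with one FILLERS word.
SUBJECT_TEMPLATES = [
    "how are you", "your password", "meeting notice", "congratulations",
    "sos!", "welcome to my hometown", "introduction on ADSL", "Detected",
    'Undeliverable mail--"*****"', 'Returned mail-"*****"',
    "a ***** ***** game", "a ***** ***** tool", "a ***** ***** website",
    "a ***** ***** patch", "***** removal tools",
]
FILLERS = ["new", "funny", "nice", "humour", "excite", "good", "powful",
           "WinXP", "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec",
           "Mcafee", "F-Secure", "Sophos", "Trendmicro", "Kaspersky"]
# Attachment extensions the advisory says the worm picks at random.
BAD_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")

def normalize(text):
    # Collapse runs of whitespace so double spaces in templates are harmless.
    return " ".join(text.split())

def template_to_regex(template):
    """Compile one template into a case-insensitive regex. Each '*****' slot
    matches any single FILLERS word; an optional 'Re:'/'Fw:' prefix and an
    optional trailing recipient name are allowed, as the advisory describes."""
    word = "(?:" + "|".join(re.escape(w) for w in FILLERS) + ")"
    body = word.join(re.escape(p) for p in normalize(template).split("*****"))
    return re.compile(r"^(?:re:|fw:)?\s*" + body + r"(?:\s+\S.*)?$", re.I)

SUBJECT_PATTERNS = [template_to_regex(t) for t in SUBJECT_TEMPLATES]

def klez_reasons(subject, attachment_name):
    """Return the advisory indicators a message exhibits (constructed wording).
    Both together are the strong signal; either alone is only a hint."""
    reasons = []
    if any(p.match(normalize(subject)) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches a Klez.H template")
    if attachment_name and attachment_name.lower().endswith(BAD_EXTENSIONS):
        reasons.append("attachment extension is one the worm uses")
    return reasons

def is_likely_klez(subject, attachment_name):
    return len(klez_reasons(subject, attachment_name)) == 2

if __name__ == "__main__":
    # Constructed sample messages for illustration, not real captures.
    for subj, att in [("a funny IE 6.0 patch", "kqa.pif"),
                      ('Undeliverable mail--"W32.Klez.E"', "report.exe"),
                      ("meeting notice Crispin", "agenda.doc"),
                      ("stove test results", "data.xls")]:
        print(f"{subj!r:40} {att:12} -> {klez_reasons(subj, att)}")
```

A subject such as "Hi" or "Re:" alone is deliberately not in the template list, since flagging it without the attachment check would hit ordinary list traffic.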