KLEZ Alert
Date issued: 04/29/02
Updated: 05/29/02

KLEZ Summary:

KLEZ Removal Instructions:
The direct links to the removal tools above are:

KLEZ Behavior

Mass Emailing for Self-Propagation: This worm searches the Windows address book, the ICQ database, and local files (including cached web pages) for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. For example, if the worm encounters the address user@abc123.com it will attempt to send email via the server smtp.abc123.com.

Email Spoofing: Some variants of the Klez worm use a technique known as "spoofing." If it does this, it chooses at random an address that it finds on an infected computer as the "From:" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else when in fact the supposed sender was not infected with the Klez virus. For example, John Q. Public is using a computer infected with W32.Klez.E@mm; John Q. is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Everyman. It inserts Harold's email address into the "From:" line of an infected email that it then sends to John Q. Public. For more information about KLEZ "spoofing" return e-mail addresses please see the following news articles:
http://www.wired.com/news/technology/0,1282,52174,00.html
http://www.wired.com/news/technology/0,1282,52055,00.html

Local and Network Drive Copying: The worm copies itself to local, mapped, and network drives as a random file name with a double extension (for example, Filename.txt.exe) or as a .rar archive that has a double extension (for example, Filename.txt.rar). For more information see:
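As an added example, not part of this alert and not code from any vendor's removal tool, here is a Python sketch of the gateway-side checks that the behaviour above implies: flag attachments whose name carries a double extension with a risky final part, record when the From: domain disagrees with the envelope sender, and choose a notification address that is not the spoofable From: line. The message, hosts, addresses and attachment names are constructed for the example; the risky extensions beyond .exe and .rar, and the notification policy (postmaster of the host named in the topmost Received: header), are assumptions of the example rather than anything the alert states.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Final extensions that a harmless-looking inner extension (".txt") is used to
# disguise, matching the Filename.txt.exe / Filename.txt.rar pattern above.
# Only exe and rar come from the alert; the rest are an assumption.
RISKY_FINAL_EXTENSIONS = {"exe", "scr", "pif", "bat", "com", "rar"}


def has_double_extension(filename):
    """True for names such as Readme.txt.exe: a base name, an inner
    extension, and a risky outer extension. setup.exe alone is not flagged."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    base, inner, outer = parts
    return bool(base) and bool(inner) and outer in RISKY_FINAL_EXTENSIONS


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def scan_message(raw):
    """Gateway-side report for one message: flagged attachments plus the
    From: vs. envelope-sender comparison. A mismatch is only a hint (mailing
    lists and forwarders also produce one); the attachment check is the
    reliable part."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename() and has_double_extension(part.get_filename())
    ]
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "header_mismatch": from_domain != envelope_domain,
        "flagged_attachments": flagged,
        "infected": bool(flagged),
    }


def notification_target(raw):
    """Where a scanner should send its 'infected message blocked' notice.

    Never the From: address: the worm fills it with an address harvested from
    the infected PC, so that notice would land on an innocent third party.
    Instead take the host named in the topmost Received: header, i.e. the
    machine that actually handed the message to us (hypothetical policy;
    returns None when no such header can be read)."""
    msg = message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", str(received[0]))
    return f"postmaster@{m.group(1)}" if m else None


# Constructed sample: a Klez-style message relayed from a workstation at a
# fictional infected site, with a harvested third-party address in From:.
SAMPLE_MESSAGE = b"""\
Return-Path: <nobody@xyz.example.com>
Received: from pc-17.xyz.example.com ([192.0.2.17]) by mx.example.org; Mon, 29 Apr 2002 10:00:00 +0000
From: Harold Everyman <harold@example.net>
To: john@example.org
Subject: a funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Look at this.
--XX
Content-Type: application/octet-stream; name="Readme.txt.exe"
Content-Disposition: attachment; filename="Readme.txt.exe"
Content-Transfer-Encoding: base64

TVo=
--XX
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

harmless
--XX--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
    print("notify:", notification_target(SAMPLE_MESSAGE))
```

The filename check is the part worth keeping: it catches the worm's own naming pattern regardless of which subject line or body text a given message uses, which is exactly why the newsletter below says name-based filtering is no substitute for patching.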
More KLEZ Information
1. KLEZ ARRIVES IN FORCE

Unlike most viruses, this one does NOT need you to open an email attachment; just opening or previewing the message in Outlook or Outlook Express is enough in the right circumstances. This isn't a theoretical virus, it's very real. Just before sending this issue of WOW we checked one of our email accounts and found two infected messages. Despite the threat against their products you won't find anything directly relevant on the Microsoft web site unless you know the code words - and even then you have to check the fine print. Given the situation and lack of direct information from Microsoft I got a headache trying to find out what was going on. So I delegated the whole thing to Peter Deegan, who is a past master at divining glimmers of fact from behind the obfuscation that Microsoft employs.
This vulnerability has been known since at least May 2001 and the possibility of viruses spreading just by reading messages long before that. As a result some of the patches from Microsoft have slowed the spread of this virus; however, as events of the last few days have proved, not enough computers have been protected. Klez will spread itself to other email addresses it finds in your Windows address book, ICQ lists and files you have saved to your hard drive. The message it generates in outgoing messages can have a variety of subject lines, body text and attachments. There's no use trying any simplistic protection method against messages with certain names or files; you need to make sure your copy of Internet Explorer and occasionally Outlook Express is updated.

Why Internet Explorer? Don't worry about what version of Outlook or Outlook Express you have - it is your browser that may need fixing.

WHICH VERSIONS OF IE
But if you look in the fine print you'll also find that Internet Explorer 6 can still be vulnerable! If you have:
I don't know about you but I can't remember what I installed yesterday, let alone the install option I might have chosen a year or more ago! Thankfully some more digging on the Microsoft web site will reveal an answer: the problem with the minimal or custom installs is that they don't update Outlook Express. If you think you might be in the above group then open up Outlook Express and check the version number; if it starts with a 5 then you need to reinstall IE 6 with either the Typical or Full option - the download page is here
Windows NT 4 and Windows 2000 users with IE 6 are also safe (there's no minimal or custom upgrade option when moving to IE 6, so Outlook Express is always updated). Users of Internet Explorer 5.01 with Service Pack 2 (check the Help | About screen) are OK.

Internet Explorer 5.01
Internet Explorer 5.5

These patches include fixes for other problems. If you've been checking Windows Update occasionally (in IE, Tools | Windows Update) then you may have already applied these patches. You might decide this is the time to switch to Internet Explorer 6 - it is a large download but it has been out for some time now and is pretty stable. If you choose this route then make sure you choose either the Typical or Full install option. Naturally you should make sure your anti-virus software is up to date with the latest virus information. If you've been infected with a Klez virus already you'll have to remove it. Both Symantec and Kaspersky have a removal tool and manual instructions for removal
For starters, even if you've selected another program as your default browser, IE is still lurking on your computer and is used by Outlook and Outlook Express to display messages. So even if you don't use it directly, you have to make sure IE is patched. In the short time we've had to prepare this issue we've not been able to establish the possibility of a Netscape vulnerability. Since Netscape's Messenger email program uses the Netscape browser to display messages it is
You might think that an email virus that targets Microsoft's operating system / browser would be worthy of a mention to their customers. You'd be wrong. You can be sure that many naïve people would turn to the Microsoft company web site for help. They only find assistance if they know (by telepathy presumably) to go to an article headed 'Incorrect MIME Header can cause IE to execute e-mail attachment', which is what they need. Even then that article isn't clear and doesn't mention 'Klez' or viruses - the intention is to be obscure and minimize the company's responsibility. It would be foolish to think that checking a simple version number on the Help | About screen would be enough. Sure, they could set up their software so that you could simply say 'version nn.nnnn and above is safe' - but not Microsoft. The possible IE 6 vulnerability mentioned above wasn't revealed by Microsoft until last September and even then is just a footnote in their technical details. Most people would look at the list of vulnerable products at the top (only IE 5.01 and 5.5) and not realize they could be at risk. Even under the heading 'Does this vulnerability affect IE 6?' it commences with an emphatic 'No' and then proceeds to qualify that without getting near the specific point. You have to jump to another Knowledge Base article to find what you need, like the version of Outlook Express to look for. Even that explanation isn't consistent with other parts of the MS web site. It lists Windows 95 as potentially vulnerable but elsewhere Windows 95 is omitted because it can't support an IE 6 upgrade! So don't worry if you get confused, it's not you, it's the tangled web of versions, upgrades, updates and patches that Microsoft has foisted on you. Be reassured, and more than a little scared, that even the highly paid experts at Microsoft can't get the story straight.

8. KLEZ CONTINUES

The Klez notices I like most are the ones generated by email scanning programs. Here's what happens.
Klez infects a machine at XYZ Corporation. Klez starts doing its thing, churning out infected messages and sending them everywhere. As you probably know, Klez can "spoof" the return address - it picks up a random email address from the infected PC and makes the infected messages look like they came from the "spoofed" id. My id is on quite a few PCs, as you might imagine, and so infected messages go out all the time that appear to originate from my id. Back at XYZ Corporation, the automatic email scanner catches the infected messages before they get sent out - which is great. The scanner reacts by sending a message to the person who's transmitting all of these bad messages. Since my id has been spoofed, the email scanner thinks that I've been sending out the messages. So the scanner sends me a message saying that I'm sending out infected messages, via the XYZ.com mail server! Gad. It ain't my fault! Honest!

Of course, you were smart and followed our instructions last week, so you weren't infected, right? You made sure you had the latest patches for Internet Explorer, right? Er, right? If you didn't, kick yourself twice, and pull up this issue of WOW: And of course you've updated your anti-virus software package's definition files. Right? Er, right?
Quoted from Woody's Office Watch. See http://www.woodyswatch.com/office/archtemplate.asp?v7-n16 for the original publication.