
Suspectable virus

Philip

Date: 11/19/2002 14:53:04 +0000
From: webmaster <webmaster@p8ntballer.com>
To: admin@ice-network.co.uk
Subject: Here to find out more!
Attachment 0
Type: text/html
Filename: Unknown.html
Encoding: quoted-printable
Attachment 1
Type: audio/x-wav
Filename: here to.bat
Encoding: base64
Attachment 3
Type: application/octet-stream; name=main;port=fs;chan=email;dcopt=ist;sz=468x60
Filename: main;port=fs;chan=email;dcopt=ist;sz=468x60;ord=526428[1].htm
Encoding: base64

Ok, any reason why I have this, is it official?

Any reason why I should have a .bat file sent to me as an attachment?

Cheers, Philip (can't scan it at the moment)
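The attachment list above is the tell: a part declared as `audio/x-wav` whose filename ends in `.bat`. An added example (not part of the original thread) that parses a constructed MIME message modelled on those headers and flags attachments whose declared content type disagrees with their extension, or whose extension is executable. The message body and the shortened filename `main.htm` are constructed stand-ins, not the mail Philip received:

```python
import email
import mimetypes
import os
from email import policy

# Constructed sample mirroring the attachment summary in the post above.
# The part contents are placeholders; only the headers matter for the check.
SAMPLE_MESSAGE = """\
From: webmaster <webmaster@p8ntballer.com>
To: admin@ice-network.co.uk
Subject: Here to find out more!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><body>hello</body></html>
--BOUND
Content-Type: audio/x-wav; name="here to.bat"
Content-Transfer-Encoding: base64

QGVjaG8gb2Zm
--BOUND
Content-Type: application/octet-stream; name="main.htm"
Content-Transfer-Encoding: base64

PGh0bWw+
--BOUND--
"""

# Extensions Windows will execute directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs", ".js"}


def audit_attachments(raw_message):
    """Return (filename, declared_type, reasons) for every named attachment.

    `reasons` is empty when nothing looks wrong, so a non-empty list is a finding.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # falls back to the Content-Type name= param
        if not name:
            continue
        declared = part.get_content_type()
        ext = os.path.splitext(name)[1].lower()
        guessed, _ = mimetypes.guess_type(name)
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension")
        if guessed and guessed != declared:
            # A media type that does not match the extension is the classic
            # trick for getting a mail client to auto-run the part.
            reasons.append(f"declared {declared} but extension implies {guessed}")
        findings.append((name, declared, reasons))
    return findings


if __name__ == "__main__":
    for name, declared, reasons in audit_attachments(SAMPLE_MESSAGE):
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{status}: {name} ({declared}) {'; '.join(reasons)}")
```

Run against the sample, `here to.bat` is reported for both reasons (executable extension, and a `.bat` is not a WAV file), and `main.htm` is reported because an `.htm` file is being shipped as `application/octet-stream`. The check is deliberately on headers only; it needs no virus scanner, which is the situation Philip describes.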
 

Philip

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

It also likes to open itself just by looking at the email, and attacks Outlook, little *******. Try http://www.microsoft.com/technet/security/bulletin/MS01-020.asp and see if they have a patch for it.



The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.



There ya go, worm for ya.

AKA: W32/Klez.e@MM [McAfee], WORM_KLEZ.E [Trend], Klez.E [F-Secure], W32/Klez-E [Sophos], Win32.Klez.E [CA], I-Worm.Klez.E [AVP]

It adds the value

Wink[random characters] %System%\Wink[random characters].exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

MOST OF THESE CAN BE DELETED BUT PLEASE DELETE THE KEY ONLY, NOT THE WHOLE FOLDER.

and inserts a value in that subkey so that the worm is executed when you start Windows. Mean lil bugger eh? Make sure you delete the keys that it makes so it can't start up with the Windows boot, also look in win.ini next to load=

and (yes, more stuff), the worm has a payload. On the 6th of every odd numbered month (except January or July), the worm attempts to overwrite with zeroes files that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, this payload attempts to overwrite absolutely all files with zeroes :(

Oh, it also disables a lot of common anti-vir proggies and recreates itself on your own .exe proggies.

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.

So be careful ladies and gents, my work is done ;)

Most of these are safe to delete, but please delete the key, not the whole folder.
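The post above gives three places to look for the worm's startup hook: a `Wink[random]` value under the `Run` key, a `Wink[random]` subkey under `Services`, and the `load=` line in win.ini. An added example (not from the thread or any vendor write-up) that runs those three checks over a constructed `reg export`-style dump and a constructed win.ini. The `Winkab12` and `Winkqz7` names are made-up stand-ins for the random suffix; on a real host the suffix differs every time, so the check matches the `Wink` prefix rather than a fixed name. It only reports, it does not delete, in keeping with the "delete the key, not the whole folder" advice:

```python
import re

# Constructed text in the format produced by `reg export` (not from a real host).
# Backslashes are doubled inside value data, as in a real export file.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\upd.exe"
"Winkab12"="C:\\WINNT\\System32\\Winkab12.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkqz7]
"ImagePath"="C:\\WINNT\\System32\\Winkqz7.exe"
"""

# Constructed win.ini with the load= hook the post tells you to check.
SAMPLE_WIN_INI = """\
[windows]
load=C:\\WINNT\\System32\\Winkab12.exe
run=
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\"
# "Wink" followed by the worm's random characters (assumed alphanumeric here).
WINK_NAME = re.compile(r"^Wink[A-Za-z0-9]+$", re.IGNORECASE)


def parse_reg_export(text):
    """Parse `[key]` / `"name"="data"` lines into {key: {name: data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        value_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys


def find_klez_persistence(reg_text, win_ini_text):
    """Return (kind, location, name, data) tuples for each suspicious hook."""
    findings = []
    keys = parse_reg_export(reg_text)

    # 1. A Wink[random] value under the Run key.
    for name, data in keys.get(RUN_KEY, {}).items():
        if WINK_NAME.match(name):
            findings.append(("run-value", RUN_KEY, name, data))

    # 2. A Wink[random] subkey directly under Services.
    for key, values in keys.items():
        if key.startswith(SERVICES_PREFIX):
            subkey = key[len(SERVICES_PREFIX):]
            if WINK_NAME.match(subkey):
                findings.append(("service-key", key, "ImagePath", values.get("ImagePath", "")))

    # 3. Anything at all on the load= line of win.ini (normally empty).
    for line in win_ini_text.splitlines():
        load_match = re.match(r"^\s*load\s*=\s*(.+?)\s*$", line, re.IGNORECASE)
        if load_match:
            findings.append(("win.ini-load", "win.ini", "load", load_match.group(1)))

    return findings


if __name__ == "__main__":
    for kind, location, name, data in find_klez_persistence(SAMPLE_REG_EXPORT, SAMPLE_WIN_INI):
        print(f"{kind}: {location} -> {name} = {data}")
```

On the sample this reports the `Winkab12` Run value, the `Services\Winkqz7` subkey and the win.ini `load=` entry, and leaves the legitimate `Updater` value alone. The win.ini check is a broad net on purpose: a populated `load=` line is rare enough on a clean machine that any entry there deserves a look.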
 

Philip

Originally posted by Paul_collier
Alternatively don't open attachments without verifying their content! :D

Paul.
And we all know that would make sense... so it's not gonna work ;) :D

Neomail don't let me do that ;) And I can't be arsed setting up IMP, it takes too long... :p