W32.Klez.H@mm is a modified variant of the worm W32.Klez.E@mm. This variant is capable of spreading by email and network shares. It is also capable of infecting files.
Damage:
- Payload: This worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.
- Large-scale e-mailing: This worm searches the Windows address book, the ICQ* database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.
- Releases confidential info: The worm randomly chooses a file from the machine and sends it to recipients along with the worm. A file with any of the following extensions may be attached to the email message alongside the viral attachment: .mp8, .txt, .htm, .html, .wab, .asp, .doc, .rtf, .xls, .jpg, .cpp, .pas, .mpg, .mpeg, .bak, .mp3, .pdf. Because the file is chosen at random, any document on the infected machine, including private correspondence or spreadsheets, can leave the organization this way.
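A triage check for the payload behaviour described above, added here as an example (it is not code from the advisory or from any antivirus vendor). It looks for the pairing the advisory describes: a visible executable next to a hidden file with the same name and a "random" extension. The assumptions are that host files are .exe programs, that the set of extensions a hidden sibling may legitimately carry (`BENIGN_SIBLING_EXTS`) is tuned per site, and that the directory listing in `SAMPLE_LISTING` is constructed rather than taken from a real infection.

```python
"""Triage check for the Klez.H host-file replacement described under "Payload".

Added example; not code from the advisory or from any antivirus vendor.
The advisory states that the worm overwrites an executable with itself and
leaves a hidden, encrypted copy of the original under the same base name
with a random extension.  This script looks for that pairing in a directory
listing: a visible executable next to a hidden file that shares its stem
but carries an extension no normal companion file would use.
"""
import os
import stat

# Host file types the worm is taken to overwrite.  Assumption: the advisory
# says only "executables", so .exe is the one certain case.
HOST_EXTS = {".exe"}
# Extensions a hidden sibling of an executable can legitimately have.
# Assumption: tune this to what actually lives next to your binaries.
BENIGN_SIBLING_EXTS = {".dll", ".ini", ".cfg", ".log", ".pdb", ".manifest"}
# Windows hidden attribute bit; the stat module defines it on every platform.
_HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)


def suspect_host_copies(entries):
    """entries: iterable of (filename, is_hidden) for one directory.

    Returns a sorted list of (executable, hidden_copy) pairs in which the
    hidden file shares the executable's name (case-insensitively) and has
    an extension outside both HOST_EXTS and BENIGN_SIBLING_EXTS, i.e. one
    that looks random.
    """
    by_stem = {}
    for name, hidden in entries:
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.lower(), []).append((name, ext.lower(), hidden))

    hits = []
    for files in by_stem.values():
        hosts = [n for n, e, h in files if e in HOST_EXTS and not h]
        copies = [n for n, e, h in files
                  if h and e and e not in HOST_EXTS
                  and e not in BENIGN_SIBLING_EXTS]
        hits.extend((host, copy) for host in hosts for copy in copies)
    return sorted(hits)


def _is_hidden(entry):
    """Windows hidden attribute when the platform reports one, otherwise the
    Unix dot-file convention."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & _HIDDEN_ATTR) or entry.name.startswith(".")


def scan_directory(path):
    """Apply suspect_host_copies() to the plain files in one directory."""
    with os.scandir(path) as it:
        entries = [(e.name, _is_hidden(e))
                   for e in it if e.is_file(follow_symlinks=False)]
    return suspect_host_copies(entries)


# Constructed listing (not from a real infection): notepad.exe has a hidden
# sibling with a random extension, setup.exe has only normal companions.
SAMPLE_LISTING = [
    ("notepad.exe", False), ("notepad.qzx", True), ("notepad.ini", False),
    ("setup.exe", False), ("setup.dll", False), ("setup.log", True),
    (".hidden_script.sh", True),
]

if __name__ == "__main__":
    for host, copy in suspect_host_copies(SAMPLE_LISTING):
        print(f"{host}: hidden copy of the original is {copy}")
```

Because every infected host has been overwritten with the worm body, the flagged executables should be byte-identical to one another; hashing them is a quick second check. The test misses a hidden original whose random extension happens to fall in `BENIGN_SIBLING_EXTS`, so keep that set short.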
Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP* engine and attempts to guess an available SMTP server from the recipient's domain. For example, if the worm encounters the address user@abc123.com it will attempt to send email via the server smtp.abc123.com.
The subject line, message bodies, and attachment file names are random. The From address is randomly chosen from email addresses that the worm finds on the infected computer. This means that the contaminated email may not be from the address in the "From" line, so that address cannot be used to identify the infected computer.
The worm will search files that have the following extensions for email addresses:
- .mp8
- .exe
- .scr
- .pif
- .bat
- .txt
- .htm
- .html
- .wab
- .asp
- .doc
- .rtf
- .xls
- .jpg
- .cpp
- .pas
- .mpg
- .mpeg
- .bak
- .mp3
- .pdf
In addition to the worm attachment, the worm also may attach a random file from the computer. The file will have one of the following extensions:
- .mp8
- .txt
- .htm
- .html
- .wab
- .asp
- .doc
- .rtf
- .xls
- .jpg
- .cpp
- .pas
- .mpg
- .mpeg
- .bak
- .mp3
- .pdf
As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly-selected file.
The email message that this worm sends is composed of "random" strings. The subject can be one of the following:
- Undeliverable mail--"[Random word]"
- Returned mail--"[Random word]"
- a [Random word] [Random word] game
- a [Random word] [Random word] tool
- a [Random word] [Random word] website
- a [Random word] [Random word] patch
- [Random word] removal tools
- how are you let's be friends
- darling
- so cool a flash, enjoy it
- your password
- honey
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- questionnaire
- congratulations
- sos!
- japanese girl VS playboy
- look, my beautiful girl friend
- eager to see you
- spice girls' vocal concert
- japanese lass' sexy pictures
The random word will be one of the following (spelling as used by the worm):
- new
- funny
- nice
- humour
- excite
- good
- powful
- WinXP IE 6.0
- W32.Elkern
- W32.Klez.E
- Symantec
- Mcafee
- F-Secure
- Sophos
- Trendmicro
- Kaspersky
The body of the email message is random.
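The traits listed above (the subject templates, the random-word list, and the executable-plus-data-file attachment pair) can be turned into a message fingerprint for mail filtering or log review. The following is an added example, not code from the advisory or from any antivirus vendor. It assumes the worm's own attachment is a Windows executable with one of the extensions .exe, .scr, .pif or .bat (the advisory says only that the worm attaches "itself"), and the message in `SAMPLE` is constructed for the example, not captured.

```python
"""Fingerprint for the W32.Klez.H@mm message described above.

Added example; not code from the advisory or from any antivirus vendor.
Scores a raw RFC 822 message on the traits the advisory lists: a subject
drawn from the worm's templates, the worm itself as an attachment, and a
second attachment with one of the listed data-file extensions.
"""
import email
import os
import re
from email import policy

# Subject strings and random words, copied from the advisory.
RANDOM_WORDS = [
    "new", "funny", "nice", "humour", "excite", "good", "powful",
    "WinXP IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee",
    "F-Secure", "Sophos", "Trendmicro", "Kaspersky",
]
FIXED_SUBJECTS = {
    "how are you let's be friends", "darling", "so cool a flash, enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl vs playboy", "look, my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
}
_WORD = "(?:" + "|".join(re.escape(w) for w in RANDOM_WORDS) + ")"
TEMPLATE_SUBJECTS = [
    re.compile(rf'^(?:undeliverable|returned) mail--"{_WORD}"$', re.I),
    re.compile(rf"^a {_WORD} {_WORD} (?:game|tool|website|patch)$", re.I),
    re.compile(rf"^{_WORD} removal tools$", re.I),
]

# Assumption: the worm's own attachment is a Windows executable.  The
# advisory says only that the worm attaches "itself".
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat"}
# Second-attachment extensions, straight from the advisory's list.
DATA_EXTS = {".mp8", ".txt", ".htm", ".html", ".wab", ".asp", ".doc", ".rtf",
             ".xls", ".jpg", ".cpp", ".pas", ".mpg", ".mpeg", ".bak", ".mp3",
             ".pdf"}


def subject_matches(subject):
    """True when the subject is one of the fixed strings or fits a template."""
    s = " ".join(subject.split())          # collapse folded/extra whitespace
    if s.lower() in FIXED_SUBJECTS:
        return True
    return any(p.match(s) for p in TEMPLATE_SUBJECTS)


def _ext(name):
    """Lower-cased extension of an attachment file name, '' if none."""
    return os.path.splitext(name)[1].lower()


def score_message(raw):
    """Return the traits found in one raw message.  'klez_like' is set when
    the subject matches and an executable attachment is present."""
    msg = email.message_from_string(raw, policy=policy.default)
    exts = [_ext(p.get_filename() or "") for p in msg.iter_attachments()]
    traits = {
        "subject_match": subject_matches(msg.get("Subject", "")),
        "executable_attachment": any(e in EXECUTABLE_EXTS for e in exts),
        "data_attachment": any(e in DATA_EXTS for e in exts),
        "attachment_count": len(exts),
    }
    traits["klez_like"] = traits["subject_match"] and traits["executable_attachment"]
    return traits


# Constructed sample in the worm's shape, not a captured message.  The
# From: address belongs to an uninfected third party, as the advisory notes.
SAMPLE = """\
From: harold.logan@example.org
To: janet.bishop@example.net
Subject: a funny Symantec patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(random body text)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

TVo=
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

harvested second attachment
--b1--
"""

if __name__ == "__main__":
    for trait, value in score_message(SAMPLE).items():
        print(f"{trait}: {value}")
```

The subject check alone is weak (the fixed strings are short and some are ordinary phrases), so `klez_like` requires the executable attachment as well; the second data-file attachment is reported but not required, because the advisory says the worm "may" attach it.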
Notes:
- Because this worm uses a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with W32.Klez.H@mm. Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.H@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything, as would be expected, because his computer is not infected. The infected machine is one that has both Harold's and Janet's addresses stored on it, and it is not named anywhere in the message.
If you are using a current version of Norton AntiVirus and have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
- There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message sent by the virus, the attachment is the virus itself. Such attachments should not be opened. A genuine delivery failure report returns your own message or its headers; it never asks you to open a program.
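One way to tell the forged postmaster bounce from a real delivery failure report, as an added example (not code from the advisory or from any vendor): a genuine report uses the multipart/report layout with a message/delivery-status part (RFC 3464), whereas the forgery is an ordinary message that names your own postmaster as sender and carries the worm. The executable extensions, the `classify_bounce` function and the three sample messages are assumptions and constructions of this example.

```python
"""Tell a genuine delivery failure report from the forged "postmaster"
bounce described in the note above.

Added example; not code from the advisory or from any antivirus vendor.
Assumptions: a real bounce uses the multipart/report layout with
report-type=delivery-status and a message/delivery-status part (RFC 3464);
the forgery is taken to carry the worm as a Windows executable attachment,
which the advisory describes only as "the virus itself".
"""
import email
import os
from email import policy
from email.utils import parseaddr

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat"}     # assumed, see above
BOUNCE_SENDERS = {"postmaster", "mailer-daemon"}


def classify_bounce(raw, my_domain):
    """Classify one raw RFC 822 message received at my_domain as
    'genuine-dsn', 'forged-bounce' or 'not-a-bounce'."""
    msg = email.message_from_string(raw, policy=policy.default)

    # Does the From: line claim our own postmaster?  (Trivially forgeable,
    # which is why the remaining checks look at structure, not sender.)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    claims_own_postmaster = (local.lower() in BOUNCE_SENDERS
                             and domain.lower() == my_domain.lower())

    # A real DSN is multipart/report; report-type=delivery-status and
    # carries a message/delivery-status part with the failure details.
    is_report = (msg.get_content_type() == "multipart/report"
                 and msg.get_param("report-type", "").lower() == "delivery-status")
    has_status = any(p.get_content_type() == "message/delivery-status"
                     for p in msg.walk())
    exec_attached = any(
        os.path.splitext(p.get_filename() or "")[1].lower() in EXECUTABLE_EXTS
        for p in msg.iter_attachments())

    if is_report and has_status and not exec_attached:
        return "genuine-dsn"
    if claims_own_postmaster:
        # Our "postmaster" sending something that is not laid out as a DSN,
        # or that ships a program to run, is the worm's forgery.
        return "forged-bounce"
    return "not-a-bounce"


# Constructed messages, not captured traffic.
GENUINE_DSN = """\
From: postmaster@anyplace.com
To: jsmith@anyplace.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="r1"

--r1
Content-Type: text/plain

Your message to nobody@example.net could not be delivered.
--r1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.anyplace.com

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--r1--
"""

FORGED_BOUNCE = """\
From: postmaster@anyplace.com
To: jsmith@anyplace.com
Subject: Undeliverable mail--"Mcafee"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="f1"

--f1
Content-Type: text/plain

(random body text)
--f1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="mail.scr"
Content-Transfer-Encoding: base64

TVo=
--f1--
"""

PLAIN_MAIL = "From: alice@anyplace.com\nTo: jsmith@anyplace.com\nSubject: lunch?\n\nNoon?\n"

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE_DSN), ("forged", FORGED_BOUNCE),
                       ("plain", PLAIN_MAIL)]:
        print(label, "->", classify_bounce(raw, "anyplace.com"))
```

This is a triage rule, not authentication: the sender line is whatever the worm wrote, so the deciding properties are the MIME layout and the executable attachment, neither of which a real mail server's failure report has.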
If you would like to learn more about this virus please see either of the following sites: Symantec, McAfee
MTP
Note: If you are running an antivirus program it is mandatory that it be kept up to date, or it will not catch the latest viruses and your computer and/or network could become infected.
*ICQ: "I Seek You" - Communications network on the Internet. If you would like to know whether your friends are surfing the Web right now, ICQ does the searching for you, alerting you in real time when your friends sign on. More information: http://www.icq.net.
*SMTP: Simple Mail Transfer Protocol - The main protocol used to transfer email between servers on the Internet.