mouseylovegirls wrote:
> Hi Guys =^_^=
Hi again Mices
>
> The Mice squeaking here,
And the Dragon Roaring here (gah silly joke I know hehe)
> We were reading the postings and we saw
> this Klez virus thing and not wanting to appear to be dumb and stupid
> female mice we were wondering if you guys wouldn't mind answering a
> few questions, What the heck is it? And what does it do? and how do
> you stop it? and last but not least how do you recognize it if it's
> been sent to you O_O Now I know you guys all know about this virus
> thingys but we don't so be patient with us please as we're only little
> mice in a great big furry world after all. (Grin) So any help would
> be nice to the mice. Thank You.
>
> Lov Yah Char & Lynne The Mousey Love Girls XXXXXXXXXXXXXXXX
What is it
Basically, Klez is a worm-type virus that comes in different variants,
from Klez.A to Klez "go figure", but the most common version right now is
the Klez H version (and it's the most common over all other viruses right
now too). It is known to be pretty destructive upon execution, which
happens every 16th of the month if I remember well.
Here is a decent description (that will be better than if I try to explain
in my own words hehe) I found on the Trend Micro web site at
http://www.antivirus.com
This memory-resident variant of the WORM_KLEZ.A
<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?Vname=WORM_KLEZ.A>
mass-mailing worm uses SMTP to propagate via email. The subject line of
the email it arrives with is randomly selected from a list of possible
choices. See Tech Details
<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H&VSect=T>
for more information.
Upon execution, it drops files and creates an entry in the AutoRun key
of the system registry and then infects EXE files. It encrypts
(compresses) its target files and then modifies the file extension of
these with a random name. It also sets the attributes of its encrypted
files to Read-only, Hidden, System, and Archive. Thereafter, this worm
copies itself to the original filename of the infected file.
This worm makes sure that its filesize is the same as that of the
infected file. To do this, it pads garbage data at the end of the
infected file. It does not perform its Antivirus Retaliation routine on
machines running Windows NT 4.0 or lower. Windows NT 4.0 or lower do not
have system functions or the Application Program Interface (API) that
this worm uses to kill antivirus-related processes.
Read more about these variants
<http://www.antivirus.com/vinfo/security/klez_descrip.htm>
Solution:
<http://www.antivirus.com/vinfo/virusencyclo/glossary.asp#solution>
Automatic Removal Instructions
Please download and run the fix_worm_klez_4.04.zip fix tool
<http://www.antivirus.com/vinfo/security/fix_worm_klez_4.04.zip>. Trend
Micro requests that all users also download and read the
readme_worm_klez_4.04.txt
<http://www.antivirus.com/vinfo/security/readme_worm_klez_4.04.txt> text
before using this tool.
Manual Removal Instructions
 1. For Windows 95 systems:
      * Restart your computer.
      * Press the F8 key when you see the message, "Starting Windows
        95."
 2. For Windows 98/Me systems:
      * Restart your computer.
      * Press the Ctrl key until your Windows 98 startup menu appears.
      * Choose the Safe Mode option then hit the Enter key.
 3. For Windows XP systems:
      * Restart your computer.
      * When prompted, press the F8 key. If Windows XP Professional
        starts without the "Press select operating system to start"
        menu, restart your computer.
      * Press F8 again after the Power-On Self Test is done.
      * Choose the Safe Mode option from the Windows Advanced
        Options Menu.
 4. For Windows 2000 systems:
      * Restart your computer.
      * Press the F8 key, when you see the Starting Windows bar at
        the bottom of the screen.
      * Choose the Safe Mode option from the Windows 2000 Advanced
        Options Menu.
 5. Scan your system with Trend Micro antivirus and write down the
    filenames of all files detected as WORM_KLEZ.H. These infected
    files may be WINK*.EXE files. * is a random number of characters.
 6. Click Start>Run, type Regedit then hit the Enter key.
 7. In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
 8. In the right panel, look for and then delete these registry
    values. * is any random characters:
      * "Wink*" = "%System%\Wink*.exe"
      * "WQK" = "%System%\Wqk.exe"
 9. In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
10. Under the Services key, look for and then delete this subkey:
    Wink*
11. Close the Registry Editor.
12. Restart the system.
13. Scan your system with Trend Micro antivirus and delete all files
    detected as WORM_KLEZ.H. To do this, Trend Micro customers must
    download the latest pattern file
    <http://www.antivirus.com/download/pattern.asp> and scan their
    system. Other email users may use HouseCall, Trend Micro's free
    online virus scanner <http://housecall.antivirus.com>.
14. Since this worm uses a vulnerability in HTTP-based email clients
    like Microsoft Outlook and Outlook Express, please apply the
    latest patches as follows:
      * Update to Internet Explorer 5.01 SP2
        <http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp>
      * Update to IE 5.5 SP2
        <http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp>
      * Update to IE 6.0
        <http://www.microsoft.com/windows/ie/downloads/ie6/default.asp>
Take care Mice, it's always a pleasure to hear from you two
LD
Received on Fri May 31 2002 - 16:23:00 CDT
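
Added example (not part of the original post or of Trend Micro's instructions): the registry checks in steps 7 to 10 of the quoted manual removal, run read-only over a text export made with regedit's "Export Registry File" so nothing is deleted until the hits have been reviewed. SAMPLE_EXPORT is constructed data and find_klez_entries is a hypothetical helper name.

```python
import fnmatch
import re

# Registry locations named in steps 7 and 9 of the quoted instructions.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# Constructed sample of a regedit text export (assumption, not real data).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winkabc"="C:\\WINDOWS\\SYSTEM\\Winkabc.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"
"Winamp Agent"="C:\\Program Files\\Winamp\\winampa.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkabc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winmgmt]
"Start"=dword:00000002
'''

# "name"="string data" lines; backslashes inside the quotes are escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def find_klez_entries(export_text):
    """Return (kind, key, name) tuples matching steps 8 and 10."""
    hits, key = [], ""
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            parent, _, leaf = key.rpartition("\\")
            # Step 10: a Wink* subkey directly under Services.
            if parent.lower() == SERVICES_KEY.lower() and fnmatch.fnmatchcase(leaf.lower(), "wink*"):
                hits.append(("service", key, leaf))
            continue
        m = VALUE_RE.match(line)
        if not m or key.lower() != RUN_KEY.lower():
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        base = data.rpartition("\\")[2].lower()
        # Step 8: "Wink*" pointing at Wink*.exe, or "WQK" pointing at Wqk.exe.
        if (fnmatch.fnmatchcase(name.lower(), "wink*") and fnmatch.fnmatchcase(base, "wink*.exe")) \
                or (name.lower() == "wqk" and base == "wqk.exe"):
            hits.append(("run", key, name))
    return hits

if __name__ == "__main__":
    print(*find_klez_entries(SAMPLE_EXPORT), sep="\n")
```

The check only matches on names, so a hit is a pointer to the entries the instructions list, to be confirmed by the antivirus scan in step 5 before anything is removed.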