From http://www.antivirus.com

Aliases: <http://www.trendmicro.com/vinfo/virusencyclo/glossary.asp#aliases>
W32/Klez-G, I-Worm.Klez.h, I-Worm.W32/Klez.gen_at_MM, W32.Klez.H_at_mm

Description: <http://www.trendmicro.com/vinfo/virusencyclo/glossary.asp#description>
This memory-resident variant of the WORM_KLEZ.A
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?Vname=WORM_KLEZ.A>
mass-mailing worm uses SMTP to propagate via email. The subject line of
the email it arrives with is randomly selected from a list of possible
choices. See Tech Details
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H&VSect=T>
for more information.

Upon execution, it drops files and creates an entry in the AutoRun key
of the system registry and then infects EXE files. It encrypts
(compresses) its target files and then modifies the file extension of
these with a random name. It also sets the attributes of its encrypted
files to Read-only, Hidden, System, and Archive. Thereafter, this worm
copies itself to the original filename of the infected file.

This worm makes sure that its filesize is the same as that of the
infected file. To do this, it pads garbage data at the end of the
infected file. It does not perform its Antivirus Retaliation routine on
machines running Windows NT 4.0 or lower. Windows NT 4.0 or lower do not
have system functions or the Application Program Interface (API) that
this worm uses to kill antivirus-related processes.

LD

Istanbul wrote:
> Could someone please explain to me what exactly KLEZ *does* aside from
> replicate itself?
> All anyone has ever said is that it copies itself...which seems
> relatively innocuous, to be honest.
> (BTW, I apologize in advance for bringing this up.)
>
> ----- Original Message -----
> From: lord-dragon_at_enter-net.com <mailto:lord-dragon_at_enter-net.com>
> To: SkunkworksAMA_at_yahoogroups.com
> <mailto:SkunkworksAMA_at_yahoogroups.com>
> Sent: Friday, July 12, 2002 4:06 AM
> Subject: Re: [VIRUS ALERT] Re: [SkunkworksAMA] I thought some
> would like that already...
>
> It's the Klez worm; basically it picks up random addresses you have in
> your e-mail thingy and sends itself automatically with an
> autogenerated message.
>
> Go to http://www.antivirus.com to scan your PC and get rid of it if
> you have it.
>
> Vermilion19_at_aol.com wrote:
>
>> I just DL'ed this file and during the DL, a virus was piggybacked
>> to it. Delete it!
>>
>> Vermilion
>> Your use of Yahoo! Groups is subject to the Yahoo! Terms of
>> Service <http://docs.yahoo.com/info/terms/>.
Received on Fri Jul 12 2002 - 10:54:20 CDT
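
The file pattern in the vendor description quoted above (an EXE whose original was renamed to a random extension and marked Read-only, Hidden, System and Archive) can be checked for in a directory listing. The following is an added example, not code from Trend Micro or from anyone in this thread; it assumes the renamed original keeps its base name and stays in the same directory, and the listing it runs on is constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Windows file attribute bits (values from winnt.h).
READONLY, HIDDEN, SYSTEM, ARCHIVE = 0x01, 0x02, 0x04, 0x20
RHSA = READONLY | HIDDEN | SYSTEM | ARCHIVE


def find_suspect_pairs(listing):
    """Return sorted (exe_path, sibling_path) pairs worth a manual review.

    listing: iterable of (path, attribute_bits) tuples.
    A pair is reported when an .exe shares directory and base name with a
    non-.exe file that carries all four R/H/S/A attributes.
    Assumption (not stated on the page): base name and directory are kept.
    """
    by_stem = defaultdict(list)
    for path, attrs in listing:
        p = PureWindowsPath(path)
        by_stem[(str(p.parent).lower(), p.stem.lower())].append((p, attrs))

    pairs = []
    for entries in by_stem.values():
        exes = [p for p, _ in entries if p.suffix.lower() == ".exe"]
        hidden = [p for p, a in entries
                  if p.suffix.lower() != ".exe" and (a & RHSA) == RHSA]
        pairs.extend((str(e), str(h)) for e in exes for h in hidden)
    return sorted(pairs)


# Constructed sample listing; none of these names come from the advisory.
SAMPLE = [
    (r"C:\Tools\winzip.exe", ARCHIVE),
    (r"C:\Tools\winzip.qxk", RHSA),              # all four bits, same base name
    (r"C:\Tools\notes.exe", ARCHIVE),
    (r"C:\Tools\notes.txt", ARCHIVE),            # ordinary sibling
    (r"C:\Tools\setup.exe", ARCHIVE | READONLY),
    (r"C:\Tools\setup.dat", HIDDEN | SYSTEM),    # only two of the four bits
    (r"C:\Other\winzip.tmp", RHSA),              # different directory
]

if __name__ == "__main__":
    for exe, sibling in find_suspect_pairs(SAMPLE):
        print(f"review: {exe} <-> {sibling}")
```

A match is a lead for a scan, not a verdict. On a live Windows host the attribute bits for each file can be read from `os.stat(path).st_file_attributes`.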