
VIRUS ALERT!! (here we go again)

  • 06-06-2002 2:53am
    Closed Accounts Posts: 1,322 ✭✭✭


    People,

    At around 6:30pm on Wednesday the 5th of June (yesterday), I received some mail from a person unknown to my iol.ie mail account. Since I was using Outlook as a mail client, I didn't have much time to notice who the mail was from, before it was opened. All of a sudden I noticed the mail was blank, and then a file download dialog appeared, the progress bar quickly flashed from start to finish, and then the dialog disappeared (this all happened in about 1 sec). At that point I knew the **** was about to hit the fan.

    I deleted the mail (too late, I know). I paused for a moment to see if my HD was going mad, or any instant damage was being done. Nothing else happened, so I continued about my business. I went to burn a CD and for the first time in about a year the burn failed at about 50% due to a buffer underrun. I noticed HD activity had increased. So being pissed off, I turned off my PC, and left it alone for a while. When I returned, I went online, and checked my mail. I had 8 new mails in just over two hours. Here's the interesting part. All the new mails were from people's mail service saying that person X or company Y could not accept email from you for various reasons. I hadn't sent any of those people mail. I had a quick look at the returned message, and in each case an executable, of different names and file extensions, was being sent from my account. The subject line was very well done, because in one instance it sent some mail to freewarehome (a free software/shareware site I frequent), with the subject line set to: A new utility you might be interested in!
    How the hell did it know that freewarehome was a shareware site?

    At this point I thought I should delete the contents of my address book, just in case it would try and attack anybody in there (probably too late, I know). So I gave one of my mates a ring (who was in my address book earlier), he was on his way up to my gaff, and while here, checked his hotmail account for anything suspicious. @ around 7pm a mail was sent from his work account to his hotmail account. He didn't send this mail, and it bore the same characteristics as my ba$tard child received only mins earlier.

    So in the panic, I went to install a virus scanner (don't all shout at me at once ;) ). I didn't have one installed coz I am only after a fresh dual boot OS install, and hadn't time to complete my essential software installs. The scanner software has failed to install, on many occasions this evening. Shiiiiiiiiiiiiiiiiite :(
    Anyway, bugger all it could do without the latest sigs.

    So in a state of anger, I am determined to catch this fukker, and sort it out. Coz I'm not one to stand back and watch some malicious piece of software ruin my life (being a software developer and all).
    So here is some info I have gathered, that might help you track the fukker.

    I am running Win98SE, and have noticed the following:
    When I call msconfig/Startup tab I can see a program called Winkozl.exe in my C:\Windows\System directory. This file has all attribs set (Hidden, System, Read-only), bloody typical. I have never seen this file before. If I try and remove (uncheck) it from msconfig/Startup, the next time I boot, another entry will have been inserted, and it of course checked/enabled.

    The next piece of info is when you call up task manager (Ctrl+Alt+Del), I see a filename (of type exe) that is different each time I boot. I have noticed the filename is alpha-numeric, and is 6 characters in length. While it is in your task list, it can be found in C:\Program Files. When you kill this program in the task manager, it disappears from C:\Program Files. An example of its filename was Uy22b0.exe.

    Other info includes:
    My HD activity increases when I go online (initially)
    My HD free space remains the same
    When online, the bytes sent are moving around 2-3 times faster than the bytes received, which is usually the other way around. And no, I'm not sending that much request information, or running file sharing software.

    Just there a few mins before I sent this mail, I received the same virus again from someone else, with their display name cteieknel and the Subject of the mail May 9 2002 17.

    Anyway that's all my news for now. I know a couple of people up here in Galway with this virus, I'm sure many more will know about it in the next day or two. Perhaps we should start an angry mob, and track down the fukker who wrote this. Coz do you know what is really bugging me, I don't actually know as of yet what damage the program is doing to MY system, let alone multiplying by mail.

    ;-phobos-(


Comments

  • Moderators, Music Moderators, Recreation & Hobbies Moderators Posts: 9,389 Mod ✭✭✭✭Lenny


    AFAIK, norton do a free online scan..
    try that at their site


  • Registered Users Posts: 1,825 ✭✭✭Gambler


    That virus is currently ranked as the worst virus in circulation at the moment but all the virus scanners will catch it if you update them.. You can also get a util from Symantec designed just for Klez-H (The little bugger on your machine)

    It's a nasty little virus that sends e-mails to people in your address book but masquerades as other people in your address book.. (IE will send a message to Tom that looks like it's from Sally)

    Check out http://www.theregister.co.uk/content/56/25542.html


  • Registered Users Posts: 11,446 ✭✭✭✭amp


    Klez is nasty. Nasty nasty nasty.


  • Registered Users Posts: 20,099 ✭✭✭✭WhiteWashMan


    and it does what exactly?


  • Moderators, Business & Finance Moderators, Society & Culture Moderators Posts: 9,764 Mod ✭✭✭✭ToxicPaddy


    This is what the Klez Virus does...


    W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

    W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).

    The worm has the ability to spoof the From: field (often set to an address found on the victim machine). the worm attempts to unload several processes (antivirus programs) from memory.

    The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions.

    The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine).

    For more info read here

    As was said, most anti virus programs that are up to date can detect this, but if you don't have it you are in trouble as this thing is on the rampage at the moment.

    Very nasty and very dangerous to unprotected systems..

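As an added defender-side illustration of two tricks in the description quoted above (an executable delivered under a media-type MIME header that an unpatched IE 5.01/5.5 would open on its own, and single or double file extensions on the attachment), here is a Python check run over a constructed sample message. It is not code from this thread, McAfee or any vendor; the list of auto-open MIME types is an assumption, and every filename except Uy22b0.exe (taken from the first post) is made up.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run if the attachment is opened.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "bat", "com"}
# Declared types the unpatched IE 5.01/5.5 MIME handling would open without
# asking; this particular list is an assumption, not taken from the thread.
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi"}

def attachment_findings(msg: EmailMessage) -> list[str]:
    """Return one line per suspicious trait of each executable attachment."""
    findings: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        exts = name.lower().split(".")[1:]  # everything after the first dot
        if not exts or exts[-1] not in EXECUTABLE_EXTS:
            continue  # non-executable attachments are not flagged here
        findings.append(f"{name}: executable attachment")
        if ctype in AUTO_OPEN_TYPES:
            findings.append(f"{name}: executable declared as {ctype} (MIME header mismatch)")
        if len(exts) >= 2:
            findings.append(f"{name}: double extension hides executable")
    return findings

def scan_raw(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message (e.g. one file of a Maildir) and scan it."""
    return attachment_findings(email.message_from_bytes(raw, policy=policy.default))

def build_sample() -> EmailMessage:
    """Constructed message modelled on the thread's description; not a real capture."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "someone@example.invalid"  # Klez spoofs this, so it proves nothing
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "A new utility you might be interested in!"
    # No text body at all, only attachments: the "blank mail" the first post describes.
    msg.add_attachment(b"MZ\x90\x00", maintype="audio", subtype="x-wav",
                       filename="Uy22b0.exe")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="readme.txt.exe")
    msg.add_attachment(b"notes", maintype="text", subtype="plain", filename="notes.txt")
    return msg

if __name__ == "__main__":
    for line in scan_raw(build_sample().as_bytes()):
        print(line)
```

The same check applied to a real mailbox would only ever flag, never clean; the thread's own advice (patch IE, update the scanner) is still what removes the exposure.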

  • Closed Accounts Posts: 88,978 ✭✭✭✭mike65


    I've received two instances of Klez, today and the first on Monday, if you had checked the security board you'd have seen me warn of this!

    http://www.boards.ie/vbulletin/showthread.php?s=&threadid=53796

    As for not having a virus checker installed I'm boggled, you don't even have to pay for a good one.

    I use AntiVir®/9x Personal Edition which was a cover CD freebie.

    If you ain't tooled up already go here.

    http://www.thefreesite.com/Free_Software/Anti_virus_freeware/

    Mike.


  • Registered Users Posts: 14,761 ✭✭✭✭Winters


    /me starts Live Update.

    Large scale e-mailing: This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.
    Releases confidential info: Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment.

    Humm. Nasty

    He, He, He:

    The email message that this worm sends is composed of "random" strings. The subject can be one of the following:
    ...
    introduction on ADSL

    It knows our weakness :D


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    hmm seems the hole this particular virus uses has been addressed (albeit only a month ago)...

    http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp

    always a very good idea to keep both your operating system and anti-virus software as up to date as possible.

    I'd suggest downloading the above immediately, and make sure anyone else you know who isn't aware of it does likewise (especially those not running AV software).. :)


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    I just booted my machine for the first time today a few mins ago. I am noticing some serious processing blocks to the input buffers (ie from keyboard) every few seconds. I can keep typing, but what I am typing might not appear on screen for a second or two.

    Also I said that a random file (.exe) is placed in my Program Files dir, and stays there while the program is resident in memory. Well today I have noticed two other files called desktop.ini, and folder.htt (hypertext template).

    This virus is obviously only attacking MS OS's. Coz I have linux in my box also, and everything is working fine there. Also WRT my I/O over my connection, take a look at this, and take in to consideration how long I'm online
    [attached image: connectRate.jpg]
    I'm surprised many of ye haven't gotten this thing yet, coz I have received it many times from sources unknown over the past 24 hours.

    I just got a mail a few seconds ago, and the subject was W32.Klez.E removal tools. It has an attachment, but I didn't ask anyone for this utility, so I can assume it's just the virus doing what it does best.

    As of now, what I would like to know is if it is a bootsector virus (ie if I formatted my drive could I get rid of it). Is it the .E or .H variation of W32.Klez?

    Keep us posted

    ;-phobos-(


  • Moderators, Music Moderators, Recreation & Hobbies Moderators Posts: 9,389 Mod ✭✭✭✭Lenny


    I got a weird email in my boards email earlier..
    it was 167kb in size, and it had no text or attachments in it..
    It was also from some address I didn't recognise.. and it was about a phone bill..
    I don't know how it could be spam, as I have never received spam in the account anywhere.. just for personal use..


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    Right,

    Cheers for that info lads, I got a scanner installed, and I can confirm that the virus was called Worm/Klez.E

    It had infected 13 executables on my machine within the last 24 hours (including quake3.exe, the ba$tard :mad:, and MSDev.exe, but left javac.exe alone (gwan Java) ;) )

    McAfee's site gives good info on it. Link posted above by ToxicPaddy (cheers for that m8)

    It doesn't seem to have any bootsector tendencies, but it has left some applications on my machine in a bit of a state. It didn't seem to harm any core OS files. But I wouldn't tempt fate by waiting for it to do some damage.

    Also, what seems to annoy me is that I've gotten rid of the virus, but that doesn't mean that the virus will stop sending itself to my account. I could disable the account, but it's one I use regularly. I wouldn't worry too much, because it's been a hectic 24 hours, and I have learned a fair bit about this nasty bugger, so I will if it tries to invade my box again :cool:

    ;-phobos-)


  • Registered Users Posts: 3,165 ✭✭✭DEmeant0r


    I've heard about this bugger of a worm before... only read about it now, but good thing I don't know many people on this internet so I wouldn't have a big chance of getting hit...


  • Registered Users Posts: 3,055 ✭✭✭suppafly


    An up-to-date Norton Anti-Virus would catch the virus wouldn't it?


  • Closed Accounts Posts: 112 ✭✭beserker


    Klez is really really nasty, I got 5 or 6 emails from strangers into an account in the space of 3-4 hours all in the same day like. They all tried to run themselves when opened but my AV caught them. Funnily enough I haven't got one since. Klez is really doing the rounds. :( Just keep everything updated by at least checking windows update and your AV's site once a week like kali said.


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    Got the little bastard on one of the machines in work a few days ago. Luckily it wasn't able to disable the AV software, probably because it was a non-administrative account on an XP machine (never use your Admin account for general use, folks ;) ), but unfortunately the guy who set up the PC had forgotten to enable the auto-protect feature. It messed the machine up good - files with double extensions all over the place, a zip disk that was left in the PC got infected, network shares suddenly became unusable, machine slowed noticeably. Luckily I was able to reimage the PC straight away and none of the other computers on the network had open shares (something I learnt to avoid after Nimda...) so it was an isolated and quickly dealt-with incident.

    I haven't actually got an email containing the virus yet though.


  • Registered Users Posts: 12,309 ✭✭✭✭Bard


    I have Outlook XP and so will not be affected. However, reading this served as a reminder to me to update my AV software.

    I suggest a quick perusal of this page


  • Closed Accounts Posts: 88,978 ✭✭✭✭mike65


    http://www.microsoft.com/windows/ie/downloads/critical/q290108/download.asp

    is the official MS bug fix link, it has two versions, one for IE 5.01
    the other for 5.5. I'm running IE 6.02 so am I safe?

    Mike.


  • Registered Users Posts: 70 ✭✭BTBB


    Remind me: Linux only 2 viruses ever known. (Macro viruses are another problem)

    Windows can't read or write Linux => can't do damage.

    For fixing this one(off the top of my head):
    Remove all entries for the registry in Windows/Run. Remove any other references. I'd suggest Safe Mode for this. Copy system.dat and user.dat to a safe location.

    Reboot into DOS using Windows CD. Copy those two files back. Check win.ini and system.ini for problems with 'edit' or 'qbasic /e'.

    Reinstall windows from the CD. Only system files will be touched but be careful not to format your drive.

    Da da.

    Option 2: Save documents, reformat hard drive, reinstall windows.

    Option 3: Virus scanner

    Option 4: Linux

    Desktop.ini and folder.htt: has someone just turned on 'Show hidden and system files'? Don't worry too much about these although folder.htt contains javascript.

    BTBB

