W32.Klez.gen@mm virus and me - Diesel Forum

rheaman · 10-08-2002, 10:31 PM

Just got a polite pm from a member who said he was sent the W32.Klez.gen@mm virus on my behalf. He was very understanding. If anybody else is sent a simliar email, I didn't send the darn thing and no my computer isn't infected with it.
If you get the email from anyone and even if you have virus protection go here http://securityresponse.symantec.com...klez.h@mm.html and run the free program to make sure you don't have it on your computer. This lil rascal can disable your virus protection as well as use your compputer for a mail server.
Thanks and no hate mail please, I'm innocent, I swear!

Powerstroke2000 · 10-14-2002, 02:10 PM

Yeah, my Norton 2000 has caught many of these clever little virus's wanting to invade my space! Thankfully they get quarantined and deleted before they are opened.

Dale...

WillyP · 10-19-2002, 10:15 AM

I had the same mails.
This severe virus is pickup up your ID, remailing a former E-mail with you as sender, and is even making a fake IP-adress so the Internet Service provider cant trace it.

See the description below. I took that description and made a special signaure for those mails, easy to answer.
Klez-virus

The one I got is worse
UPDATE (2002-10-02 13:30 GMT)

The Anti-virus company F-Secure is upgrading the Bugbear/Tanatos e-mail worm to Level 1 as it continues to spread rapidly. Currently it is the most widespread virus in the world together with Klez.

For more information, see Global Bugbear worm Information Center:

BugBear

For removal instructions, see the bottom of the page.

TECHNICAL DETAILS

Bugbear is a mass-mailing and network worm with keylogging and backdoor capabilties. It appeared in the wild on 30th of September 2002. The worm's file is a PE EXE (portable executable), 50688 bytes long and it is compressed with UPX file compressor.

Infecting a System

When run, the worm copies itself to Windows System directory with a random name (JFMV.EXE for example) and adds a startup key for this file to the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once]

It also drops a keylogging component as a DLL file with a randomly-generated name (ZLQPUPP.DLL for example) to Windows System folder. The worm also creates 2 more DLL files and stores some encrypted data there. The worm creates 2 randomly named DAT files in root Windows folder too.

E-mail Spreading

Bugbear spreads in e-mail messages as an attachment with randomly-generated names and with one or more extensions. Subjects and bodies of infected e-mails are also different. The mass-mailing routine is quite complex.

The worm has the ability to fake information in e-mail headers, so sometimes the sender's e-mail address gets replaced with another address that the worm finds on an infected system.

The worm's messages can contain IFrame exploit that allows it to run automatically on some computers when an infected e-mail is viewed (for example, with Outlook and IE 5.0 or 5.01). This vulnerability is fixed and a patch for it is available on Microsoft site:

http://www.microsoft.com/windows/ie/...ie/default.asp

spepin · 10-20-2002, 10:43 PM

I got it, but it wasn't from you -- it was from another member...

Steve.

Wildjon300ci · 10-21-2002, 10:47 PM

I recieved it about 3 months ago.....and it was too late when Norton detected it so I formatted the computer and started from scratch. (I was waiting to do that anyways) I don't use Outlook express, just too much hassel.