|
-
January 18th, 2002, 11:50 PM
#1
Virus Warning - Klez worm (Version 2)
Hi,
I got a virus warning and wanted to pass it on. This one is low risk but can do a lot of damage. Please read. Sincerely, Nancee
To Technical Professionals:
Please continue to DELETE all EMAIL messages that contain attachments ending in
EXE.
A new "version 2.0" variant of the Klez worm was discovered today. It is
currently not widespread and thus it is currently rated as "low risk".
Still, the innovative design of this virus is a significant concern, as just one
copy of this virus could result in significant damage. This is briefly
described as follows:
1. Klez.F is highly polymorphic (random subject/attachments that are unique
with each infection)
2. It has one of the most advanced designs seen to date. It is actually 2
viruses in one agent. The Klez component is the EMAIL transport mechanism
engine that carries the Elkern virus. Elkern is a low-level polymorphic cavity
infector with network spreading capabilities. It infects every EXE file on the
system.
3. It will copy itself to local, mapped, and network drives. In the right
setting, a network-aware virus can spread quickly and automatically to others
who attach to infected drives. This is why "one copy" of the virus can be
dangerous.
4. It is destructive. This worm will disable and delete Anti-Virus software.
The Klez component can set certain file lengths to zero. The Elkern component
can overwrite files with binary zeros destroying their contents.
5. It exploits Outlook vulnerabilities (Preview mode).
LINKS http://www.symantec.com/avcenter/[email protected] http://www.sophos.com/virusinfo/analyses/w32kleze.html http://www.f-secure.com/v-descs/klez.shtml
Subject of email: Random subject (there is no text in the EMAIL message)
Name of attachment: Random attachment with .exe extension
Vulnerabilities: EMAIL and Shared drives (infects shared and mapped drives)
Damage: Modifies files: On the 13th of every other month (starting with
January), makes files zero bytes in length)
Outlook EMAIL Recommendation: If the message is opened or previewed in an
unpatched version of Microsoft Outlook or Outlook Express, the attachment may be
automatically executed. Information about this vulnerability and a patch are
available at
http://www.microsoft.com/technet/sec...n/MS01-020.asp http://www.microsoft.com/technet/sec...n/MS01-027.asp
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
