Help with W32@Klez.eml worm

Goi

Diamond Member
Oct 10, 1999
Hi guys,
Lately I've been having a problem with this particular worm. It doesn't do any corruption or anything, which is why I've been ignoring it for a while, but McAfee VirusScan 6.02 (with the latest DAT files) keeps picking it up whenever I check my mail via Eudora. It shows up as a file called "temp.in" in the Eudora\spools folder, but it cannot be deleted or cleaned while I'm checking my mail, as Eudora is accessing it, and after my mail is checked the file goes away, so I have no idea how to clean it. I did a search on the web on this worm and it says that the symptoms include a file called "krm132.exe" in my Windows System folder, but I couldn't find such a file anywhere in my 4 HDD partitions. All the websites I went to pertaining to this worm didn't show any method of solving it except running the virus software with the latest virus definitions. Well, I did that and VirusScan didn't come up with anything. Please don't suggest using NAV or other virus software. I sincerely don't think it'd make a difference.

I'm using Windows 2000 Pro SP2 btw. Thanks!
 

Goi

Diamond Member
Oct 10, 1999
Well, the problem with that is that I can't find those registry entries in my Windows registry. Since I'm using Windows 2000, I tried looking at

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Krn132=C:\WINDOWS\SYSTEM\krn132.exe

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WQK=C:\WINDOWS\SYSTEM\WQK.EXE

as well as the WinNT equivalent, but couldn't find the key. In any case, I also couldn't find krn132.exe or WQK.EXE on my HDD in any of my partitions.
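As an added example (not code from the thread or from any of its posters), here is a Python script that checks the two Run-key entries quoted above under both HKLM and HKCU, and looks for the two named files in the system directory. The matching logic is kept separate from the registry read so it can be exercised with constructed entries on any platform; `winreg` is only used when the script actually runs on Windows. The `C:\WINNT\SYSTEM32` path in the sample entries is the NT default system directory and is an assumption made for the illustration, not something the thread states.

```python
"""Check the autostart locations quoted in the thread for the Klez entries it names.

Added example, not the thread's own code. The value names and file names come
from the write-ups quoted in the thread; the sample entries below are constructed.
"""
import ntpath
import os

try:
    import winreg  # Windows only; the matching below does not need it
except ImportError:  # non-Windows box, e.g. when testing the matcher
    winreg = None

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Value names and image names from the thread, compared case-insensitively
# (the thread itself writes them as Krn132/krn132.exe and WQK/WQK.EXE).
KLEZ_VALUE_NAMES = {"krn132", "wqk"}
KLEZ_FILE_NAMES = {"krn132.exe", "wqk.exe"}


def image_path(command):
    """Return the executable path from a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_klez_entries(entries):
    """entries: (hive, value_name, command) triples. Returns the suspicious ones.

    An entry is flagged if either the value name or the image file name is one
    of the Klez names, so a renamed value is still caught by its target and a
    renamed target is still caught by its value name.
    """
    flagged = []
    for hive, name, command in entries:
        path = image_path(command)
        if (name.lower() in KLEZ_VALUE_NAMES
                or ntpath.basename(path).lower() in KLEZ_FILE_NAMES):
            flagged.append((hive, name, path))
    return flagged


def read_run_entries():
    """Enumerate the HKLM and HKCU Run values (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    entries = []
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                        ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _kind = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                entries.append((label, name, str(value)))
                index += 1
    return entries


def klez_files_present(system_dir=None):
    """Return the Klez file names that exist in the system directory."""
    if system_dir is None:
        # Assumption: NT-style layout; SystemRoot is set on a real Windows box.
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "System32")
    return [f for f in sorted(KLEZ_FILE_NAMES)
            if os.path.exists(os.path.join(system_dir, f))]


# Constructed sample: one benign entry, one Klez entry recognised by value
# name, one recognised only by the image file name.
SAMPLE_ENTRIES = [
    ("HKLM", "Synchronization Manager", "mobsync.exe /logon"),
    ("HKLM", "Krn132", r"C:\WINNT\SYSTEM32\krn132.exe"),
    ("HKCU", "Updater", r'"C:\WINNT\SYSTEM32\WQK.EXE" -s'),
]

if __name__ == "__main__":
    entries = read_run_entries() if winreg else SAMPLE_ENTRIES
    for hive, name, path in flag_klez_entries(entries):
        print(f"{hive}\\...\\Run\\{name} -> {path}")
    for f in klez_files_present():
        print("file present:", f)
```

On a non-Windows machine the script falls back to the constructed entries so the matcher can be exercised; on Windows 2000 it reads the live Run keys. Both value name and target file name are checked because a write-up only tells you the names the author saw.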
 

holycow

Senior member
Feb 28, 2001
Have you tried uninstalling Eudora, removing temp.in manually, running a virus scan, then reinstalling Eudora?
Hope this helps. Back up your mail before you uninstall Eudora.
 

Goi

Diamond Member
Oct 10, 1999
I haven't tried uninstalling Eudora, but the problem with temp.in is that it doesn't exist in that particular directory (Eudora\spool) normally. It only exists when I check the mail, and once the mail checking is done it's gone. While I check the mail that file is accessed, which is why I can't delete it. It is created, accessed and deleted dynamically while I check my mail, so I have no way of deleting it whatsoever.

Also, I don't know why, but I've got a hunch that it's got something to do with my mailbox, especially my inbox. If that's the case, then uninstalling Eudora would have no effect if I reinstall it and restore my inbox to preserve my mail.

Running VirusScan on its own, with Eudora Pro installed, doesn't produce any results. VirusScan doesn't find any infected files at all.

Maybe I should check my hunch and rename my inbox and toc files for a week or 2 and see if I still get the VShield popups...
 

Goi

Diamond Member
Oct 10, 1999
Anyone else? I tried checking my mail using another computer with Outlook Express and NAV installed. I just configured Outlook with my mail account info and checked my mail, and then NAV popped up saying it detected the same Klez worm/virus... so what's up with that? Seems like people are sending me the worm?
 

thEnEuRoMancER

Golden Member
Oct 30, 2000
I've been having some problems with the W32.Klez.E@mm worm lately. The worm extracts the addresses from the infected computer's contact book and distributes itself to them (and also to addresses it finds in the internet cache). However, it is also capable of spoofing the sender. For example: person A is infected. Person A has person B in the contact book. Infected mail is sent to person C from A's computer with B specified as the sender. C's mail server rejects the infected mail and sends a virus notification to person B, not person A.
Well, I've been playing the role of person B for a week now, getting rejected emails all the time.

If you're getting any messages of rejection from mail servers like I do, you can check the information provided in the messages. Some mail servers will specify the real IP of the sender (i.e. of person A) somewhere in the body of the message. You can then reverse lookup the IP to determine the ISP hosting the infected computer and complain to the administrator about the worm problem.
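As an added example (not code from thEnEuRoMancER's post or from anyone in the thread), here is a Python script that does the triage described above on a constructed bounce message. It pulls the Received: headers from the returned original message, takes the earliest hop that carries a non-private bracketed address as the host that actually handed the mail to the first relay, and can optionally do the reverse lookup. The point it demonstrates is the one the post makes: the worm can forge From:, but each relay writes its own Received: line. The bounce layout (multipart/report with a message/rfc822 part), the host names, the addresses and the dates are all made up for the example; real bounces vary, so there is a fallback for servers that paste the headers into the text instead.

```python
"""Find the real origin of a Klez bounce from its Received: trail.

Added example, not the thread's own code. The sample bounce below is
constructed; hosts and addresses are documentation/example values.
"""
import email
import ipaddress
import re
import socket
from email import policy

# Every relay prepends its own Received: line, so the bottom-most one on the
# returned original is the first hop. A relay on the infected user's own LAN
# may have written a private address first; skip those.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BLOCK = re.compile(r"^Received:(.*(?:\n[ \t].*)*)", re.MULTILINE)


def returned_message(bounce):
    """Return the original message attached to a bounce, or None if absent."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def received_headers(raw):
    """Received: values from the returned original, newest first (header order)."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = returned_message(bounce)
    if original is not None:
        return [str(h) for h in original.get_all("Received", [])]
    # Fallback: the rejecting server pasted the headers into a text part.
    headers = []
    for part in bounce.walk():
        if part.get_content_type() == "text/plain":
            headers += [" ".join(m.split())
                        for m in RECEIVED_BLOCK.findall(part.get_content())]
    return headers


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def originating_ip(headers):
    """Earliest hop whose bracketed address is not on a private network."""
    for header in reversed(headers):
        for candidate in BRACKETED_IP.findall(header):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if not is_private(addr):
                return str(addr)
    return None


def reverse_lookup(ip):
    """PTR lookup (needs network access); None when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def triage(raw, resolve=False):
    bounce = email.message_from_string(raw, policy=policy.default)
    original = returned_message(bounce)
    forged_from = (str(original["From"])
                   if original is not None and original["From"] else None)
    ip = originating_ip(received_headers(raw))
    return {
        "forged_from": forged_from,  # whom the bounce blames; not trustworthy
        "origin_ip": ip,             # what to report to the ISP's abuse desk
        "origin_host": reverse_lookup(ip) if (resolve and ip) else None,
    }


# Constructed sample bounce: person C's server returns A's message to B.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <postmaster@mail.example.org>
To: personb@example.net
Subject: Undeliverable mail: Hi
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="bounce-boundary"

--bounce-boundary
Content-Type: text/plain

Your message to personc@example.org was rejected: W32/Klez found in attachment.

--bounce-boundary
Content-Type: message/rfc822

Received: from smtp.isp.example (smtp.isp.example [203.0.113.9])
    by mail.example.org with ESMTP id 4711; Mon, 11 Mar 2002 09:59:58 +0000
Received: from persona-pc (dialup-77.isp.example [203.0.113.77])
    by smtp.isp.example with SMTP id 4710; Mon, 11 Mar 2002 09:59:50 +0000
Received: from persona-pc ([192.168.1.5])
    by persona-pc with local id 1; Mon, 11 Mar 2002 09:59:49 +0000
From: personb@example.net
To: personc@example.org
Subject: Hi
Content-Type: text/plain

(infected body omitted)
--bounce-boundary--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BOUNCE))
```

Run against the sample, the forged From: is personb@example.net while the origin comes out as 203.0.113.77, the dial-up address behind person A; the 192.168.1.5 hop is skipped as a LAN address. Pass `resolve=True` on a connected machine to get the PTR name for the abuse report.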
 

CTweak

Senior member
Jun 6, 2000
That's the exact problem I am having right now! I keep getting 'bounced' email messages as if I am mailing the virus out and I'm not. (I use Eudora, my scans are clean, and I've checked the registry) I must be 'person B' then.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
> Please don't suggest using NAV or other virus software. I sincerely don't think it'd make a difference.

Actually it does, and NAV would make a difference :) As for your case, it sounds like McAfee is picking it up from something left over in your mail spool. It doesn't sound like you're infected, so you should be able to safely ignore this.

Bill
 

NOX

Diamond Member
Oct 11, 1999
NAV 2002 has actually stopped this virus a few times for me. I was downloading (via Outlook) my mail from my ISP's server when NAV 02 advised me I had infected mail. I was able to find out who the mail came from; it was a friend who wasn't infected, but passed on the mail to me.

NAV was able to identify the virus and log it. I was then able to send that log to my friend's ISP, and they were able to track it and notify others who may have been infected. Only on their network, however.