Klez.E virus?

Slickone (Diamond Member, joined Dec 31, 1999)
As I was downloading email, NAV 2002 (DAT up to date) found a virus in one of my emails (it doesn't tell which one). I think it was the following one. This isn't legit, is it?



<< From: victorumnitz <victorumnitz@hotmail.com>

Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.
>>



NAV quarantined the file, which was Please.scr, and the virus was W95.CIH.
I'm using Netscape Messenger.

So everything's cool, right?

 

CraigRT (Lifer, joined Jun 16, 2000)
Baaaad idea to open that.
Delete it right away and you should be fine.
I had about 10 of those come to my mailbox today at work... blah. Pretty widespread virus, I must say...
 

arod (Diamond Member, joined Sep 26, 2000)
CIH is a nasty virus... There is a very specific way that you have to remove it. I had to take it off somebody's computer and I had to boot into DOS and disable it because it attacked the virus program itself. I can't remember too much more because it's been a year or so since I did that.
 

Slickone (Diamond Member, joined Dec 31, 1999)
But NAV popped up before I opened it! NAV found it and quarantined it as I was downloading email, before I even read the message. And I never did execute the attachment.
So didn't NAV get rid of it?
 

YaKuZa (Senior member, joined Aug 26, 2000)
If you have email scanning enabled then NAV scans all emails before they are previewed. I got the same virus today. NAV caught it and I deleted it. Anybody know how to tell which account I got the virus from? I use multiple pop accounts with Outlook Express and I'm not sure which email address got the virus because NAV deleted the file before I could check. Thanks.
 

Russ (Lifer, joined Oct 9, 1999)
Six sent to me today. Never even made it to my local drive, since I have my e-mail client set up to leave attachments on the server until I decide to download or delete.

One of my customers got nailed with it Monday, though. No matter how many times you tell people NOT to open these attachments, they still do.

Russ, NCNE
 

Harvey (Administrator, Elite Member, joined Oct 9, 1999)
I think that's the one I posted about, the other day. Here's a repost of the info.

* * *

You don't have to open any attachment to get this one. If you're not protected, looking at the e-mail is enough to bite you. This sucker is mean. It changes the subject line with every transmission, and it grabs other names from the sender's address book and places that name as the sender, so it does not appear to be from the same source.

This appears to be a VBS virus. Beyond keeping your AV software up to date, there is one other thing you can do -- Uninstall Windows Scripting Host.

The other name for Windows Scripting Host is Visual Basic Scripthosting -- VBS. Around 95% of all Windoze users will never encounter a need for it. Uninstalling it is easy, and it removes the mechanism these viruses use to do their dirty deed. This means, you can't get a VBS virus, even if the latest update for your AV software has not yet figured it out.

Here's a url with step-by-step instructions for doing it. This will take you to a selector for Win 95, 98, 2K and NT. For other versions, the slightly more techie way is to find the file, WSCRIPT.EXE, and delete it, or just rename it.

This is totally non-destructive. If you ever do need it, all that will happen is, you'll get an error message saying the system can't find it. If so, you have two options -- re-install it, which is just as easy as the uninstall, or find another application that does the same thing without Windows Scripting Host. The latter is obviously the preferred solution.

Good luck. :)
 

MacBaine (Banned, joined Aug 23, 2001)
My mom got the virus from one of her friends the other day, and I spent about 3 hours removing it... It's REALLY annoying. It gets into your address book and sends out emails to all your friends, but changes the From line to make it look like people they know. And with it came about 5 more emails with attachments claiming to be anti-virus utils. Makes me mad... :|
 

Balt (Lifer, joined Mar 12, 2000)
This was the first virus I've ever received via e-mail (or any other method, for that matter). If you aren't patched up this sucker will run without even opening an attachment. I right-clicked to delete the e-mail and a dialog box immediately popped up asking me if I wanted to save it or run it. :frown:

Edit: The Klez.E that is, not the 'protection' virus. ;)
 

MacBaine (Banned, joined Aug 23, 2001)
I use AVG, and you have to get the latest patch from them (like 513 or something) which just came out recently, or else it won't detect it. I kept mine updated and it still didn't catch it.
 

Blayze (Diamond Member, joined Feb 22, 2000)
Does anyone know if the free version of AVG will detect/remove this virus?

I have that running on one of my systems and Norton on another.
 

gypsyman (Senior member, joined Jan 14, 2001)
I got this W32KLEZ.gen@mm also. I have not had a virus for almost a year. Now in the last 2 days, I am getting 3-4 emails a day in each of our 3 email boxes (Outlook Express). Norton 2002 AV has caught and quarantined them all. There are various senders such as tinman14 and Karen34589 etc. Some files are and.scr, snoopy.exe and lgen.exe.

I was thinking of blocking them in OE, but all you see is the first part of the sender address, not the @ part. Anyway, OE only sends blocked messages to the Deleted folder, and Norton will continue to catch them and interrupt the mail download till each item is quarantined and deleted. If these keep coming (2 days now), will I have to create new email addresses or switch to a different mail viewer, or is there a block at the source with my ISP? Any help appreciated. Thanks
 

bsobel (Moderator Emeritus, Elite Member, joined Dec 9, 2001)
> No matter how many times you tell people NOT to open these attachments, they still do.

Klez auto launches in many cases without the user double clicking on the attachment (thank you Outlook).

As for the original poster: yes, NAV took care of it, you're fine.

Bill
 

gypsyman (Senior member, joined Jan 14, 2001)
Hello bsobel, I did not open them. The virus has not activated because no attachment file was opened. My PC is only 2 months old and I have run all the instant updates from MS. I have IE 6 and NAV 2002, so all patches from MS are current and so is AV. Can you offer any advice as to whether they will keep coming, or how to defeat that at the ISP level so it never has to be quarantined in the first place? Thanks.
 

Harvey (Administrator, Elite Member, joined Oct 9, 1999)
Norton's home page has some info on Klez. Do a search to find more. They do not say their latest update stops it, but they offer a free removal tool download.

Or, you could just read my previous post in this thread about uninstalling Windoze Scripting Host. By definition, all AV programs are reactive. That is, they don't write the patch or any trap for the parameters of a new virus until somebody gets it and identifies it. Uninstalling WSH is proactive. It uninstalls the specific mechanism VBS viruses use to do their dirty deeds. Switching to NS, Mozilla or Opera and using another mail program will also help.

Here's more info from Computer Associates.

Windows is a virus with mouse support. :|
 

bsobel (Moderator Emeritus, Elite Member, joined Dec 9, 2001)
> gypsyman Can you offer any advice as to if they will keep coming or how to defeat that at the ISP level so it never has to be quarentined in the first place?

Your ISP would need to be running AV software to scan your mail. I do that, for example, on my mail server (www.vipmail.com). But it's really up to the ISP to decide to do it.

> Harvey They do not say their latest update stops

Yes we do stop it, and we say it right on the page you linked.

> By definition, all AV programs are reactive

NAV2002 includes the script blocking which I referenced in your other thread about this. That is proactive, not reactive, as it does not allow unknown attacks to access the system.

Bill

 

Harvey (Administrator, Elite Member, joined Oct 9, 1999)
Bill -- I take it you work for Norton/Symantec. I just went back to the page, and the only text I found was:

"Security Response: W32.Klez.gen@mm W32.Klez.gen@mm is a mass-mailing worm that will send itself to all email addresses in the Microsoft Outlook Address Book.

The subject and attachment name of incoming emails are randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.

The worm may include a virus that will destroy all files on the 13th of March and September."

Here's a link to the removal tool on their site. :)
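The Symantec description Harvey quotes (attachments ending in .bat, .exe, .pif or .scr), YaKuZa's question about which of several POP accounts received the worm, and the ISP-side scanning bsobel describes all come down to the same check on the message. Here it is as an added Python example; this is not code from the thread, from NAV or from Symantec. The three messages are constructed samples, the header names are the standard ones, and the extra check for an executable filename declared under an audio/image/text/video content type is an assumption of this example, not something the thread documents.

```python
"""Triage raw e-mail messages for Klez-style executable attachments.

Added example for this thread (not code from the forum, NAV or Symantec).
It flags attachments with the extensions the Symantec description lists
(.bat, .exe, .pif, .scr), reports which local address received each one,
and keeps the envelope sender (Return-Path) separate from the From: line,
because the posts describe From: as forged from someone's address book.
"""
import email
import os
from email import policy
from email.utils import parseaddr

EXEC_EXTS = {".bat", ".exe", ".pif", ".scr"}  # extensions from the Symantec write-up
# Assumption of this example: an executable filename declared under one of these
# major types is suspicious on its own; the thread does not describe this check.
NON_EXEC_MAJOR_TYPES = {"audio", "image", "text", "video"}


def executable_attachments(msg):
    """Yield (filename, declared content type) for each risky attachment."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        if os.path.splitext(name)[1].lower() in EXEC_EXTS:
            yield name, part.get_content_type()


def should_reject(raw):
    """Server-side policy: True if the message carries any executable attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    return any(True for _ in executable_attachments(msg))


def triage(raw_messages):
    """Client-side report: one finding per executable attachment found."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        # Delivered-To (if the server adds it) or To: tells you which account got hit.
        received_by = parseaddr(str(msg.get("Delivered-To") or msg.get("To", "")))[1]
        for name, ctype in executable_attachments(msg):
            findings.append({
                "received_by": received_by,
                "claimed_from": parseaddr(str(msg.get("From", "")))[1],
                "envelope_from": parseaddr(str(msg.get("Return-Path", "")))[1],
                "subject": str(msg.get("Subject", "")),
                "attachment": name,
                "content_type": ctype,
                "type_mismatch": ctype.split("/")[0] in NON_EXEC_MAJOR_TYPES,
            })
    return findings


# Constructed sample messages (not real captures); the base64 bodies are placeholders.
SAMPLE_KLEZ = """\
Return-Path: <tinman14@example.net>
Delivered-To: me@example.org
From: "Karen34589" <karen34589@example.com>
To: <me@example.org>
Subject: Klez.E immunity tool
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html

<html><body>We developed this free immunity tool to defeat the malicious virus.</body></html>
--b1
Content-Type: audio/x-wav; name="Please.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Please.scr"

Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

SAMPLE_FRIEND = """\
Return-Path: <bob@example.com>
From: Bob <bob@example.com>
To: <me@example.org>
Subject: lunch?
Content-Type: text/plain

Still on for noon?
"""

SAMPLE_INVOICE = """\
Return-Path: <billing@example.com>
From: Billing <billing@example.com>
To: <me@example.org>
Subject: March invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Invoice attached.
--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

SAMPLE_MESSAGES = [SAMPLE_KLEZ, SAMPLE_FRIEND, SAMPLE_INVOICE]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding)
```

Only the first sample is flagged: it names a .scr file that is declared as audio, so both the extension rule and the mismatch heuristic fire, and the report shows the forged From: beside the Return-Path the sending server actually used. The same should_reject() test, run on the mail server, is what an ISP-side filter like the one gypsyman's provider promised amounts to.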
 

gypsyman (Senior member, joined Jan 14, 2001)
Well, I just keep getting these. Got 2 more in the last hour. I called my ISP. They said that their tech support is being swamped with calls on this. Many of their clients are getting it. My ISP said that they are going to get a filter put in by Sunday or Monday. I will just count on NAV to keep catching them till then. Thanks for everyone's help. :)
 

bsobel (Moderator Emeritus, Elite Member, joined Dec 9, 2001)
> Bill -- I take it you work for Norton/Symantec. I just went back to the page, and the only text I found was:

Harvey; First, yes, I work for Symantec. Sorry, I guess that page isn't as clear as I thought it was. The page says 'virus definitions available', that is supposed to indicate that we can find/stop it. If you follow the critical information link you'll see we've detected it back since November (slow burner, it's been hitting everything lately).

> Radical and permanent fix for all your Outlook Express virus problems!

Russ; :)