
Nasty virus out there. I've only received seven copies, today.

Harvey

Administrator, Elite Member
You don't have to open any attachment to get this one. If you're not protected, looking at the e-mail is enough to bite you. This sucker is mean. It changes subject line with every transmission, and it grabs other names from the sender's address book and places that name as the sender, so it does not appear to be from the same source.

This appears to be a VBS virus. Beyond keeping your AV software up to date, there is one other thing you can do -- Uninstall Windows Scripting Host.

The other name for Windows Scripting Host is Visual Basic Scripthosting -- VBS. Around 95% of all Windoze users will never encounter a need for it. Uninstalling it is easy, and it removes the mechanism these viruses use to do their dirty deed. This means, you can't get a VBS virus, even if the latest update for your AV software has not yet figured it out.

Here's a url with step-by-step instructions for doing it. This will take you to a selector for Win 95, 98, 2K and NT. For other versions, the slightly more techie way is to find the file, WSCRIPT.EXE, and delete it, or just rename it.

This is totally non-destructive. If you ever do need it, all that will happen is, you'll get an error message saying the system can't find it. If so, you have two options -- re-install it, which is just as easy as the uninstall, or find another application that does the same thing without Windows Scripting Host. The latter is obviously the preferred solution.

Good luck. 🙂
 
Thanks for the info Harvey. I have yet to see this one, but I am sure I'll be getting calls about it soon enough.
 
I just talked to a guy about 2 hours ago about that. He got the virus but was able to print the source code for it.
 
what does this thing do? I only ask cos I have a VBS prob..... almost all my media files are being renamed with .vbs at the end...... the mp3s it just seems to make a copy with that extension but I think that all my jpegs are gone..... sucks cos I have pictures from my two international trips......

could this be the virus?...... I'm sorry, but I don't really know what else it could be.... was just about to post a thread about my problem...

thanks,

-Hex..
 
Hexametaphosphate -- That definitely sounds like virus activity. The first thing you should do is scan your drive with a known clean copy of your AV prog. Once you know your drive is clean, you can disable Windoze Script Hosting and see what happens. As I posted, the worst that can happen is, you'll get an error message saying the system can't find it. Then, it's up to you to find a replacement app or live with the risk.

The only program I ever encountered that needed it is the current version of AT&T World Net's setup program (ver. 6.2). I learned this when I was setting up a friend's account, and my fix was just to go back to their ver. 5.0, which I had on CD because it's the version downloaded when I first signed up with them. That was all it took. 🙂

I also phoned AT&T's tech support and politely chewed them a new a$$hole for the prog. I got a knowledgeable tech who agreed and said he would pass my comments upstream.
 
If it's new, then Norton's updated for it.. new definition file out today, already grabbed it. Please don't send me a sample, I don't want to test it that badly. 😛
 
You mean this one:

Date: 4/18/2002, Time: 13:01:48, paul on ENG06
The email attachment the.pif is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/18/2002, Time: 14:34:08, paul on ENG06
The email attachment rock.exe is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:05:02, paul on ENG06
The email attachment DIF.scr is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:05:26, paul on ENG06
The email attachment DIF.scr is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:05:38, paul on ENG06
The email attachment A00-156.exe is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:05:48, paul on ENG06
The email attachment DIF.pif is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:06:02, paul on ENG06
The email attachment install.exe is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:06:18, paul on ENG06
The email attachment DIF.pif is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:06:26, paul on ENG06
The email attachment A00-170.exe is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:06:46, paul on ENG06
The email attachment A00-161.pif is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:06:56, paul on ENG06
The email attachment DIF.scr is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 8:07:36, paul on ENG06
The email attachment DIF.exe is infected with the W32.Klez.H@mm virus.
The file was quarantined.

Date: 4/19/2002, Time: 20:00:00, paul on ENG06
Virus scan started.

Date: 4/20/2002, Time: 4:38:06, paul on ENG06
The email attachment DIF.pif is infected with the W32.Klez.gen@mm virus.
The file was deleted.

Date: 4/22/2002, Time: 1:45:26, paul on ENG06
The email attachment 98 .bat is infected with the W32.Klez.gen@mm virus.
The file was deleted.

-------------------


We got this a lot last week from people in our China factory. No, you don't need to open the attachment at all and it fakes who it's from. You need to open the header to see who really is sending it.
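
Added example, not part of any post in this thread: one way to do the header check described in the post above, combined with a filter for the attachment extensions that appear in the quarantine log. The sample message, its addresses and IPs are constructed, and `triage` is a hypothetical helper name.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Extensions seen in the quarantine log quoted in this thread.
RISKY_EXT = {".pif", ".scr", ".exe", ".bat"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample (not a real capture): forged From, executable attachment.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with SMTP; Fri, 19 Apr 2002 08:05:02 -0400
Received: from dialup-7 (unknown [198.51.100.23])
\tby mail.example.net with SMTP; Fri, 19 Apr 2002 08:04:58 -0400
Return-Path: <someone.else@example.net>
From: "A Friend" <friend@example.com>
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

hello
--XX
Content-Type: application/octet-stream; name="DIF.scr"
Content-Disposition: attachment; filename="DIF.scr"

constructed placeholder bytes
--XX--
"""

def triage(raw):
    """Summarise the header and attachment signals a reader should check."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    # Received headers are listed newest first; only the top one, written by
    # your own mail server, is fully trustworthy. Lower ones can be forged.
    relay_ips = [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(str(h))]
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXT]
    return {
        "from": from_addr,
        "return_path": return_path,
        "sender_mismatch": bool(return_path) and return_path != from_addr,
        "relay_ips": relay_ips,
        "risky_attachments": risky,
    }
```

A `sender_mismatch` alone is only a hint, since mailing lists and forwarders also produce it; the relay IPs and the attachment extension are the stronger signals.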



 
PG...did you get that list from my computer...because that's what I got too!!! Luckily my Norton AV caught it and quarantined it before it got bad. You know what too...most of it came from crappy spam mail that I replied back to the sender to remove my name from their list...this is how I got repaid!!!
 