Because some of you have had virus problems in the past. I thought I might update you occasionally on the latest ones. Email viruses are the worse!
Here is the latest ...
W32.Klez.H@mm
Discovered on: April 17, 2002
W32.Klez.H@mm is a modified variant of the worm W32.Klez.E@mm. This variant is capable of spreading via e-mail and network shares. It is also capable of infecting files.
Type: Worm
Number of infections: 0 - 49
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Distribution:
Subject of email: Random
Name of attachment: Random
Shared drives: Inserts copies of itself on shared drives
Technical details:
When this worm is executed, it copies itself to %System%\Wink[random characters].exe.
NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
and inserts a value in that subkey so that the worm is executed when you start Windows.
The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:
Local and Network Drive copying:
The worm copies itself to local, mapped, and network drives as:
A random file name with a double extension. For example, filename.txt.exe.
A .rar archive with a double extension. For example, filename.txt.rar.
Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.
The subject line, message bodies, and attachment file names are random. The from address is randomly chosen from email addresses that the worm finds on the infected computer.
The worm will search files with the following extensions for email addresses:
.exe
.scr
.pif
.bat
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf
The worm Email message that this worms sends is composed of "random" strings.
The subjectline can be as follows:
Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
The random word will be one of the following:
new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky
The body of the email message is random.
Infection:
The worm also infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.
Virus Insertion:
This worm inserts the virus W32.Elkern as a file with a random name in the "Program Files" folder and executes it.
NOTE: The worm gets the name of the Program Files folder. By default, on English systems, it's C:\Program Files\
This message has been edited by GRFleming on Apr 27, 2002 10:18 PM