Thema: Wurm Klez aktiv
Einzelnen Beitrag anzeigen
  #1  
Alt 24.02.2002, 23:21
Benutzerbild von mh
mh mh ist offline
registrierter Besucher
Foren-Stammgast 1000
  
Registriert seit: 31.10.2000
Beiträge: 1.010
mh ist zur Zeit noch ein unbeschriebenes Blatt (Renommeepunkte ungefähr beim Startwert +20)
Wurm Klez aktiv
In meinem erweiterten Bekanntenkreis gab es heute Abend ca. 20 Fälle einer Infektion mit dem Wurm Klez

Hier eine Beschreibung

W32/Klez-E
Aliases
W32/Klez@mm

Type
Win32 worm



Description
W32/Klez-E is a Win32 worm that carries a compressed copy of the W32/ElKern-B virus, which it drops and executes when the worm is run.

This worm searches for email address entries in the Windows address book but uses its own mailing routine.

The email will have the following characteristics:

Subject line: either random or chosen from the list

How are you
Let's be friends
Darling
Don't drink too much
Your password
Honey
Some questions
Please try again
Welcome to my hometown
the Garden of Eden
introduction on ADSL
Meeting notice
Questionnaire
Congratulations
Sos!
japanese girl VS playboy
Look,my beautiful girl friend
Eager to see you
Spice girls' vocal concert
Japanese lass' sexy pictures

Message text: Message text is randomly composed by the worm but the message can also be without a text.

Attached file: Randomly named with extension .PIF, .SCR, .EXE or .BAT.

The sender address which appears in a message is chosen from a list inside the worm.

W32/Klez-E attempts to disable several anti-virus products and delete some anti-virus related files.

The worm attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment. Microsoft has issued a patch which secures against this vulnerability which can be downloaded from http://www.microsoft.com/technet/sec.../MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)

W32/Klez-E may also spread to remote shares on other machines using random filenames.

It copies itself to the Windows System directory with a random filename. The worm will set the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ to point to the worm file, so that the file is run on Windows startup.


Ein aktueller Virenscanner schlägt Klez zurück.

Achtung Klez kann sich auch über ICQ verbreiten.
Mit Zitat antworten