
Topic: Attention, virus warning!

  1. #1
    Bruce1962 Guest

    Attention, virus warning!

    Hi folks!

    Three days ago I caught a nasty virus on my computer via an e-mail.

    It lodges itself in the computer and sends e-mails without you noticing.

    It also uses messengers such as ICQ or Yahoo.

    I learned today that people from the Kampfkunstboard have also received e-mails from me (Bruce1962....).

    Please don't open them!!!

    For everyone who has already opened them... quickly run a virus scanner over your machine.



    Regards

    Bruce1962

  2. #2
    Fish Guest

    Can't you give us more details about the virus? Maybe a name?

  3. #3
    Registration date
    26.08.2001
    Location
    Berlin
    Age
    59
    Posts
    44,880
    Blog entries
    12

    Just opening an e-mail is hardly enough to execute a virus, unless you've turned the security settings of your e-mail program way down.
    It would be interesting to find out which virus you have and may have sent out. First of all: don't panic!

    Regards
    Frank Burczynski

    HILTI BJJ Berlin
    https://www.hiltibjj.de


    http://www.jkdberlin.de

  4. #4
    wt-cmw Guest

    Well, Bruce, if you've got a virus, don't go to training for now.
    You might end up infecting someone...

    No offence!

  5. #5
    kleiner Drachen Guest

    Thanks... too late!!!!!!!!

    I received a nice e-mail from you. I wrote to you too.

    Thanks to the little virus, my computer got a complete overhaul in the form of a total crash.

    Whatever, I'm back!

    Regards

    Lars

    p.s.: A virus can't kill the Dragon!

  6. #6
    Bruce1962 Guest

    Well, unfortunately I clicked on the attachment.

    What was a bit odd was that my antivirus program (Norman) didn't react.

    Last week the world was still fine and the computer virus-free.

    Yesterday I found:

    W32/Klez.H@mm
    Win32Klez.@mm
    Win32.SobigA@mm
    Win32.Elkern.C
    Win32.Worm.P2P.Sddrop.C
    Win32.HLLW.Sddrop.D

    I was able to remove them all. Unfortunately more than 100 files were already damaged. I had to reinstall everything. What I'd like to know:

    Which one from the list above killed the virus protection?
    And which one sends the e-mails?


    Regards

    Bruce1962

  7. #7
    Bruce1962 Guest

    Re: Thanks... too late!!!!!!!!

    Originally posted by kleiner Drachen
    I received a nice e-mail from you. I wrote to you too.

    Thanks to the little virus, my computer got a complete overhaul in the form of a total crash.

    Well

    Sorry again!


    Regards

    Bruce1962

  8. #8

    Okay, here we go:

    - Klez:

    I-Worm.Klez
    This is a worm virus spreading via the Internet, attached to infected e-mails. The worm itself is a Windows PE EXE file about 57-65 KB in length (depending on its version), written in Microsoft Visual C++.

    Infected messages have variable subjects and attachment names (see below). The worm makes use of a known Internet Explorer security breach (IFRAME vulnerability) to start automatically when an infected message is viewed.

    In addition to spreading in local networks and through e-mail messages, the worm also creates a Windows EXE file with a random name starting with the letter 'K' (e.g., KB180.exe) in the temporary folder, writes the "Win32.Klez" virus into it, and launches the virus. The virus infects most Win32 PE EXE files on all of the computer's available disks.
    Startup
    When an infected file is started, the worm copies itself to the Windows system folder with the name "krn132.exe". Then it writes the following key to the registry to start automatically with Windows:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Krn132 = %System%\Krn132.exe
    where %System% is the name of Windows system folder.

    Then the virus searches for active applications (antivirus programs, see the list below) and forces them to unload using the Windows "TerminateProcess" call:

    _AVP32, _AVPCC, _AVPM, ALERTSVC, AMON, AVP32, AVPCC, AVPM, N32SCANW, NAVAPSVC,
    NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NOD32, NPSSVC, NRESQ32, NSCHED32,
    NSCHEDNT, NSPLUGIN, SCAN, SMSS
    Replication: e-mail
    The worm uses the SMTP protocol to send e-mail messages. It finds e-mail addresses in the WAB database and sends infected messages to these addresses.

    The subject of the infected message is selected randomly from a list:

    Hello
    How are you?
    Can you help me?
    We want peace
    Where will you go?
    Congratulations!!!
    Don't cry
    Look at the pretty
    Some advice on your shortcoming
    Free XXX Pictures
    A free hot porn site
    Why don't you reply to me?
    How about have dinner with me together?
    Never kiss a stranger
    The message text is the following:

    I'm sorry to do so,but it's helpless to say sory.
    I want a good job,I must support my parents.
    Now you have seen my technical capabilities.
    How much my year-salary now? NO more than $5,500.
    What do you think of this fact?
    Don't call my names,I have no hostility.
    Can you help me?
    Attached file: Win32 PE EXE file with a random name, which has either an ".exe" extension or a double extension:

    name.ext.exe
    The worm selects the filename (name.ext) using an original routine. It scans all available drives for files with the following filename extensions:

    .txt .htm .doc .jpg .bmp .xls .cpp .html .mpg .mpeg
    It uses one of the found filenames (name.ext) as the base name of the attachment, then adds the second extension ".exe". For example, "Ylhq.htm.exe", "If.xls.exe", etc.

    The worm inserts its own "From:" field into infected messages. Depending on a random counter, it inserts there either a real e-mail address or a fake, randomly generated address.

    An interesting feature of the worm is that before sending infected messages the worm writes the list of found e-mail addresses in its EXE file.

    All strings in the worm's body (messages and addresses) are stored in encrypted state.
    Replication: local and network drives
    The worm enumerates all local drives and network resources with write access and places a copy of itself there with a random name name.ext.exe (the name generation routine is similar to the one used to generate attachment names). After copying itself to network resources the worm registers its copies on remote computers as system service applications.
    Payload
    On the 13th of even months the worm executes a payload routine, which fills all files on all disks available on the victim computer with random content. These files can't be recovered and must be restored from a backup copy.
    Other versions
    There are several modifications of this worm. I-Worm.Klez.a-d are similar, and have minor differences.
    Klez.e
    Installation
    The worm copies itself to the Windows system directory with a random name starting with "Wink", e.g., "Winkad.exe".
    Infection
    The worm searches several registry keys for links to applications:

    Software\Microsoft\Windows\CurrentVersion\App Paths
    Then the worm tries to infect the EXE applications it found. When infecting an EXE, the worm creates a file with the same name and a random extension, with hidden+system+readonly attributes. This file is used by the worm to run the original infected program. When the infected file is run, the worm extracts the original file to a temp file with the original filename plus 'MP8' and runs it.

    The worm infects RAR archives by copying itself to archives with a randomly generated name. The name of the infected file is selected from a list:

    setup
    install
    demo
    snoopy
    picacu
    kitty
    play
    rock
    and has either one or two extensions, where the last one is ".exe", ".scr", ".pif" or ".bat".
    Replication: e-mail
    The subject of the infected message is either selected from the following list, or is generated randomly:

    Hi,
    Hello,
    Re:
    Fw:
    how are you
    let's be friends
    darling
    don't drink too much
    your password
    honey
    some questions
    please try again
    welcome to my hometown
    the Garden of Eden
    introduction on ADSL
    meeting notice
    questionnaire
    congratulations
    sos!
    japanese girl VS playboy
    look,my beautiful girl friend
    eager to see you
    spice girls' vocal concert
    Japanese lass' **** pictures
    The worm may also construct the following variants of Subject and Message text:

    Subject: A %1 %2
    %1 %2
    Body: This is a %1 %2
    %3 or %4
    where %1, %2 and %3 are randomly (depending on content) selected from the variants:

    %1 %2
    special WinXP game
    new IE 6.0 website
    funny W32.Elkern tool
    nice W32.Klez patch
    humour W32.Klez.E removal tools
    excite
    good
    powful
    %3 is one of the following lines:

    This game is my first work.
    You're the first player.
    I wish you would enjoy it.
    I hope you would enjoy it.
    %4 contains strings like the following:

    %5 give you the %1 removal tools
    %1 is a dangerous virus that spread through email.
    %1 is a very dangerous virus that can infect on Win98/Me/2000/XP.
    For more information,please visit http://www.%5.com
    where %5 is selected from the variants:

    Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky
    The result may look as follows:

    A special new game
    This is a new game
    This game is my first work.
    You're the first player.
    I wish you would enjoy it.
    A very funny website
    This is a funny website
    I hope you would enjoy it.
    A very powful tool
    Hello,This is a powful tool
    I hope you would enjoy it.
    A IE 6.0 patch
    Hello,This is a IE 6.0 patch
    I hope you would enjoy it.
    W32.Elkern removal tools
    Kaspersky give you the very W32.Elkern removal tools
    W32.Elkern is a very dangerous virus that can infect on
    Win98/Me/2000/XP.
    For more information,please visit http://www.Kaspersky.com
    W32.Klez.E removal tools
    W32.Klez.E is a dangerous virus that spread through email.
    Kaspersky give you the W32.Klez.E removal tools
    For more information,please visit http://www.Kaspersky.com
    The body of the infected messages is either blank, or has randomly generated contents.

    Attached file: Win32 PE EXE file with a random name, which has either an ".exe" extension or a double extension.

    The worm uses the IFrame security breach to launch automatically when an infected message is viewed.
    Payload
    On the 6th day of odd months the worm executes a payload routine, which fills all files on all local and network disks available on the victim computer with random content. These files can't be recovered and must be restored from a backup copy.
    Other
    The worm scans for the active processes that contain the following strings, and terminates them:

    Sircam
    Nimda
    CodeRed
    WQKMM3878
    GRIEF3878
    Fun Loving Criminal
    Norton
    Mcafee
    Antivir
    Avconsol
    F-STOPW
    F-Secure
    Sophos
    virus
    AVP Monitor
    AVP Updates
    InoculateIT
    PC-cillin
    Symantec
    Trend Micro
    F-PROT
    NOD32
    Randomly and depending on various conditions, the worm attaches a randomly selected file from the local disk to the infected e-mail (so the message has two attached files: the worm copy and an additional file). The worm looks for files with the following extensions to attach:

    .txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .c .pas .mpg
    .mpeg .bak .mp3 .pdf
    As a result, the worm can send personal or confidential information out of the computer and disclose it.
    Removal
    Run the special removal utility "clrav.com"

    Download here: clrav.com.
    Klez.h
    This variant of the worm is very similar to "Klez.e". The differences are:

    This variant has no payload and doesn't destroy files. There are more variants of infected message Subjects and Bodies. Some e-mail messages have the following Subject and Body:

    Worm Klez.E immunity
    Klez.E is the most common world-wide spreading worm.It's very dangerous
    by corrupting your files.
    Because of its very smart stealth and anti-anti-virus technic,most
    common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious virus.
    You only need to run this tool once,and then Klez will never come into
    your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real worm,some
    AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question,please mail to me.
    This worm also contains the text:

    Win32 Klez V2.01 & Win32 Foroux V1.0
    Copyright 2002,made in Asia
    About Klez V2.01:
    1,Main mission is to release the new baby PE virus,Win32 Foroux
    2,No significant change.No bug fixed.No any payload.
    About Win32 Foroux (plz keep the name,thanx)
    1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
    2,With very interesting feature.Check it!
    3,No any payload.No any optimization
    4,Not bug free,because of a hurry work.No more than three weeks from
    having such idea to accomplishing coding and testing
    This worm looks for files with the following extensions:

    .txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .c .pas .mpg .mpeg .bak .mp3 .pdf

    Depending on several conditions Klez.h attaches a file with one of the above listed extensions to infected emails (as the second attached file). As a result, confidential or personal information may be sent out and made public.

    Removal
    Run the special removal utility "clrav.com"
    Frank Burczynski


  9. #9

    -SobigA:

    This is a worm virus spreading via the Internet, attached to infected e-mails. It also downloads and sets up a backdoor program.

    The worm itself is a Windows PE EXE file about 64 KB in length (compressed with TeLock), written in Microsoft Visual C++.

    The infected messages have the following properties:

    From:
    big@boss.com
    Subject: (one of the following)
    Re: Movies
    Re: Sample
    Re: Document
    Re: Here is that sample
    Attachment: (one of the following)
    Movie_0074.mpeg.pif
    Document003.pif
    Untitled1.pif
    Sample.pif
    The worm activates from an infected e-mail only if the user clicks on the attached file. The worm then installs itself on the system and runs its spreading routine and payload.
    Installing
    While installing, the worm copies itself to the Windows directory with the name WINMGM32.EXE and registers that file in the system registry auto-run key.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "WindowsMGM" = <windir>\winmgm32.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "WindowsMGM" = <windir>\winmgm32.exe
    Spreading via E-mail
    To send infected messages the worm uses an SMTP server. The worm looks for *.WAB, *.DBX, *.HTM, *.HTML, *.EML and *.TXT files, scans them and extracts the e-mail address strings.
    Spreading via Local Network
    The worm enumerates shares on the network and tries to copy itself to one of the following folders with the name WINMGM32.EXE.

    Windows\All Users\Start Menu\Programs\StartUp\
    Documents and Settings\All Users\Start Menu\Programs\Startup\
    Setup of a backdoor program
    The worm downloads a text file. This file contains the link to the executable PE file. The worm downloads it into the Windows directory with the name DWN.DAT and runs it.

    The worm contains the text strings:

    Frank Burczynski

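Added example (mine, not from the thread or from the Kaspersky write-ups quoted in posts #8 and #9): a small Python mail-scanning function that applies the indicators those two descriptions give, the name.ext.exe double extension and bare .pif/.exe attachments, plus an HTML body whose iframe loads a message part via cid:, which is how the IFRAME vulnerability mentioned above was used to start the attachment when the message was merely viewed. The sample messages are constructed here, the four-byte attachment is a stand-in, and the exact cid: iframe form is an assumption, since the page does not show the worm's HTML.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Executable extensions the Klez and Sobig descriptions name for the worm attachment.
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat"}
# "Document" extensions Klez borrows from the victim's disk to build name.ext.exe.
DOC_EXTS = {".txt", ".htm", ".html", ".doc", ".jpg", ".bmp", ".xls", ".cpp", ".mpg",
            ".mpeg", ".rtf", ".pdf", ".mp3", ".wab", ".asp", ".c", ".pas", ".bak"}
# An <iframe> whose src points at a MIME part (cid:) is the HTML trick that made the
# attachment run on viewing (assumed form of the "IFRAME security breach" above).
IFRAME_CID_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?cid:", re.IGNORECASE)


def classify_filename(name: str):
    """Return 'double_extension', 'executable_attachment' or None for one attachment name."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in EXEC_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
        return "double_extension"          # e.g. Ylhq.htm.exe, Movie_0074.mpeg.pif
    return "executable_attachment"         # e.g. Document003.pif


def mail_findings(raw: bytes) -> list:
    """Walk one RFC 822 message and return (indicator, detail) tuples worth alerting on."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            kind = classify_filename(name)
            if kind:
                findings.append((kind, name))
        elif part.get_content_type() == "text/html":
            if IFRAME_CID_RE.search(part.get_content()):
                findings.append(("iframe_cid", "text/html"))
    return findings


def _sample(subject: str, sender: str, body: str, html: str, filename: str,
            payload: bytes = b"MZ\x90\x00") -> bytes:
    """Build a constructed test message; the payload is a 4-byte stand-in, not a real sample."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "me@example.invalid", subject
    msg.set_content(body)
    if html:
        msg.add_alternative(html, subtype="html")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return bytes(msg)


def sobig_style_sample() -> bytes:
    """Constructed after the Sobig.A description: forged sender, 'Re: Movies', .pif attachment."""
    return _sample("Re: Movies", "big@boss.com", "Hello", "", "Movie_0074.mpeg.pif")


def klez_style_sample() -> bytes:
    """Constructed after the Klez description: name.ext.exe attachment plus a cid: iframe."""
    html = '<html><body><iframe src="cid:worm"></iframe></body></html>'
    return _sample("How are you?", "x@example.invalid", "Can you help me?", html, "Ylhq.htm.exe")


def clean_sample() -> bytes:
    """Constructed benign message with an ordinary PDF attachment."""
    return _sample("minutes", "x@example.invalid", "Minutes attached.", "", "minutes.pdf",
                   b"%PDF-1.4")


if __name__ == "__main__":
    for label, build in (("sobig", sobig_style_sample), ("klez", klez_style_sample),
                         ("clean", clean_sample)):
        print(label, mail_findings(build()))
```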

  10. #10

    ElkernC

    It is a harmless encrypted resident parasitic Win32 virus.

    It searches recursively for Win32 EXE applications (PE EXE files) with .SCR and .EXE extensions in the current directory, in fixed and network drives and all available network resources, and infects them.

    The virus doesn't infect files if they have "tem32\dllcac" (part of "System32\dllcache") or "rary Inter" (part of "Temporary Internet Files") in their full path.

    While infecting, the virus writes itself to the file as separate blocks, similar to the Win95.CIH infection routine.

    The virus has a bug that may cause double infections. Despite this, infected files work without any problem.

    The virus stays in memory and infects all active processes that don't have "\explorer" in their name: it copies a part of its body into the process and then intercepts the DispatchMessageA and DispatchMessageW functions. When one of these functions is called, the virus activates its copy in the current process.

    The virus doesn't manifest itself in any way.
    Frank Burczynski


  11. #11
    Bruce1962 Guest

    Originally posted by wt-cmw
    Well, Bruce, if you've got a virus, don't go to training for now.
    You might end up infecting someone...

    No offence!
    No way!
    Training's on again tomorrow *gg

  12. #12

    I don't know the other two under that name, but searching on the keywords I found this for both:

    Win32/HLLP.Hantaner.A is a virus spreading via infected files in the P2P environment of the KaZaA network. The virus is written in Delphi and compressed with UPX to reduce its length. The compressed virus is approximately 24 KB long. The virus attacks computers running Windows 95/98/Me/NT/2000 and XP.

    NOD32 detects the uncompressed version of the Win32/HLLP.Hantaner.A virus as Win32/HLLP.Hantaner.A.unp.

    After the infected file is run, Win32/HLLP.Hantaner.A uses the system registry to find the directory where KaZaA saves downloaded files. It uses the key HKEY_CURRENT_USER\Software\Kazaa\Transfer\Download Dir for this purpose. The virus also searches for the directory that the Internet Explorer browser uses to save files downloaded from the Internet. It does this using the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory.

    It infects the files in the directories given above, placing its body at the beginning of them. The body of the virus contains the following text:

    HANTA-Vjoiner ,si que lo hice yo, ErGrone/GEDZAC... eso va para los senoritos de PER, en especial a Machado, que no tiene la educación necesaria para responder un E-Mail. y para los que se enojaron con CPL, jeje, pa que ocupan Hotmail!!!, teniendo miles de mailbox gratis y con mas espacio. Falló la Heuristica y contra una técnica antigua JoJOjOO-Escrito en Delphi 6!

    Note: In the following text the symbolic notation %windir% is used instead of the name of the directory in which the Windows operating system is installed. Of course, this may differ from installation to installation.

    The virus creates the file named tnKXfs.dat on the disk in the directory %windir%\TEMP.

    NOD32 detects Win32/HLLP.Hantaner.A from version 1.335, and its uncompressed version Win32/HLLP.Hantaner.A.unp from 1.341.
    Frank Burczynski


  13. #13

    The first descriptions are from Kaspersky AVP and the last one is from Norman AV.

    Tip: an AV program together with a good firewall that blocks unsafe attachments first and thereby gets them scanned!

    Regards
    Frank Burczynski


  14. #14
    Bruce1962 Guest

    @jkdberlin

    Well then, thanks for now!

    I've now ordered Norton Professional.


    Regards

    Bruce1962

  15. #15

    Together with the Norton Firewall, Norton AV is quite a good solution. It does have some quirks, though, when installing other programs that write to certain areas of the registry, so always make a registry backup before installations!

    My laptop runs on it; in addition I have F-Prot for Windows on my laptop and PC as a cross-check.

    My PC runs Zone Alarm Professional as the firewall and good old Kaspersky AVP as a reliable virus guard.

    So far nobody has got me with that...

    Regards
    Frank Burczynski

