Summary
Due to an increased rate of submissions, Symantec Security Response is upgrading the threat level for W32.Klez.E@mm from level 2 to level 3 as of March 6, 2002.
W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.
The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.
Removal tool
Symantec has provided a tool to remove infections of all known variants of W32.Klez and W32.ElKern. Click here to obtain the tool.
This is the easiest way to remove these threats and should be tried first.
Note on W32.Klez.gen@mm detections:
W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most cases, the tool will be able to remove the infection.
It has been reported that W32.Klez.E@mm may arrive in the following email message promoting a Symantec removal tool. Symantec never sends unsolicited email; the attachment should be deleted.
Subject: W32.Elkern removal tools
Message:
Symantec give you the W32.Elkern removaltools. W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP.
For more information,please visit http:/ /www.Symantec.com
Attachment: Install.exe
For information about how Klez affects a Macintosh computer, read the document Are Macintoshes affected by the Klez virus?
Protection
* Virus Definitions (Weekly LiveUpdate™): January 23, 2002
* Virus Definitions (Intelligent Updater): January 17, 2002
Threat Assessment
Wild
* Wild Level: Medium
* Number of Infections: More than 1000
* Number of Sites: More than 10
* Geographical Distribution: Medium
* Threat Containment: Moderate
* Removal: Moderate
Damage
* Damage Level: Medium
* Payload Trigger: The 6th of every odd numbered month (January, March, May, July, September, November)
* Payload: Disables common antivirus products
* Large scale e-mailing: Mails email addresses found in local files, and Outlook and ICQ address books
* Modifies Files: Overwrites files with zeros
Distribution
* Distribution Level: High
* Subject of Email: Random subject
* Name of Attachment: Randomly named file with .bat, .exe, .pif or .scr extension
When the worm is executed, it copies itself to %System%\Wink【random characters】.exe.
NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds the value
Wink【random characters】 %System%\Wink【random characters】.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
or it creates the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink【random characters】
and inserts a value in that subkey so that the worm is executed when you start Windows.
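As an added example (not part of the Symantec writeup), a Python check that enumerates the two registry locations named above and flags Run values or Services subkeys matching the worm's Wink[random characters].exe and wqk.exe names. The matching function is pure so it can be exercised with constructed input; the winreg reader is the assumed way to feed it live data on a Windows host.

```python
import re

# Registry locations the writeup names (HKLM is implied). Names here are the
# worm's own: Wink[random characters].exe and the dropped %System%\wqk.exe.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"System\CurrentControlSet\Services"
WINK_NAME_RE = re.compile(r"^wink\w*$", re.IGNORECASE)
SUSPECT_PATH_RE = re.compile(r"[\\/](wink\w*|wqk)\.exe\s*$", re.IGNORECASE)


def find_klez_persistence(run_values, service_subkeys):
    """Return (hive\\key, name, data) findings. Pure function over two iterables
    so it can be exercised with constructed input; a hit on the Wink* name
    pattern alone is a heuristic and should be confirmed by a definitions scan."""
    findings = []
    for name, data in run_values:
        data = str(data)
        if WINK_NAME_RE.match(name) or name.upper() == "WQK" or SUSPECT_PATH_RE.search(data):
            findings.append(("HKLM\\" + RUN_KEY, name, data))
    for subkey in service_subkeys:
        if WINK_NAME_RE.match(subkey):
            findings.append(("HKLM\\" + SERVICES_KEY, subkey, ""))
    return findings


def read_registry():
    """Windows only: enumerate the Run values and Services subkeys via winreg
    (assumed use of the standard-library module; read access is sufficient)."""
    import winreg
    run_values, subkeys = [], []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):   # [1] is the value count
            name, data, _ = winreg.EnumValue(key, i)
            run_values.append((name, data))
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):   # [0] is the subkey count
            subkeys.append(winreg.EnumKey(key, i))
    return run_values, subkeys


if __name__ == "__main__":
    run_values, subkeys = read_registry()
    for location, name, data in find_klez_persistence(run_values, subkeys):
        print(f"{location}\\{name} -> {data or '(subkey)'}")
```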
The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:
* ANTI-VIR.DAT
* CHKLIST.DAT
* CHKLIST.MS
* CHKLIST.CPS
* CHKLIST.TAV
* IVB.NTZ
* SMARTCHK.MS
* SMARTCHK.CPS
* AVGQT.DAT
* AGUARD.DAT
The worm copies itself to local, mapped, and network drives as:
* A random file name with a double extension. For example, filename.txt.exe.
* A .rar archive with a double extension. For example, filename.txt.rar.
In addition, the worm searches the Windows address book, the ICQ database, and local files (such as .html and text files) for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.
The subject line, message bodies, and attachment file names are random. The from address is randomly chosen from email addresses that the worm finds on the infected computer.
NOTES:
* Because this worm does use a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything, as would be expected, because his computer is not infected.
If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
* There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is [email protected], you could receive a message that appears to be from [email protected], indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.
If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
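The spoofed-sender and fake "postmaster bounce" patterns described in the notes above, as an added example that is not part of the original writeup: a Python mail filter that blocks the attachment extensions the recommendations in this writeup list (plus .rar, which the worm uses for its double-extension copies) and quarantines messages claiming to come from the recipient domain's own postmaster while carrying such an attachment. The sample messages, the example.com domain and the helper names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Attachment extensions the writeup says to block at the mail server, plus .rar,
# which the worm uses for its double-extension copies (filename.txt.rar).
BLOCKED_EXT = (".bat", ".exe", ".pif", ".scr", ".vbs", ".rar")


def risky_extension(name):
    """True when the final extension is blocked; double extensions such as
    report.txt.pif count, because only the last extension decides execution."""
    return name.lower().endswith(BLOCKED_EXT)


def classify(raw, local_domain):
    """Return (verdict, reason) for one RFC 822 message. Constructed heuristic,
    not Symantec's detection logic."""
    msg = message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [n for n in names if risky_extension(n)]
    if not risky:
        return ("allow", "")
    sender = str(msg.get("From", "")).lower()
    # The writeup's fake "postmaster bounce": a message claiming to come from the
    # recipient's own postmaster but carrying an executable attachment.
    if re.search(r"postmaster@" + re.escape(local_domain.lower()), sender):
        return ("quarantine", "fake bounce from own postmaster carrying " + ", ".join(risky))
    return ("block", "blocked attachment(s): " + ", ".join(risky))


def build_sample(sender, filename, body="Your message could not be delivered."):
    """Construct a small multipart message for illustration (not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "jsmith@example.com"          # constructed recipient
    m["Subject"] = "Undeliverable mail"
    m.set_content(body)
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for sender, fname in [("postmaster@example.com", "report.txt.pif"),
                          ("linda@example.org", "Install.exe"),
                          ("harold@example.org", "notes.txt")]:
        print(sender, fname, classify(build_sample(sender, fname), "example.com"))
```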
The worm also infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.
The worm also drops the virus W32.Elkern.3587 as the file %System%\wqk.exe and executes it.
Finally, the worm has a payload. On the 6th of every odd numbered month (except January or July), the worm attempts to overwrite with zeroes files that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, this payload attempts to overwrite all files with zeroes, not just those with the aforementioned extensions.
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted security bulletins, or on vendor Web sites.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments commonly used to spread viruses, such as .vbs, .bat, .exe, .pif, and .scr files.
* Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them, and to execute software downloaded from the Internet only after it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Norton AntiVirus has been able to detect W32.Klez.E@mm since January 17, 2002. If you have current definitions and have a current version of Norton AntiVirus set as recommended (to scan all files), W32.Klez.E@mm will be detected if it attempts to activate. If you simply suspect that the (inactivated) file resides on the computer, run LiveUpdate to make sure that you have current definitions, and then run a full system scan.
If W32.Klez.E@mm has activated, in most cases you will not be able to start Norton AntiVirus. Once this worm has executed, it can be difficult and time consuming to remove. The procedure that you must use to do this varies with the operating system. Please read and follow all instructions for your operating system.
Manual removal procedure for Windows 95/98/Me
Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.
NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.
1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at
http://securityresponse.symantec.com/avcenter/defs.download.html
For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.
2. Restart the computer in Safe mode
You must do this as the first step. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.
3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove the Wink【random characters】.exe value after you write down the exact name of the Wink file.
CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, look for the following values:
Wink【random characters】 %System%\Wink【random characters】.exe
WQK %System%\Wqk.exe
5. Write down the exact file name of the Wink【random characters】.exe file.
6. Delete the Wink【random characters】 value and the WQK value (if it exists).
7. Navigate to and expand the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
8. In the left pane, under the \Services key, look for the following subkey, and delete it if it exists:
\Wink【random characters】
NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.
9. Click Registry, and click Exit.
4. Delete the actual Wink【random characters】 file
Using Windows Explorer, open the C:\Windows\System folder, locate the Wink【random characters】.exe file, and delete it. (Depending on your system settings, the .exe extension may not be displayed.)
NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.
5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.
6. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.
7. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, Quarantine them. Some of the files that you may find are luall.exe, Rescue32.exe, and nmain.exe.
8. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from a command line.
1. Click Start, and click Run.
2. Type (or copy and paste) the following, and then click OK:
navw32.exe /L /VISIBLE
3. Allow the scan to run. Quarantine any additional files that are detected.
9. Restart the computer
Allow it to start normally.
10. Reinstall NAV
NOTE: If you are using NAV 2002 on Windows XP, this may not be possible on all systems. You can, however, try the following: Open the Control Panel, double-click Administrative Tools, and then double-click Services. In the list, select Windows Installer. Click Action and then click Start.
Follow the instructions in the document How to restore Norton AntiVirus after removing a virus to reinstall NAV.
11. Restart the computer and scan again
1. Shut down the computer, and turn off the power. Wait 30 seconds and then restart it.
CAUTION: This step is very important. Reinfection will occur if this is not followed.
2. Run LiveUpdate and download the most current virus definitions.
3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
4. Run a full system scan. Quarantine any files that are detected as infected by W32.Klez.E@mm or W32.Klez.gen@mm.
Manual removal procedure for Windows 2000/XP
1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at
http://securityresponse.symantec.com/avcenter/defs.download.html
For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.
2. Restart the computer in Safe mode
You must do this as the first step. All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. Read the document for your operating system.
* How to start Windows XP in Safe mode
* How to start Windows 2000 in Safe mode
3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services and remove the Wink【random characters】 subkey after you write down the exact name of the Wink file.
CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
4. In the left pane, under the \Services key, look for the following subkey:
\Wink【random characters】
5. Write down the exact file name of the Wink【random characters】.exe file.
6. Delete the Wink【random characters】 subkey.
7. Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
8. In the right pane, look for the following values, and delete them if they exist:
Wink【random characters】 %System%\Wink【random characters】.exe
WQK %System%\Wqk.exe
NOTE: They probably will not exist on Windows 2000/XP-based computers, but you should check for them anyway.
9. Click Registry, and click Exit.
4. Configure Windows to show all files
Do not skip this step.
1. Start Windows Explorer.
2. Click the Tools menu, and click "Folder options."
3. Click the View tab.
4. Uncheck "Hide file extensions for known file types."
5. Uncheck "Hide protected operating system files," and under the "Hidden files" folder, click "Show hidden files and Folders."
6. Click Apply, and then click OK.
5. Delete the actual Wink【random characters】 file
Using Windows Explorer, open the %System% folder (by default C:\Winnt\System32 on Windows 2000/XP), locate the Wink【random characters】.exe file, and delete it. (Depending on your system settings, the .exe extension may not be displayed.)
NOTE: If you have Windows installed to a location other than C:\Winnt, make the appropriate substitution.
6. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.
7. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if you are prompted.
8. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it.
CAUTION: This step is very important. Reinfection will occur if this is not followed.
Allow the computer to start normally. If any files are detected as infected by W32.Klez.E@mm or W32.Klez.gen@mm, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.
9. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from the command line.
NOTE: These instructions are only for consumer versions of NAV. The file Navw32.exe is not part of Enterprise versions of NAV such as NAVCE. The NAVCE command-line scanner, Vpscan.exe, will not remove the worm.
1. Click Start, and click Run.
2. Type (or copy and paste) the following, and then click OK:
NAVW32.EXE /L /VISIBLE
3. Allow the scan to run. Quarantine any additional files that are detected.
10. Reinstall NAV
NOTE: If you are using NAV 2002 on Windows XP, this may not be possible on all systems. You can, however, try the following: Open the Control Panel, double-click Administrative Tools, and then double-click Services. In the list, select Windows Installer. Click Action, and then click Start.
Follow the instructions in the document How to restore Norton AntiVirus after removing a virus to reinstall NAV.
11. Restart the computer and scan again
1. Shut down the computer, and turn off the power. Wait 30 seconds and then restart it.
CAUTION: This step is very important. Reinfection will occur if this is not followed.
2. Run LiveUpdate and download the most current virus definitions.
3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
4. Run a full system scan. Quarantine any files that are detected as infected by W32.Klez.H@mm or W32.Klez.gen@mm.
Writeup by: Atli Gudmundsson