-----Original Message-----
From: NIPC Watch
To: 1143267@private
Sent: 4/26/02 9:24 PM
Subject: NIPC Alert on Propagation of the W32/Klez.h@mm Worm and Variants

Please find below NIPC Alert 02-002 concerning the W32/Klez.h@mm Worm, and Variants.

Regards,
NIPC WWU
rp

National Infrastructure Protection Center
"Propagation of the W32/Klez.h@mm Worm and Variants"
Alert 02-002
26 April 2002

The National Infrastructure Protection Center (NIPC) continues to monitor a mass-mailing worm called Klez.h. The NIPC is issuing this alert due to information received from industry partners, combined with the striking number of infections reported in the wild during the last forty-eight hours.

Klez.h spoofs an e-mail address found on the intended victim's system and may appear to have been sent from a familiar party. It has over 100 randomly selected subject lines, and uses several different file attachment names when attaching itself. The worm also masquerades as a "Klez.E immunity tool" with the subject line "Worm Klez.E Immunity". The worm also attempts to disable common anti-virus scanning programs such as McAfee, Antivir, Norton, Scan, AVConsol, F-Secure, Sophos and others.

Klez.h also infects the victim machine with the Elkern virus which may be detected as NGVCK.a. The Elkern virus randomly infects executable files on the local machine and network shares and replaces the contents of these files with random characters to maintain the original file size. This will cause most systems to crash and at the very least destroy critical operating system files.

Users are strongly encouraged to update their anti-virus signatures and visit the following Microsoft websites for the appropriate patches for Outlook and Internet Explorer 5.x:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262631

The anti-virus software industry is aware of Klez.h and has signature files to detect and remove it from infected hosts. Full descriptions and removal instructions are located at the following anti-virus web sites:

F-Secure Corp.
http://www.f-secure.com/v-descs/klez_h.shtml

Network Associates Inc./McAfee.com
http://vil.mcafee.com/dispVirus.asp?virus_k=99455

Symantec Corp.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@private ml

Trend Micro Inc.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H

As always, the NIPC encourages computer users to keep anti-virus and systems software current by frequently checking vendor web sites for updates, and routinely checking for alerts issued by the NIPC, FedCIRC, CERT/CC, and similar organizations.

The NIPC encourages recipients of this alert to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@private
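
Added example, not part of the NIPC alert: the alert notes that Elkern overwrites executables with random characters while keeping the original file size, so a size-only check will not notice the damage. This sketch compares a (size, SHA-256) baseline against the current state and flags files whose size is unchanged but whose content differs; the extension list, function names and sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Assumption: which extensions count as executables for the baseline.
EXEC_EXTS = {".exe", ".dll", ".scr"}

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (size, sha256) for executables under root."""
    snap = {}
    for folder, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                path = os.path.join(folder, name)
                snap[os.path.relpath(path, root)] = (os.path.getsize(path), file_digest(path))
    return snap

def compare(baseline, current):
    """Classify changed files; same size with a new digest is the alert's pattern."""
    report = {"same_size_changed": [], "resized": [], "missing": []}
    for path, (size, digest) in sorted(baseline.items()):
        if path not in current:
            report["missing"].append(path)
        elif current[path][1] != digest:
            key = "same_size_changed" if current[path][0] == size else "resized"
            report[key].append(path)
    return report

def demo():
    """Constructed sample tree: one size-preserving overwrite, one ordinary update."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in {"app.exe": b"MZ" + b"\x00" * 62, "lib.dll": b"MZ" + b"\x01" * 30}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        before = snapshot(root)
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(bytes(range(64)))          # still 64 bytes long, new content
        with open(os.path.join(root, "lib.dll"), "wb") as f:
            f.write(b"MZ" + b"\x02" * 100)     # patched file: size changes
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken from a known-clean system and stored where an infected host cannot rewrite it.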