aaus-list @ ukrainianstudies.org -- [aaus-list] Fwd: Virus problems/alert (from the list-owner)
Dear All,
In the past few days the aaus-list seems to have been the target of a
significant virus attack. It is difficult for me to tell if things
are getting through the list or not, since I receive material both as
the list-owner and as a member. My guess is that none of the messages
that have come through to my personal account as list-owner have been
broadcast to the entire list, since I would get multiple copies (and
have not). However, one list member did tell me that she had received
questionable aaus-list e-mails, so I am putting out a general
questionnaire to find out what's what. If you can confirm that
aaus-list messages have come to you with the virus (see description
below), please send a very short message to me at
radelo@earthlink.net.
I think what is going on is that the individual e-mail address books
of several people in the North American Ukrainian studies community
(and many, many other Ukraine- and Russia-based individuals) have
been infected with the Klezmer virus. I myself have received two
dozen infected messages/files over the past three days. Several of
them came from aaus-list members' accounts. The bulk have come from
Ukraine- and Russia-based individuals or organizations. About half
have been attempts to propagate through aaus-list that bounced to me
as list-owner. The other half came directly to me. I strongly advise
that those of you with PCs do not open .exe, .rar, .bat, or .scr
files that you do not expect to get. Likewise, do not open an e-mail
message that is 1K or 0K in length, but with an attachment, unless
you expect it. One of the files came to me camouflaged as a "Klezmer
removal executable." Those who are using Macintosh computers should
be okay, but should immediately trash the suspected files.
Information on this virus follows. I strongly recommend that
everyone--especially those in the PC/Windows crowd--follow the
instructions that follow. As always, keeping your virus protection up
to date is critical. Note also that you may have personal information
or confidential files forwarded to others by this worm, so quick
action to neutralize it is recommended.
Robert De Lossa
------------------------------------------------------------
** VIRUS NOTICE - W32/Klez.h@MM **
------------------------------------------------------------
Dear Robert,
McAfee.com has seen a growing number of computers infected
with W32/Klez.h@MM. The risk assessment has been updated to
MEDIUM. As always, we recommend that you keep your
anti-virus software up-to-date for the best protection.
McAfee.com will continue to update you on the latest details
of the W32/Klez.h@MM virus, click here for more information:
===> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3149
Sincerely,
McAfee.com
[the link above leads to: ]
____________________________________________________________
W32/Klez.h@MM (Risk Assessment: Medium)
Virus Information:
Date Discovered: 4/17/2002
Date Added: 4/17/2002
Origin: Unknown
Length: approx 90kB
Type: Internet Worm
SubType: Win32
DAT Required: 4182
Virus Characteristics:
--- Update 4/18/2002 ---
AVERT has raised the risk assessment of this threat to Medium after
seeing an increase in prevalence over the past 24 hours. Home users
are at a greater risk of infection, as they tend to update their DATs
less frequently than corporations. As such, the risk of becoming
infected in a corporate environment is lower.
This latest W32/Klez variant is already detected as W32/Klez.gen@MM
by McAfee products using the 4182 DATs (23 January 2002) or greater.
W32/Klez.h@MM has a number of similarities to previous W32/Klez
variants, for example:
* W32/Klez.h@MM makes use of the "Incorrect MIME Header Can Cause IE
to Execute E-mail Attachment" vulnerability in Microsoft Internet
Explorer (ver 5.01 or 5.5 without SP2).
* the worm has the ability to spoof the From: field (often set
to an address found on the victim machine).
* the worm attempts to unload several processes (antivirus
programs) from memory, including those whose names contain the
following strings:
* _AVP32
* _AVPCC
* NOD32
* NPSSVC
* NRESQ32
* NSCHED32
* NSCHEDNT
* NSPLUGIN
* NAV
* NAVAPSVC
* NAVAPW32
* NAVLU32
* NAVRUNR
* NAVW32
* _AVPM
* ALERTSVC
* AMON
* AVP32
* AVPCC
* AVPM
* N32SCANW
* NAVWNT
* ANTIVIR
* AVPUPD
* AVGCTRL
* AVWIN95
* SCAN32
* VSHWIN32
* F-STOPW
* F-PROT95
* ACKWIN32
* VETTRAY
* VET95
* SWEEP95
* PCCWIN98
* IOMON98
* AVPTC
* AVE32
* AVCONSOL
* FP-WIN
* DVP95
* F-AGNT95
* CLAW95
* NVC95
* SCAN
* VIRUS
* LOCKDOWN2000
* Norton
* Mcafee
* Antivir
The worm is able to propagate over the network by copying itself to
network shares (assuming sufficient permissions exist). Target
filenames are chosen randomly, and can have single or double file
extensions. For example:
350.bak.scr
bootlog.jpg
user.xls.exe
The worm may also copy itself into RAR archives, for example:
HREF.mpeg.rar
HREF.txt.rar
lmbtt.pas.rar
The worm mails itself to email addresses in the Windows Address Book,
plus addresses extracted from files on the victim machine. It arrives
in an email message whose subject and body is composed from a pool of
strings carried within the virus. For example:
* Subject: A very funny website
* Subject: 1996 Microsoft Corporation
* Subject: Hello,honey
* Subject: Initing esdi
* Subject: Editor of PC Magazine.
* Subject: Some questions
* Subject: Telephone number
The file attachment name is again generated randomly, and ends with a
.exe, .scr, .pif, or .bat extension, for example:
ALIGN.pif
User.bat
line.bat
Thanks to the use of the exploit described above, simply opening or
previewing the message in a vulnerable mail client can result in
infection of the victim machine.
W32/Klez.h@MM masquerades as a free immunity tool in at least one of
the messages used:
Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading worm. It's very
dangerous by corrupting your files. Because of its very smart stealth
and anti-anti-virus technic,most common AV software can't detect or
clean it.We developed this free immunity tool to defeat the malicious
virus. You only need to run this tool once,and then Klez will never
come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real
worm,some AV monitor maybe cry when you run it. If so,Ignore the
warning,and select 'continue'. If you have any question,please mail
to me.
The worm may send a clean document in addition to an infected file. A
document found on the hard disk, that contains one of the following
extensions, is sent:
* .txt
* .htm
* .html
* .wab
* .asp
* .doc
* .rtf
* .xls
* .jpg
* .cpp
* .c
* .pas
* .mpg
* .mpeg
* .bak
* .mp3
* .pdf
This payload can result in confidential information being sent to others.
Indications of Infection:
* Randomly/oddly named files on network shares, as described above.
* Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Method of Infection:
This virus can be considered a blended threat. It mass-mails itself
to email addresses found on the local system, exploits a Microsoft
vulnerability, spreads via network shares, infects executables on the
local system, and drops an additional file infecting virus,
W95/Elkern.cav.c.
Removal Instructions:
Use current engine and DAT files for detection.
Once infected, VirusScan may not be able to run as the virus can
terminate the process before any scanning/removal is accomplished.
The following steps will circumvent this action and allow for proper
VirusScan scanning/removal, by using the command-line scanner.
1. Download and install the DAILY DAT files
(http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/virus-4d.asp)
2. Close all running applications
3. Disconnect the system from the network
4. Click START | RUN, type command and hit ENTER
5. Change to the VirusScan engine directory:
* Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
* WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\40F809~1.xx and hit ENTER
6. First, scan the system directory
* Win9x/ME - Type scan.exe %windir%\system\win*.exe and hit ENTER
* WinNT/2K/XP - Type scan.exe %windir%\system32\win*.exe and hit ENTER
7. Once the scan has completed, Type scan.exe /adl /clean and hit ENTER
8. After scanning and removal is complete, reboot the system
Aliases:
W32/Klez.G@mm (Norman), W32/Klez.gen@MM, W32/Klez.I (Panda),
W32/Klez.K-mm, WORM_KLEZ.G (Trend)
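The indicators in the forwarded notice (the subject pool, executable or double-extension attachment names, a near-empty body with an attachment, a spoofed From: line, and the WINKxxx.EXE Run key entry) can be turned into a simple triage check. The script below is an added example written for this archive page, not McAfee's or the list-owner's code; the message structure, the envelope-sender field and all sample values are constructed.

```python
import re

# Indicator values are taken from the W32/Klez.h@MM notice above; everything
# else (message fields, sample data) is constructed for this example.
KLEZ_SUBJECTS = {
    "a very funny website", "1996 microsoft corporation", "hello,honey",
    "initing esdi", "editor of pc magazine.", "some questions",
    "telephone number", "worm klez.e immunity",
}
EXEC_EXTS = (".exe", ".scr", ".pif", ".bat", ".rar")
# e.g. user.xls.exe, 350.bak.scr, HREF.mpeg.rar (single-extension drops like
# bootlog.jpg are not caught here and need an AV scan of the share)
DOUBLE_EXT = re.compile(r"\.\w{1,4}\.(exe|scr|pif|bat|rar)$", re.IGNORECASE)
# Run-key value pointing at WINKxxx.EXE, "xxx" random
WINK_RUN = re.compile(r"wink\w{3}\.exe$", re.IGNORECASE)


def message_indicators(subject, body, attachments, from_addr, envelope_sender):
    """Return the Klez-style indicators a message matches (empty list = none)."""
    hits = []
    if subject.strip().lower() in KLEZ_SUBJECTS:
        hits.append("known Klez subject")
    # the list-owner's rule of thumb: 0K/1K body but an attachment present
    if attachments and len(body.encode()) <= 1024:
        hits.append("near-empty body with attachment")
    for name in attachments:
        if name.lower().endswith(EXEC_EXTS):
            hits.append(f"executable attachment {name}")
        if DOUBLE_EXT.search(name):
            hits.append(f"double extension {name}")
    # Klez forges From:; the SMTP envelope sender is usually the real origin
    if from_addr.lower() != envelope_sender.lower():
        hits.append("From: differs from envelope sender")
    return hits


def suspicious_share_files(filenames):
    """Filenames on a network share that use the worm's double-extension style."""
    return [f for f in filenames if DOUBLE_EXT.search(f)]


def suspicious_run_entries(run_values):
    """run_values: {value name: command} read from HKLM\\...\\CurrentVersion\\Run."""
    return {k: v for k, v in run_values.items() if WINK_RUN.search(v.split()[0])}


if __name__ == "__main__":
    sample = dict(subject="Worm Klez.E Immunity", body="run this once",
                  attachments=["ALIGN.pif"], from_addr="colleague@example.org",
                  envelope_sender="infected-pc@example.net")  # constructed
    print(message_indicators(**sample))
```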