Scott Fosseen - Systems Engineer - Arrowhead AEA 5
www.aea5.k12.ia.us/aeaphone.nsf/Web/FosseenScott
> Dealing effectively with the Klez virus:
>
> Many people have been receiving e-mails from trusted friends and associates
> that they didn't send. This is the result of an e-mail worm called KLEZ.
> KLEZ has actually been around since late 2001, but this newest variant has
> some features that make it more of a threat than previous versions.
>
> While the anti-virus companies say their software can spot all versions of
> Klez, its ability to disable some virus-checking software can make it
> difficult to clean up once it gets a foothold on a PC.
>
> We will be making a suite of KLEZ scan/fix/removal tools available for
> download on our website. Since this virus only pertains to PCs, the files
> will be in .ZIP format. FixKlez is a GUI interfaced program from Symantec;
> the file fix_klex is a command line utility. Both can be run by double
> clicking the .com file.
>
> http://www.aea11.k12.ia.us/kleztools.zip
>
> My suggestion is that you update your virus protection files immediately
> and begin a systematic scan of machines in your area. Areas of utmost
> concern would be shared drives, storage devices [such as network drives]
> and public access machines. The next step would be to download these
> tools and rescan mission critical machines [or those without anti-virus
> software]. The most critical step is to begin the distribution process to
> staff members with PCs in their homes.
>
> You can simply craft an e-mail with a link to the download on our website
> if you wish.
> The e-mail should contain the following instructions:
>
> - download the tool suite [URL above]
> - unzip the file [requires WinZip, available at www.winzip.com]
> - run the scanner and follow removal instructions
> - keep scanner for future scans
> - be suspicious of e-mails from friends with subjects that are
>   "out of character" and have no message included
>
> = = = = = = = = = =
>
> Payload:
> Worm infects executables by creating a hidden copy of the original host
> file and then overwriting the original file with itself. The hidden copy
> is encrypted, but contains no viral data. The name of the hidden file is
> the same as the original file, but with a random extension.
>
> Large scale e-mailing:
> Worm searches the Windows address book, the ICQ database, and local files
> for email addresses. The worm sends an email message to these addresses
> with itself as an attachment.
>
> Releases confidential info:
> Worm randomly chooses a file from the machine to send along with the worm
> to recipients. So files with the extensions ".mp8", ".txt", ".htm",
> ".html", ".wab", ".asp", ".doc", ".rtf", ".xls", ".jpg", ".cpp", ".pas",
> ".mpg", ".mpeg", ".bak", ".mp3" or ".pdf" would be attached to e-mail
> messages along with the viral attachment.
>
> = = = = = = = = = =
>
> Details:
> All variants of the Klez worms can arrive attached to e-mail sporting one
> of several different subject lines, or spread within local networks by
> copying itself to shared computer drives.
>
> The Klez worms also carry with them variants of a second virus known as
> ElKern, which Klez deposits on compromised PCs and then launches.
>
> Other versions of Klez carried a destructive payload that saw it begin a
> mass-destruction of files on infected computers on the 13th day of
> even-numbered months.
>
> SARC reported that the newest incarnation *doesn't* destroy other files.
> Instead it replaces legitimate executable files with its own code, helping
> to ensure that it will launch again. The original legitimate programs are
> copied to files with new random file extensions and properties that hide
> them from normal directory displays.
>
> The Klez worms can take advantage of a year-old bug in some versions of the
> Internet Explorer browser to launch automatically when users simply view
> the worm's bogus e-mail. The browser is used to display HTML-formatted mail
> in programs such as Outlook Express.
>
> If the message is opened in an unpatched version of Microsoft Outlook or
> Outlook Express, the attachment may be automatically executed. Information
> about this vulnerability and a patch are available at:
>
> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>
> = = = = = = = = = =
>
> Best Practice Steps for Administrators:
>
> Turn off and remove unneeded services:
> Ensure that your mail server does not accept finger requests and, where
> possible, ensure that relay services have been disabled. By default, many
> operating systems install auxiliary services that are not critical, such
> as an FTP client, telnet, and a Web server. These services are avenues of
> attack. If they are removed, blended threats have fewer avenues of attack
> and you have fewer services to maintain through patch updates.
>
> Update, Patch and Scan:
> Always keep your patch levels up-to-date, especially on computers that host
> public services and are accessible through the firewall, such as HTTP, FTP,
> mail, and DNS services.
>
> Configure your email server:
> Block or remove email that contains file attachments that are commonly used
> to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
>
> Block infected services:
> If a blended threat exploits one or more network services, disable, or
> block access to, those services until a patch is applied.
>
> Isolate and inoculate:
> Remove infected computers from the network/internet quickly to prevent
> further compromising your organization. Perform a forensic analysis and
> restore the computers using trusted media.
>
> Enforce a password policy:
> Complex passwords make it difficult to crack password files on compromised
> computers. This helps to prevent, limit and contain damage when a computer
> is compromised.
>
> Employee Awareness:
> Train employees not to open attachments unless they are expecting them.
> Also, do not execute software that is downloaded from the Internet unless
> it has been scanned for viruses. Simply visiting a compromised Web site can
> cause infection if certain browser vulnerabilities are not patched.
>
> = = = = = = = = = =
>
> Further information:
>
> Symantec's information on Klez.H is here:
> http:[EMAIL PROTECTED]
>
> Kaspersky's information is here:
> http://www.viruslist.com/eng/viruslist.html?id=4292
>
> F-Secure's is here:
> http://www.f-secure.com/v-descs/klez_h.shtml
>
> Information on the Internet Explorer vulnerability is here:
> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>
> Trend Micro's is here:
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H
>
> = = = = = = = = = =
>
> Joshua Burke
> Web Manager
> Heartland AEA 11

Archived messages from this list can be found at:
http://www.mail-archive.com/tech-cord@aea5.k12.ia.us/
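As an added example that is not part of the original list message, the Python check below applies the advisory's mail-server advice (block or strip .vbs, .bat, .exe, .pif and .scr attachments) together with its user-side tell (an attachment arriving with no message text) to constructed sample messages. The addresses, filenames and dummy payloads are assumptions made for the example; only the Python standard library is used.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types the advisory says to block or strip at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

def attachment_names(msg):
    """Filenames of every non-multipart part that carries a filename."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]

def body_is_empty(msg):
    """True when the message has no text body or only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()

def assess(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    names = attachment_names(msg)
    for name in names:
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
    # The advisory's user-side tell: an attachment but no message text.
    if names and body_is_empty(msg):
        reasons.append("attachment with no message text")
    if any(r.startswith("blocked") for r in reasons):
        return "block", reasons
    return ("quarantine", reasons) if reasons else ("deliver", reasons)

def build_sample(body_text, filenames):
    """Constructed test message (hypothetical addresses, dummy payloads)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content(body_text)
    for name in filenames:
        msg.add_attachment(b"\x00dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

# Constructed samples: executable plus a harvested .xls with no text, vs. normal mail.
WORM_LIKE = build_sample("", ["setup.exe", "budget.xls"])
BENIGN = build_sample("Report attached, see page 3.", ["report.pdf"])
if __name__ == "__main__":
    print(assess(WORM_LIKE), assess(BENIGN))
```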