The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

Alerts April 2002

Top 10 malware reported to Sophos in April 2002

Position  Last month  Malware         Percentage of reports
1         1           W32/Klez-G      77.8%
2         10          W32/Klez-E       5.8%
3         2           W32/Badtrans-B   4.7%
4         New         W32/ElKern-C     0.9%
5         3           W32/Magistr-B    0.8%
6=        Re-entry    W32/Klez-A       0.7%
6=        Re-entry    W32/MyLife-F     0.7%
8=        6           W32/Magistr-A    0.5%
8=        5           W32/Sircam-A     0.5%
8=        Re-entry    W32/Nimda-D      0.5%
Others                                 7.1%

This section describes how W32/Klez-G behaves.

Please note: Some customers have received this virus as an attachment to an email claiming to contain disinfection tools from Sophos for the W32/ElKern virus (the email calls it "W32.Elkern").

We can confirm that the infected file does not originate from Sophos, and we recommend that users do not open or launch unsolicited executable attachments.

W32/Klez-G is a Win32 worm that carries a compressed copy of the W32/ElKern-B virus, which it drops and executes when the worm is run.

This worm searches for email address entries in the Windows address book and in files found on local and network hard drives. W32/Klez-G uses its own mailing routine.

The email will have the following characteristics:

Subject line: either random or chosen from the following list:

How are you
Let's be friends
Darling
Don't drink too much
Your password
Honey
Some questions
Please try again
Welcome to my hometown
the Garden of Eden
introduction on ADSL
Meeting notice
Questionnaire
Congratulations
Sos!
japanese girl VS playboy
Look,my beautiful girl friend
Eager to see you
Spice girls' vocal concert
Japanese lass' sexy pictures

Message text: randomly composed by the worm; the message may also have no text at all.

Attached file: Randomly named with extension .PIF, .SCR, .EXE or .BAT.

The sender address which appears in the message "From:" field is chosen either from files on the local hard drive or from a list inside the virus.

Because the worm uses its own SMTP engine, the message may appear to come from any email address. Some of the messages will have a "From:" field and message text which imply that the message was sent by a major anti-virus vendor.

W32/Klez-G attempts to disable several anti-virus products and delete some anti-virus related files.

The worm attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer so that the executable attachment runs automatically, without the user double-clicking on it. Microsoft has issued a patch for this vulnerability, which can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)

W32/Klez-G may also spread to remote shares on other machines using random filenames.

It copies itself to the Windows System directory under a random filename. The worm then adds a value under the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

that points to the worm file, so that the file is run at every Windows startup.

Note: Because W32/Klez-G is detected by a generic technique, this virus name will also be reported when the more prevalent variant W32/Klez-H is encountered.
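The email characteristics above (fixed subject lines, a spoofed "From:" claiming to be an anti-virus vendor, and a randomly named .PIF/.SCR/.EXE/.BAT attachment) can be turned into a simple mail-gateway check. The following is an added example, not code from the original alert or from Sophos; the sample messages, the filename qxjd.pif and the sender addresses are constructed, and only Sophos is used as a spoofed vendor name because it is the one the alert mentions.

```python
import email
from email import policy

# Subject lines the alert lists for W32/Klez-G (the worm may also use a random subject).
KLEZ_SUBJECTS = {
    "how are you", "let's be friends", "darling", "don't drink too much",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl vs playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
}
# Attachment extensions the alert names.
EXEC_EXTENSIONS = (".pif", ".scr", ".exe", ".bat")
# Vendor names a spoofed "From:" may carry; only Sophos is named in the alert (assumption: extend as needed).
AV_VENDOR_WORDS = ("sophos",)

def klez_indicators(raw_message: str) -> list:
    """Return the Klez-G style indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KLEZ_SUBJECTS:
        hits.append("subject from Klez-G list")
    sender = (msg.get("From") or "").lower()
    if any(word in sender for word in AV_VENDOR_WORDS):
        hits.append("sender claims to be an anti-virus vendor")
    for part in msg.walk():  # every MIME part, including nested ones
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXTENSIONS):
            hits.append(f"executable attachment {name}")
    return hits

# Constructed sample messages (not real captures); addresses and filename are made up.
SAMPLE_WORM = (
    "From: support@sophos.example\r\nTo: victim@example.org\r\n"
    "Subject: Your password\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="qxjd.pif"\r\n'
    'Content-Disposition: attachment; filename="qxjd.pif"\r\n\r\nMZ\r\n'
    "--b1--\r\n"
)
SAMPLE_CLEAN = (
    "From: alice@example.org\r\nTo: bob@example.org\r\n"
    "Subject: Lunch tomorrow?\r\nContent-Type: text/plain\r\n\r\nSee you at noon.\r\n"
)
```

klez_indicators(SAMPLE_WORM) returns all three indicators, while the clean message returns an empty list; a gateway would quarantine on the executable-attachment hit alone, since the subject and sender are only supporting evidence.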
 
Copyright © 1998 The Computer Guys
