N'ouvrez jamais les emails non signés ou sans texte... même s'ils semblent venir de qq1 que vous connaissez bien....  surtouts les pieces jointes qui les accompagnent. des virus circulent.... soyez vigilants.

QUESTION VIRUS

Information virus Klez.E

et son Virus associé W32.ElKern.3326

1) Virus Klez.E     ( Pièce jointe invisible)

Klez.E est un virus de mail qui se présente sous la forme d'un message dont le titre, le corps et le nom du fichier attaché sont aléatoires. Parfois accompagné d'une image, ce dernier possède une extension en .EXE, .PIF, .COM, .BAT, .SCR ou .RAR, mais l'extention visible peut également être .WAV ou .MID car le virus falsifie le content-type dans l'entête du message (avec Outlook, la pièce jointe est ainsi invisible). Quelques titres possibles : A WinXP patch Spice girls' vocal concert Run in DOS mode How are you Let's be friends Darling Don't drink too much Your password Honey Some questions Please try again Welcome to my hometown the Garden of Eden introduction on ADSL Meeting notice Questionnaire Congratulations Sos! japanese girl VS playboy Look,my beautiful girl friend Eager to see you Spice girls' vocal concert Japanese lass' sexy pictures Pretty Woman Le virus s'exécute automatiquement à l'ouverture du mail ou lors de son affichage dans la fenêtre de prévisualisation d'Outlook, si l'application n'a pas été patchée contre une vulnérabilité MIME connue. Si le fichier joint est exécuté, le virus se copie dans le répertoire Système de Windows avec l'attribut "fichier caché" sous le nom WINK*.EXE (où * est une chaîne de caractères aléatoire), modifie la base de registres pour s'exécuter automatiquement au prochain démarrage, puis copie dans le répertoire Système et exécute le fichier WQK.EXE correspondant au virus ElKern. Klez.E extrait ensuite les adresses emails contenues dans les carnets d'adresses Windows et ICQ pour s'envoyer automatiquement à certains correspondants avec son propre serveur SMTP, en utilisant généralement une fausse adresse email d'expéditeur piochée dans une liste pré-établie : pw246@columbia.edu queen@helix.com.hk yaya@wfc.com.tw atoz@2911.net anti@helix.com.hk graph@helix.com.hk street@verizon.net sani@2911.net santurn@verizon.net andy@verizon.net little@hitel.net gigi@helix.com.hk bet@helix.com.hk lily@88win.com sun@verizon.net linda@verizon.net raise@wfc.com.tw rainrainman@hongkong.com karala@hongkong.com sammychen@wfc.com.tw flywind@wfc.com.tw suck@wfc.com.tw urlove@wfc.com.tw tutu@88win.com cheu@2911.net xyz@2911.net pet@2911.net girl@edirect168.com littlecat@hongkong.com panshugang@chinese.com pipti@21cn.com certpass@21cn.com powerhero@263.net CR7269CH@terra.es RUBENSOTOAGUI@terra.es ACAMDR@terra.es ol-petech@terra. es ROSANAMOLTO@terra.es MANUEL23@terra.es cristian_soto@terra.es carlos_nuevo@terra.es Klez.E se propage le cas échéant via les dossiers partagés, puis désactive et tente d'éliminer certains antivirus et firewalls, en supprimant les clés de base de registres et répertoires correspondants : _AVP32 _AVPCC NOD32 NPSSVC NRESQ32 NSCHED32 NSCHEDNT NSPLUGIN NAV NAVAPSVC NAVAPW32 NAVLU32 NAVRUNR NAVW32 _AVPM ALERTSVC AMON AVP32 AVPCC AVPM N32SCANW NAVWNT ANTIVIR AVPUPD AVGCTRL AVWIN95 SCAN32 VSHWIN32 F-STOPW F-PROT95 ACKWIN32 VETTRAY VET95 SWEEP95 PCCWIN98 IOMON98 AVPTC AVE32 AVCONSOL FP-WIN DVP95 F-AGNT95 CLAW95 NVC95 SCAN VIRUS LOCKDOWN2000 Norton Mcafee Antivir TASKMGR2 Enfin, le 6 de chaque mois impair (Janvier, Mars, Mai, Juillet, Septembre, Novembre) le virus écrase les principaux fichiers de données du disque dur (TXT, HTM, HTML, WAB, DOC, XLS, CPP, C, PAS, MPEG, MPG, BAK, MP3, et JPG) de manière à ce que leur contenu ne soit plus récupérable. Pour s'en préserver, il faut s'assurer être à jour dans ses correctifs sécurité et supprimer le mail dès son arrivée dans la boîte de réception. L'utilitaire de désinfection ci-dessous permet de rechercher et d'éliminer Klez.A, Klez.B, Klez.C et Klez.E. Le site Windows Update pour mettre à jour Internet Explorer (ou sinon le Security Bulletin MS01-020) Télécharger l'utilitaire FIXKLEZ (Trend Micro) pour éliminer les virus Klez et Elkern en cas d'infection Dossier Secuser.com sur les virus Abonnement gratuit à la lettre Secuser Alert pour être prévenu de l'apparition des nouveaux hoax et virus Le virus Klez.E, méchant un mois sur deux 06/03 - 01net (lire l'article)

 

2) Virus W32.ElKern.3326

Discovered on: October 25, 2001

Last Updated on: January 4, 2002 at 10:49:42 AM PST

W32.ElKern.3326 is a virus that infects files over open shares, mapped drives; it also tries to infect all executable files in the \Windows\System folder.

If it is activated under Windows NT/2000, then this virus will crash when first activated.
If it is activated under Windows 9x and you have a mapped network share that is write-protected, then this virus will crash your computer after a short period.

Some files that become infected with this virus will not change in size.

This virus has a payload that will destroy all files on locally connected drives (including mapped drives).

This payload becomes active on:

• March 13

• September 13

When executed, the virus also has a very small chance of randomly activating this payload.

NOTE: This virus is associated with and can be dropped by either W32.Klez.A or W32.Klez.D. Please read those write-ups for additional information.

Also Known As: W32.ElKern.3326 (dr)
Type: Virus
Infection Length: 3326 bytes

Virus Definitions (Intelligent Updater): October 26, 2001

Threat Assessment:

 

Wild: Low

Damage: Medium

Distribution: High

Wild:

• Number of infections: 0 - 49

• Number of sites: 0 - 2

• Geographical distribution: Low

• Threat containment: Moderate

• Removal: Moderate

Damage:

• Payload Trigger: - when executed the virus has a very small chance of randomly activating this payload. - 13th of March - 13th of September

• Payload:

  • Modifies files: fills file with zeros

 

Technical description:

When this virus infects files, it can behave as either a cavity infector or an appender. This means that, if possible, the virus will inject itself into the host file in such a fashion as to not increase its overall size.

Once the virus is activated, it creates a new thread for its own execution and then gives control directly to the original host program.

The virus then creates a copy of itself in the \Windows\System folder. Norton AntiVirus detects this file as W32.ElKern.3326 (dr). The file name differs, depending on the operating system:

• Windows 95/98/Me: %System%\Wqk.exe

• Windows NT/2000: %System%\Wqk.dll

NOTE: %System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32), and copies itself to that location.

It then does the following, depending on the operating system:

• Windows 95/98/Me
  It adds the value
  
  WQK   %System%\Wqk.exe
  
  to the registry key
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\
  Windows\CurrentVersion\Run
  
  This causes the virus to run each time that you start Windows.
  

• Windows NT/2000
  It attempts to add the value
  
  AppInit_DLLs  %System%\Wqk.dll
  
  to the registry key
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\
  Windows NT\CurrentVersion\Windows
  
  Due to a bug in the virus, it does not work properly under Windows NT/2000 and is not able to create the value.

The virus then attempts to infect all executable files in the %System% folder (and its subfolders). It sleeps for a random period of time between each file that it tries to infect.

NOTE: When the virus searches for files to infect, this virus ignores the file extensions. The virus checks each file to see if it is a valid Windows executable before infecting it. However, it does not infect .dll files.

During the infection process this virus will infect all drives on your computer (including mapped ones).

This virus also searches through all available network resources for open shares, which it then tries to infect.

Due to a bug in the virus, it will crash a computer running Windows 9x if any of these shares are write-protected.

 

Removal instructions:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Click Repair for any file that is identified as being infected with W32.ElKern.3326.
5. Click Delete for any file that is identified as being infected with W32.ElKern.3326 (dr).
6. If you are running Windows 95/98/Me, go on the next section to remove the value that the virus added to the registry.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run

4. In the right pane, delete the following value:

AppInit_DLLs  %System%\Wqk.dll

5. Click Registry, and click Exit

Write-up by: Atli Gudmundsson 

---

Message de la Comm'

(NewsLetter ARF du 20 mars 2002)

---