Re: META: Virus Redux

From: Ziana Astralos (ziana@extrotech.net)
Date: Wed Mar 27 2002 - 18:22:14 MST


On Tue, 26 March 2002, e_shaun@extropy.org wrote:
> Well, in my last message, it seems that I spoke too
> soon. These viruses have taken over my computer,
> and somehow embedded themselves in my Norton files.
> ...

Frell, that's not good at all... Here is the (rather lengthy, but pasting it
all in case you aren't able to access it) page about the virus you have,
W32.Klez.E@mm (as far as I can tell, from the subject lines you mentioned in
your previous email). Hopefully this will help.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Discovered on: January 17, 2002
Last Updated on: March 19, 2002 at 09:03:04 PM PST

Due to an increased rate of submissions, Symantec Security Response is
upgrading the threat level for W32.Klez.E@mm from level 2 to level 3 as of
March 6, 2002.
W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm
that also attempts to copy itself to network shares. The worm uses random
subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express
in an attempt to execute itself when you open or even preview the message in
which it is contained. Information and a patch for the vulnerability are
available at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

The worm overwrites files and creates hidden copies of the originals. In
addition, the worm drops the virus W32.Elkern.3587, which is similar to
W32.ElKern.3326.

The worm attempts to disable some common antivirus products and has a
payload which fills files with all zeroes.

Type: Virus, Worm

Virus Definitions (Intelligent Updater): January 17, 2002
Virus Definitions (LiveUpdateTM): January 23, 2002

Threat Assessment:

Wild: Medium
Damage: Medium
Distribution: High

Wild:

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Damage:

Payload: Disables common antivirus products
Large scale e-mailing: Mails email addresses found in local files, and
Outlook and ICQ address books
Modifies files: Overwrites files with zeros on the 6th of every odd numbered
month (January, March, May, July, September, November)

Distribution:

Subject of email: Random subject
Name of attachment: Randomly named file with .bat, .exe, .pif or .scr
extension

Technical description:

When the worm is executed, it copies itself to %System%\Wink[random
characters].exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by
default this is C:\Windows\System or C:\Winnt\System32) and copies itself to
that location.

It adds the value

Wink[random characters] %System%\Wink[random characters].exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you
start Windows.
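Both persistence mechanisms described above (a Run value, or a Services subkey, named Wink[random characters]) can be checked from a regedit export before anything is deleted, which also gives you the exact wink file name the removal steps say to write down. The following is an added example, not part of the Symantec writeup or of Norton AntiVirus: it parses the text format regedit produces with Registry > Export and flags the entries the writeup attributes to the worm. The .reg content and the name "WinkQ7xz" are constructed stand-ins for Wink[random characters]; the key paths and the WQK value come from the writeup.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of a regedit text export (.reg). The Wink*/WQK entries
# mirror the values the writeup says the worm adds; the rest is ordinary noise.
# "WinkQ7xz" is a made-up stand-in for Wink[random characters].
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinkQ7xz"="C:\\WINDOWS\\SYSTEM\\WinkQ7xz.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinkQ7xz]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\WinkQ7xz.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# Value/subkey names the writeup attributes to the worm: Wink[random] and WQK.
WINK_NAME = re.compile(r"^wink", re.IGNORECASE)
# Image paths ending in Wink<anything>.exe or Wqk.exe, whatever the folder.
WINK_IMAGE = re.compile(r"(^|[\\/])(wink[^\\/]*|wqk)\.exe$", re.IGNORECASE)

_VALUE_LINE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    data: str
    reason: str


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of regedit's export format needed here: [key] headers
    followed by "name"=data lines. Quoted string data has its \\ and \" escapes
    undone; other data (dword:, hex:) is kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) or "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def find_klez_persistence(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag the Run values and Services subkeys the writeup describes."""
    findings: List[Finding] = []
    for key, values in keys.items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if WINK_NAME.match(name) or name.upper() == "WQK":
                    findings.append(Finding(key, name, data,
                                            "Run value named like the worm's Wink*/WQK entries"))
                elif WINK_IMAGE.search(data):
                    findings.append(Finding(key, name, data,
                                            "Run value launches a Wink*.exe or Wqk.exe image"))
        elif key.lower().startswith(SERVICES_KEY.lower() + "\\"):
            subkey = key[len(SERVICES_KEY) + 1:].split("\\")[0]
            if WINK_NAME.match(subkey):
                findings.append(Finding(key, subkey, values.get("ImagePath", ""),
                                        "Services subkey named Wink[random characters]"))
    return findings


def wink_file_names(findings: List[Finding]) -> Set[str]:
    """The exact file names to write down before deleting the registry
    entries (the removal steps say to note the Wink name first)."""
    names = set()
    for f in findings:
        base = f.data.replace("/", "\\").split("\\")[-1]
        if WINK_IMAGE.search(base):
            names.add(base)
    return names


if __name__ == "__main__":
    found = find_klez_persistence(parse_reg_export(SAMPLE_REG_EXPORT))
    for f in found:
        print(f"{f.key}\n    {f.name} = {f.data}\n    ({f.reason})")
    print("file names to note:", sorted(wink_file_names(found)))
```

Run it against a real export by reading the .reg file into `parse_reg_export` (regedit may save it as UTF-16, so open it with the matching encoding). The match on the image path, not only the value name, is deliberate: it still fires if the value was renamed but points at a Wink*.exe or Wqk.exe in the System folder.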

The worm attempts to disable on-access virus scanners and some previously
distributed worms (such as W32.Nimda and CodeRed) by stopping any active
processes. The worm removes the startup registry keys used by antivirus
products and deletes checksum database files including:

ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT

The worm copies itself to local, mapped, and network drives as:

A random file name with a double extension. For example, filename.txt.exe.
A .rar archive with a double extension. For example, filename.txt.rar.
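The double-extension trick above works because Explorer hides the final extension of known file types, so report.txt.exe is displayed as report.txt (which is why the removal steps insist on showing all files and extensions first). As an added example, not from the Symantec writeup, here is a small scanner for a local or mapped drive that flags exactly that naming pattern; the sample file names are constructed, and the "looks harmless" inner-extension list is borrowed from the writeup's payload file types.

```python
import os
import shutil
import tempfile
from typing import List

# Final extensions the writeup names for the worm's attachments and share
# copies (.bat, .exe, .pif, .scr), plus .rar for its archive form.
OUTER_EXTS = {"bat", "exe", "pif", "scr", "rar"}
# Document-looking inner extensions; this is the file-type list from the
# writeup's payload description, reused here as the "looks harmless" set.
INNER_EXTS = {"txt", "htm", "html", "wab", "doc", "xls", "jpg", "cpp", "c",
              "pas", "mpg", "mpeg", "bak", "mp3"}


def is_double_extension(name: str) -> bool:
    """True for names like report.txt.exe or photos.jpg.rar: an executable
    or archive extension hiding behind a document-looking one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in OUTER_EXTS and parts[-2] in INNER_EXTS


def displayed_name(name: str) -> str:
    """Simplified model of Explorer's "Hide file extensions for known file
    types": the last known extension is dropped, so report.txt.exe shows
    as report.txt."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in OUTER_EXTS | INNER_EXTS:
        return stem
    return name


def scan_for_double_extensions(root: str) -> List[str]:
    """Walk a directory tree and return the suspicious paths, relative to
    root, with forward slashes, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if is_double_extension(fname):
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


# Constructed sample tree: three worm-style names among ordinary files.
SAMPLE_FILES = [
    "notes.txt", "setup.exe", "archive.tar.gz",
    "memo.doc.scr", "photos.jpg.rar", "share/report.txt.exe",
]


def demo() -> List[str]:
    """Build the sample tree in a temp directory, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="klez_demo_")
    try:
        for rel in SAMPLE_FILES:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"placeholder")  # content is irrelevant; names are what matter
        return scan_for_double_extensions(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        shown = displayed_name(os.path.basename(hit))
        print(f"{hit}  (Explorer would show it as {shown!r})")
```

Point `scan_for_double_extensions` at a share root to check the network copies the writeup mentions. Requiring the inner extension to be document-like keeps ordinary names such as setup.v2.exe or archive.tar.gz out of the results; a hit is a file to quarantine and scan, not proof of infection on its own.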

In addition, the worm searches the Windows address book, the ICQ database,
and local files (such as .html and text files) for email addresses. The worm
sends an email message to these addresses with itself as an attachment. The
worm contains its own SMTP engine and attempts to guess at available SMTP
servers.

The subject line, message bodies, and attachment file names are random. The
from address is randomly chosen from email addresses that the worm finds on
the infected computer.

NOTES:
Because this worm does use a randomly chosen address that it finds on an
infected computer as the "From:" address, numerous cases have been reported
in which users of uninfected computers receive complaints that they have
sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with
W32.Klez.E@mm; Linda is not using an antivirus program or does not have
current virus definitions. When W32.Klez.E@mm performs its emailing routine,
it finds the email address of Harold Logan. It inserts Harold's email
address into the "From:" line of an infected email that it then sends to
Janet Bishop. Janet then contacts Harold and complains that he sent her
infected email, but when Harold scans his computer, Norton AntiVirus does
not find anything--as would be expected--because his computer is not
infected.

If you are using a current version of Norton AntiVirus, have the most recent
virus definitions, and a full system scan with Norton AntiVirus set to scan
all files does not find anything, you can be confident that your computer is
not infected with this worm.

There have been several reports that, in some cases, if you receive a
message that the virus has sent using its own SMTP engine, the message
appears to be a "postmaster bounce message" from your own domain. For
example, if your email address is jsmith@anyplace.com, you could receive a
message that appears to be from postmaster@anyplace.com, indicating that you
attempted to send email and the attempt failed. If this is the false message
that is sent by the virus, the attachment includes the virus itself. Of
course, such attachments should not be opened.

If the message is opened in an unpatched version of Microsoft Outlook or
Outlook Express, the attachment may be automatically executed. Information
about this vulnerability and a patch are available at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm also infects executables by creating a hidden copy of the original
host file and then overwriting the original file with itself. The hidden
copy is encrypted, but contains no viral data. The name of the hidden file
is the same as the original file, but with a random extension.

The worm also drops the virus W32.Elkern.3587 as the file %System%\wqk.exe
and executes it.

Finally, the worm has a payload. On the 6th of every odd numbered month
(except January or July), the worm attempts to overwrite with zeroes files
that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp,
.c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, this
payload attempts to overwrite all files with zeroes, not just those with the
aforementioned extensions.

Removal instructions:

Norton AntiVirus has been able to detect W32.Klez.E@mm since January 17,
2002. If you have current definitions and have a current version of Norton
AntiVirus set as recommended (to scan all files), W32.Klez.E@mm will be
detected if it attempts to activate. If you simply suspect that the
(inactivated) file resides on the computer, run LiveUpdate to make sure that
you have current definitions, and then run a full system scan.

If W32.Klez.E@mm has activated, in most cases you will not be able to start
Norton AntiVirus. Once this worm has executed, it can be difficult and time
consuming to remove. The procedure that you must use to do this varies with
the operating system. Please read and follow all instructions for your
operating system.

Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This
procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how
many times the worm has executed, the process may not work in all cases. If
it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the
Windows desktop. This is a necessary first step to make sure that you have
current definitions available later in the removal process. Intelligent
Updater virus definitions are available at

http://securityresponse.symantec.com/avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent
Updater virus definitions from the Symantec Security Response Web site, read
the document How to update virus definition files using the Intelligent
Updater.

2. Restart the computer in Safe mode
You must do this as the first step. For instructions, read the document How
to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry
You must edit the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove
the wink???.exe value after you write down the exact name of the wink file.

CAUTION: We strongly recommend that you back up the system registry before
you make any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure that you modify
only the keys that are specified. Please see the document How to back up the
Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for the following values:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

5. Write down the exact file name of the Wink[random characters].exe file
6. Delete the Wink[random characters] value and the WQK value (if it
exists).
7. Navigate to and expand the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

8. In the left pane, under the \Services key, look for the following subkey,
and delete it, if it exists:

\Wink[random characters]

NOTE: This probably will not exist on Windows 95/98/Me-based computers, but
you should check for it anyway.

9. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Windows\System folder and locate the
Wink[random characters].exe file. (Depending on your system settings, the
.exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Windows,
make the appropriate substitution.

5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle
Bin.

6. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if
prompted.

7. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then
restart it. Allow it to start normally. If any files are detected as
infected, Quarantine them. Some of the files that you may find are
Luall.exe, Rescue32.exe, and Nmain.exe.

8. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from a
command line.
1. Click Start, and click Run.
2. Type--or copy and paste--the following, and then click OK:

NAVW32.EXE /L /VISIBLE

3. Allow the scan to run. Quarantine any additional files that are detected.

9. Restart the computer
Allow it to start normally.

10. Reinstall NAV
1. Reinstall NAV from the installation CD.
2. Start NAV, and make sure that it is configured to scan all files. For
instructions on how to do this, read the document How to configure Norton
AntiVirus to scan all files.
3. Run a full system scan. Quarantine any files that are detected as
infected.

Manual removal procedure for Windows 2000/XP

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the
Windows desktop. This is a necessary first step to make sure that you have
current definitions available later in the removal process. Intelligent
Updater virus definitions are available at

http://securityresponse.symantec.com/avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent
Updater virus definitions from the Symantec Security Response Web site, read
the document How to update virus definition files using the Intelligent
Updater.

2. Restart the computer in Safe mode
You must do this as the first step. All Windows 32-bit operating systems
except Windows NT can be restarted in Safe mode. Read the document for your
operating system.
How to start Windows XP in Safe mode
How to start Windows 2000 in Safe mode

3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
and remove the wink???.exe subkey after you write down the exact name of the
wink file.

CAUTION: We strongly recommend that you back up the system registry before
you make any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure that you modify
only the keys that are specified. Please see the document How to back up the
Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

4. In the left pane, under the \Services key, look for the following subkey:

\Wink[random characters]

5. Write down the exact file name of the Wink[random characters].exe file
6. Delete the Wink[random characters] subkey.
7. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

8. In the right pane, look for the following values, and delete them if they
exist:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

NOTE: They probably will not exist on Windows 2000/XP-based computers, but
you should check for them anyway.

9. Click Registry, and click Exit.

4. Configure Windows to show all files
Do not skip this step.
1. Start Windows Explorer.
2. Click the Tools menu, and click "Folder options."
3. Click the View tab.
4. Uncheck "Hide file extensions for known file types."
5. Uncheck "Hide protected operating system files," and under the "Hidden
files" folder, click "Show hidden files and folders."
6. Click Apply, and then click OK.

5. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Winnt\System folder and locate the
Wink[random characters].exe file. (Depending on your system settings, the
.exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Windows,
make the appropriate substitution.

5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle
Bin.

6. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if you
are prompted.

7. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds and then
restart it.

CAUTION: This step is very important. Reinfection will occur if this is not
followed.

Allow it to start normally. If any files are detected as infected,
quarantine them. Some of the files that you may find are Luall.exe,
Rescue32.exe, and Nmain.exe.

8. Reinstall NAV
1. Reinstall NAV from the installation CD.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
3. Run a full system scan. Quarantine any files that are detected as
infected.

9. Restart the computer and scan again
Restart the computer, and run another scan to make sure that all traces of
the infection have been removed.

Revision History:

January 17, 2002: Revised Technical Description to include analysis of the
worm.
January 18, 2002:
Added payload information regarding overwriting files with zeros on the 6th
of each month. On Jan 6 and Jul 6 this payload affects all files.
Provided list of antivirus product database files which are deleted
Added specific name for W32.Elkern.3587, the virus dropped by the worm
Added filename extension for email Attachment
March 6, 2002: Upgrade to Level 3 based on number of submissions

Aumentar!
Onward,
-----------------------------------------------------
      Ziana Astralos GCS/MC/IT/L/O d- s-:- a?
    ziana@extrotech.net C++++ UL P+ L+ W+++ N+
                           K++ w+ M-- PS+++ PE Y+
         T.E.C.H. PGP-- t+@ 5++ X R tv+
 http://www.extrotech.net b+++ DI++++ D+ G++ UF+
-----------------------------------------------------



This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:13:07 MST