IWS - The Information Warfare Site

ALERT 02-002

"Propagation of the W32/Klez.h@mm Worm and Variants"
April 26, 2002


The National Infrastructure Protection Center (NIPC) continues to monitor a mass-mailing worm called Klez.h. The NIPC is issuing this alert due to information received from industry partners, combined with the striking number of infections reported in the wild during the last forty-eight hours. Klez.h spoofs an e-mail address found on the intended victim's system, so a message may appear to have been sent by a familiar party. It selects at random from over 100 subject lines and attaches itself under several different file names. The worm also masquerades as a "Klez.E immunity tool" with the subject line "Worm Klez.E Immunity", and it attempts to disable common anti-virus scanning programs such as McAfee, Antivir, Norton, Scan, AVConsol, F-Secure, Sophos and others.
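Because the sender address is spoofed from the victim's own system, sender identity is worthless as a filter signal; what remains is the message content. The following mail-screening routine is an added example written for this page, not part of the NIPC alert or any vendor's tool. It parses a message, flags the one subject line the alert quotes, and flags attachments by filename extension rather than by the declared MIME type (the MS01-020 patch referenced below addressed Internet Explorer running an attachment whose Content-Type did not match its contents). The extension list and the two sample messages are constructed for the example.

```python
"""Screen inbound mail for traits the NIPC alert attributes to Klez.h.

Added example; the subject line comes from the alert, everything else
(extension policy, sample messages) is constructed here.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Subject line quoted in the alert, compared case-insensitively.
KNOWN_WORM_SUBJECTS = {"worm klez.e immunity"}

# Extensions this example treats as executable (an assumed local policy,
# not a list taken from the alert).
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com"}


def executable_attachments(msg: EmailMessage) -> list:
    """Return attachment filenames whose extension is on the executable list.

    The declared Content-Type is ignored on purpose: a mismatched MIME type is
    exactly the trick MS01-020 patched, so the filename is the thing to check.
    """
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def screen_message(raw: bytes) -> list:
    """Return a list of reasons to quarantine the message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "")
    if subject.strip().lower() in KNOWN_WORM_SUBJECTS:
        reasons.append("known worm subject: " + subject.strip())
    for name in executable_attachments(msg):
        reasons.append("executable attachment: " + name)
    return reasons


# Constructed sample: executable attachment labelled as audio, worm subject.
SAMPLE_SUSPICIOUS = b"""From: colleague@example.com
To: user@example.net
Subject: Worm Klez.E Immunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Constructed sample body.
--BOUNDARY
Content-Type: audio/x-wav; name="immunity.exe"
Content-Disposition: attachment; filename="immunity.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--BOUNDARY--
"""

# Constructed sample: ordinary plain-text mail.
SAMPLE_CLEAN = b"""From: colleague@example.com
To: user@example.net
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain

See you at 10.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label, screen_message(raw))
```

The subject check only catches the one lure the alert names; with more than 100 subject lines in rotation, the attachment check is the one that generalizes.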

Klez.h also infects the victim machine with the Elkern virus, which may be detected as NGVCK.a. The Elkern virus randomly infects executable files on the local machine and on network shares and replaces the contents of these files with random characters while maintaining the original file size. This will cause most systems to crash and at the very least destroy critical operating system files.
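The detail that matters for detection is that the file size is preserved: an integrity monitor that compares only sizes or timestamps sees nothing. The following file-integrity baseline is an added example written for this page, not part of the alert or of any product; it hashes executable files under a directory, then classifies changes so that a same-size content change is reported separately from a resize, an addition or a removal. The directory, file names and the simulated overwrite in `demo()` are all constructed inside a temporary directory the script creates itself; the suffix list is an assumed policy.

```python
"""File-integrity baseline that distinguishes same-size overwrites.

Added example, not from the NIPC alert. The alert states that Elkern
replaces executable contents with random characters while keeping the file
size, so only a content hash reveals the change.
"""
import hashlib
import random
import tempfile
from pathlib import Path

# Suffixes this example treats as executable (assumed policy, not from the alert).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def snapshot(root: Path) -> dict:
    """Map each executable's path (relative, POSIX form) to (size, sha256)."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            result[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare(before: dict, after: dict) -> dict:
    """Classify differences between two snapshots.

    'same_size_modified' is the category a size-only monitor would miss.
    """
    findings = {"same_size_modified": [], "resized": [], "added": [], "removed": []}
    for rel, (size_b, hash_b) in before.items():
        if rel not in after:
            findings["removed"].append(rel)
            continue
        size_a, hash_a = after[rel]
        if hash_a == hash_b:
            continue  # unchanged content
        if size_a == size_b:
            findings["same_size_modified"].append(rel)
        else:
            findings["resized"].append(rel)
    findings["added"].extend(rel for rel in after if rel not in before)
    for names in findings.values():
        names.sort()
    return findings


def demo() -> dict:
    """Baseline a throw-away tree, then apply two kinds of change.

    One file gets its contents replaced by random bytes of identical length
    (simulating what the alert describes); another gets a legitimate update
    that changes its size. A text file is present but outside the policy.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        app = root / "bin" / "app.exe"
        helper = root / "bin" / "helper.dll"
        app.write_bytes(b"MZ" + b"\x00" * 510)       # constructed stand-in
        helper.write_bytes(b"MZ" + b"\x01" * 1022)   # constructed stand-in
        (root / "readme.txt").write_bytes(b"not an executable")
        before = snapshot(root)

        # Same-size overwrite with random bytes (seeded so the run is repeatable).
        helper.write_bytes(random.Random(1).randbytes(helper.stat().st_size))
        # Ordinary update that grows the file.
        app.write_bytes(b"MZ" + b"\x00" * 600)

        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for category, names in demo().items():
        print(category, names)
```

In practice the baseline snapshot would be written to storage the monitored host cannot modify, since a worm that overwrites executables can just as easily overwrite a baseline file stored beside them.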

Users are strongly encouraged to update their anti-virus signatures and visit the following Microsoft web sites for the appropriate patches for Outlook and Internet Explorer 5.x:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262631

The anti-virus software industry is aware of Klez.h and has signature files to detect and remove it from infected hosts. Full descriptions and removal instructions are located at the following anti-virus web sites:

F-Secure Corp.
http://www.f-secure.com/v-descs/klez_h.shtml

Network Associates Inc./McAfee.com
http://vil.mcafee.com/dispVirus.asp?virus_k=99455

Symantec Corp.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

Trend Micro Inc.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H

As always, the NIPC encourages computer users to keep anti-virus and systems software current by frequently checking vendor web sites for updates, and routinely checking for alerts issued by the NIPC, FedCIRC, CERT/CC, and similar organizations.

The NIPC encourages recipients of this alert to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@fbi.gov.