924Board.org
Discussion Forum of 924.org
 

Bad news .. worm klez.h

Joes924 (Guest)
Posted: Sun May 19, 2002 3:40 am

Yup, the worm klez.h. - Joe

Never looked into protection until now; I bought
a program to prevent this sort of thing.
Viruses suck.

[ This Message was edited by: joes924 on 2002-05-19 09:53 ]

Diesel (Guest)
Posted: Sun May 19, 2002 6:11 am

It's making the rounds, I got it from a bunch of people on this board and from what Vince Ponz says, my computer is sending it to people in my address book. This is with up to date Norton anti-virus too.

wdb (Guest)
Posted: Sun May 19, 2002 7:17 am

To clean up your puter and fix whatever a virus does, scan your hard drive online. Go to pc-cillin, click the link SCAN WITHOUT REGISTERING and AUTOFIX. Takes about 20 minutes, a little longer for large full hard drives.
http://housecall.antivirus.com/pc_housecall/
Works so well I don't even run my antivirus software (it slows down my puter, checks everything for viruses). I scan my puter once a week or so.

Joes924 (Guest)
Posted: Sun May 19, 2002 7:27 am

I got pc-cillin. Oh Diesel, I got the pet cd today. Thanks. Joe

[ This Message was edited by: Joes924 on 2002-05-19 09:55 ]

marky522 (Guest)
Posted: Sun May 19, 2002 10:34 am

If you guys want an extra level of protection and like using pc-cillin, go to Staples and ask for the Staples brand antivirus. It is the pc-cillin, but you also get a one year guarantee that if you get a virus Staples will pay to fix your puter!!!

Mark

Cbass (Guest)
Posted: Sun May 19, 2002 12:01 pm

Sounds good, I just ran a pccillin scan today... I have 271 viruses on my machine, most of them a really ugly worm in the Windows restore files, so I have to reinstall Windows to kill them.

larso (Guest)
Posted: Sun May 19, 2002 3:54 pm

I get about 10 emails each hour with the virus attached. Eventually you will make a mistake in Outlook Express and click OK instead of Cancel!!

Joes924 (Guest)
Posted: Mon May 20, 2002 3:29 am

It's freezing my puter and changes files.
It now won't let me run the pccillin. I don't know what to do. Put it in safe mode and, like pccillin says, delete the files; deleted 51 this morning. There's one in windows system that I can't delete or find using Start.

[ This Message was edited by: joes924 on 2002-05-20 04:16 ]

gohim (Guest)
Posted: Mon May 20, 2002 3:44 am

My cousin got a new copy of 5.0 Juno on CD directly from Juno, because she was having me do some work on a couple of computers for her that both had boot sector viruses. I had a hard time wiping the viruses out. Both McAfee, and Norton could not detect the viruses, and the viruses disabled both anti-virus programs. Eventually I managed to get rid of the virus from one hard drive, but was forced to replace the hard drive in the other computer. In the meantime the replacement Juno 5.0 Disk arrived. I installed replacement software on both computers, and installed Juno last. As soon as the Juno Program was installed, the KLEZ Virus showed up. A cheap quicky scan of the JUNO Distribution Disk showed that KLEZ was resident on the Juno 5.0 Disk.

wdb (Guest)
Posted: Mon May 20, 2002 4:52 am

Hey Joe, did you do the online scan? If nothing else works, it can't hurt. If all else fails, FDISK your hard drive and reinstall your OS.

Joes924 (Guest)
Posted: Mon May 20, 2002 5:05 am

I scanned and deleted 51 files. The one I can't is in windows system and Windows says it's being used; it's called [winkbh.exe]. How do I fdisk and reinstall?
Isn't that like dumping everything? How do I go about this? I have the 98 disc and the book, just don't know how to fdisk.

[ This Message was edited by: joes924 on 2002-05-20 05:11 ]

marky522 (Guest)
Posted: Mon May 20, 2002 5:18 am

You can always delete it through DOS, then you won't get the "File In Use" error.

Mark

Joes924 (Guest)
Posted: Mon May 20, 2002 5:33 am

I did just that but used safe mode. Now I'll scan again. Thanks everyone.

Diesel (Guest)
Posted: Mon May 20, 2002 11:41 am

This is from another board:

There's a worm going around which is causing a lot of confusion and problems for folks. The following is an overview about how it works and some ideas on how to protect yourself from it.
The worm is any one of several variants called Klez. Apparently in at least some instances it also contains a viral payload called Elkern.
The worm not only uses your address book as a source of targets to mail itself to without your knowledge, it also harvests all email addresses stored anywhere in your system. It's accessing cached pages from visited websites such as subguns.com and anyplace else you visit, and emailing itself to all of the addresses in those pages it finds. Even Symantec seems to be unaware of that ability, though I've sent them a copy of the payload I've observed doing it.

Safety tip:

Due to this, I've updated all the entries in the Recommended Dealers List to include an antiharvesting device, and I recommend you do so from now on with any postings to the internet or on your personal and business web pages. This merely consists of putting something readily visible into any place in your email address, such as REMOVETHIS. For example, REMOVETHISjoe@blow.com. The sender can click on the mail, it will open in the window as normal, but he must then click on the address and delete the REMOVETHIS portion or the mail will bounce back as undeliverable. It's a little more work, but you're smarter than the worm is so put it to your advantage.
You'll also be tipped off if you receive mail with an antiharvesting device in it, you'll know right away it's not a legitimate mail.
If you're planning on putting ads on the Classifieds, I recommend updating your profile to include an antiharvesting device, and modifying any ads you have existing. To edit an existing ad, first open it and try using the MODIFY THIS AD link inside the ad. If your browser won't work correctly with that, follow the instructions in this message: http://subguns.biggerhammer.net/classifieds.cgi?read=322
If you have an existing passworded ad on the Under $500 Ad Board, I'd recommend copying, deleting and then reposting it with an antiharvesting device in your email address.

What does an infected mail look like?

The worm works in this fashion; it inserts a random address from your files into the return address field so if you just click REPLY TO, you'll notify the wrong person. This also exponentially increases the chance of the target receiving an email he believes to be from a trusted party, even though that party had nothing to do with sending the email.

The attachments come with many different names, it chooses from a list. The subject of the email is also random, and often selected from text appearing near the email's location in the cached document. For instance, I've received ones which bounced back which were sent using the classifieds address and referenced Hagen Software, and ones using the subguns address which referenced "consent of Tom Bowers" (the last few words of the copyright notice). This makes it more likely the reader might associate the text with the sender and think they should open it.
Many also claim to be a patch for XP or a Klez removal tool. Don't be foolish, it's just the worm trying to suck you into installing it on your system.

How can I tell who really sent it?

If you view ALL headers, the return address there will USUALLY be right. Over the last couple days, I've found it isn't always. This may be a slightly different variant, though Norton doesn't call it anything different. Speaking of Norton, I do the live update at least once a day. It does NOT catch them all. I've been sent it in .bat, .pif, .scr and .exe formats (off the top of my head, there may be others).

An inherently unsafe mailer:

Outlook users, the default settings on your mailer will allow you to become infected without even clicking on the attachment. My recommendation is that you finally get rid of that thing AND uninstall it completely from your system. It's the most popular mail program in the world, and almost every worm written is written to exploit it.
If you cannot due to work issues or other reasons, there should be some way to keep it from auto-executing attachments, so look into it and pray.

Inherently unsafe systems:

Most systems have garbage defaults which are useful only to those wishing to exploit your system.
Your first line of defense against many worms is to turn off the Windows Scripting Host through your Control Panel. You'll typically find it in control panel/add and remove programs/windows setup/accessories. Turn off scripting in your browser as well, you don't use it for anything.
Without scripting, many worms such as Melissa and Loveletter can't use the .vbs extension and simply can't work even if you're foolish enough to click the attachment.

What else can I do to protect my system?

First, obtain and use a good antivirus program, and update it frequently. Daily updates are good if you get a lot of email.
Secondly, use your head. If you're not specifically expecting an attachment from someone, even if you know them, don't open it. It's not hard. Who cares what it is? If it's important they can send it again later. You only have to be stupid for a few thousandths of a second to cause yourself major grief and time.
So, don't be stupid. It's easier.

Too late, I'm already infected. What now?

Removal tools are available here: http://www.symantec.com
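
The header and attachment checks the forwarded post describes (compare the visible From with the return address in the full headers, spot the REMOVETHIS marker in an address, flag the attachment formats it lists), as an added example that is not part of the original post. The sample message, its placeholder addresses and the `triage` function are constructed for illustration.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

RISKY_EXT = (".bat", ".pif", ".scr", ".exe")  # attachment formats named in the post
MUNGE_TOKEN = "REMOVETHIS"                     # antiharvesting marker from the post

# Constructed sample message (not a real capture); all addresses are placeholders.
SAMPLE = b"""\
Return-Path: <carol@sender.example>
From: REMOVETHISalice@friend.example
To: joe@recipient.example
Subject: consent of Tom Bowers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attachment
--b1
Content-Type: application/octet-stream; name="setup.scr"
Content-Disposition: attachment; filename="setup.scr"

AAAA
--b1--
"""

def triage(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Return-Path records the envelope sender; it is usually, not always, genuine.
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    ret_addr = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    if ret_addr and from_addr != ret_addr:
        findings.append(f"From {from_addr} differs from Return-Path {ret_addr}")
    headers = [str(h) for n in ("From", "To", "Cc") for h in msg.get_all(n, [])]
    for _, addr in getaddresses(headers):
        if MUNGE_TOKEN in addr.upper():
            findings.append(f"{addr} carries {MUNGE_TOKEN}: address was harvested")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment {name}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

A mismatch between From and Return-Path is a signal for review rather than proof, since legitimate mailing lists and forwarders also produce it.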


Joes924 (Guest)
Posted: Mon May 20, 2002 7:25 pm


I got rid of it... reformatted my hard drive.

All times are GMT + 10 Hours
Page 1 of 2

 