[CQ-Contest] The KLEZ virus and contesters

Bob Naumann - N5NJ n5nj at gte.net
Fri May 3 07:37:29 EDT 2002


For several weeks, I have been receiving emails telling me that my email
address is sending out virus-laden emails.  In fact, my computer is not
sending them, but another computer infected with a virus, likely belonging
to a contester, is sending out emails and using email addresses from all
over that computer to 'spoof' many email addresses, including mine as the
"from" address.  Many of the addresses I see being spoofed belong to other
contesters.  Also, the subject lines of the messages include things like "VA
QSO PARTY" which tells me it has to be from a contester's computer.

Everyone should be running a virus protection program on their computers.
If you are not, you are likely to be infected already by one or more of
these email based viruses.  Please, please obtain a virus scanner/monitor
program for your computer.  There are many available and some are even free.
Part of the responsible way to run a "connected" computer is having virus
protection, and updating it frequently with the data that enables it to
continue to protect your computer.  These updates are often called
"signature files".

In addition to running and properly maintaining a virus protection program,
a utility is available that can assist in detecting and repairing the
infection from the KLEZ virus (as well as some others).

The program is called "Kleztool.com" and you can download it from the
contesting.com website in the file libraries at this address:

http://www.contesting.com/libraries/Utilities

After you unzip the program, issue the following command at the DOS window
prompt (don't shut down Windows):

KLEZTOOL /scanfiles

It will scan your entire hard drive and will report if it finds any infected
files.

Here's the technical stuff on what it does:
***************************************************************************
  Utility for cleaning infection by:
   I-Worm.BleBla.b
   I-Worm.Navidad
   I-Worm.Sircam
   I-Worm.Goner
   I-Worm.Klez.a
   I-Worm.Klez.e(f,h)
 Version 4.0.1 Copyright (C) Kaspersky Lab 2000-2002. All rights reserved.
***************************************************************************
Command line:
 /scanfiles - to force scanning of hard drives. The program will scan the hard
  drive for I-Worm.Klez.a(e,f,h) infection in any case.
 /netscan - include scanning of mapped network drives.
 /y - end program without pressing any key.
 /i - show command line info.
Return codes:
 0 - nothing to clean
 1 - virus was deleted and system restored
 2 - to finalize removal of virus you should reboot system
 3 - to finalize removal of virus you should reboot system and start
  program the second time
 4 - program error.
***************************************************************************

I-Worm.BleBla.b
---------------
 If the program finds the HKEY_CLASSES_ROOT\rnjfile key in the registry, it:
deletes registry keys
 HKEY_CLASSES_ROOT\rnjfile
 HKEY_CLASSES_ROOT\.lha
repairs registry keys to default values
 HKEY_CLASSES_ROOT\.jpg to jpegfile
 HKEY_CLASSES_ROOT\.jpeg to jpegfile
 HKEY_CLASSES_ROOT\.jpe to jpegfile
 HKEY_CLASSES_ROOT\.bmp to Paint.Picture
 HKEY_CLASSES_ROOT\.gif to giffile
 HKEY_CLASSES_ROOT\.avi to avifile
 HKEY_CLASSES_ROOT\.mpg to mpegfile
 HKEY_CLASSES_ROOT\.mpeg to mpegfile
 HKEY_CLASSES_ROOT\.mp2 to mpegfile
 HKEY_CLASSES_ROOT\.wmf to empty
 HKEY_CLASSES_ROOT\.wma to wmafile
 HKEY_CLASSES_ROOT\.wmv to wmvfile
 HKEY_CLASSES_ROOT\.mp3 to mp3file
 HKEY_CLASSES_ROOT\.vqf to empty
 HKEY_CLASSES_ROOT\.doc to word.document.8 or wordpad.document.1
 HKEY_CLASSES_ROOT\.xls to excel.sheet.8
 HKEY_CLASSES_ROOT\.zip to winzip
 HKEY_CLASSES_ROOT\.rar to winrar
 HKEY_CLASSES_ROOT\.arj to archivefile or winzip
 HKEY_CLASSES_ROOT\.reg to regfile
 HKEY_CLASSES_ROOT\.exe to exefile
tries to delete file
 c:\windows\sysrnj.exe

I-Worm.Navidad
--------------
 If the program finds the HKEY_CURRENT_USER\Software\Navidad,
HKEY_CURRENT_USER\Software\xxxxmas or HKEY_CURRENT_USER\Software\Emanuel key
in the registry, it:
deletes registry keys
 HKEY_CURRENT_USER\Software\Navidad
 HKEY_CURRENT_USER\Software\xxxxmas
 HKEY_CURRENT_USER\Software\Emanuel
 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   Win32BaseServiceMOD
repairs registry key to default value
 HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
tries to delete files
 winsvrc.vxd
 winfile.vxd
 wintask.exe

I-Worm.Sircam
-------------
 If the program finds the HKEY_LOCAL_MACHINE\Software\SirCam key in the registry,
"@win \recycled\sirc32.exe" in autoexec.bat, or \windows\run32.exe and
\windows\rundll32.exe that were created with Delphi, it:
deletes registry keys
 HKEY_LOCAL_MACHINE\Software\SirCam
 Software\Microsoft\Windows\CurrentVersion\RunServices
   Driver32
repairs registry key to default value
 HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
tries to delete files
 %Windows drive%:\RECYCLED\SirC32.exe
 %Windows directory%\ScMx32.exe
 %Windows system directory%\SCam32.exe
 %Windows startup directory%\"Microsoft Internet Office.exe"
 %Windows drive%:\windows\rundll32.exe
tries to rename file
 %Windows drive%:\windows\Run32.exe to
   %Windows drive%:\windows\RunDll32.exe
tries to repair file
 autoexec.bat

 If the program cannot delete or rename a file (it may be in use at that
moment), it queues the file for deletion or renaming during the boot process
and offers to reboot the system.

I-Worm.Goner
------------
 If a gone.scr process exists in memory, the program will try to stop it.
 If the file %Windows system directory%\gone.scr exists on the hard drive,
the program will try to delete it.
 If the program finds a %Windows system directory%\gone.scr key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the system
registry, it will delete this key.

I-Worm.Klez.a, I-Worm.Klez.e, I-Worm.Klez.f, I-Worm.Klez.h
----------------------------------------------------------
 If the program finds the following processes in memory:
  Krn132.exe
  WQK.exe
or any processes infected by I-Worm.Klez.e, I-Worm.Klez.f, I-Worm.Klez.h or
I-Worm.Klez.a, it will stop them, delete their files from the hard drive and
remove the links to their files from the system registry.
 If the program finds that the WQK.DLL library has been loaded by any process,
it will rename the library file and remove it after the system reboot. If the
program finds such a library in memory on your PC, you should reboot your PC
when the program finishes and start it a second time after the reboot to clean
your system registry.
 If the program finds any infected processes in memory, it will start a scan of
your hard drive (and all mapped network drives if you specify /netscan on the
command line). It will check only for I-Worm.Klez.e, I-Worm.Klez.f,
I-Worm.Klez.h and I-Worm.Klez.a infection.
 If you specify the /scanfiles key on the command line, the program will scan
your hard drive (and all mapped network drives if you specify /netscan) in all
cases.
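The registry work the readme describes (marker keys, the exefile open command, Run/RunServices entries, file-association defaults) can be checked offline against an export made with regedit /e, without running anything on the suspect machine. The script below is an example added here; it is not Kaspersky's tool and is not part of the original post. It uses only the key, value and file names quoted in the readme. Its own assumptions are: the hive for the Run/RunServices lookups (the readme gives none, so both HKLM and HKCU are searched), treating the readme's Krn132.exe and WQK.exe as names to look for in autostart entries, and the SAMPLE_REG dump, which is constructed rather than captured from an infected PC.

```python
"""Offline check of a Registry Editor (.reg) export for the persistence
indicators in the KLEZTOOL readme above.  Added example for this page, not
Kaspersky's code; SAMPLE_REG is a constructed dump, not a real capture."""
import re

# Keys whose presence the readme treats as proof of infection.
MARKER_KEYS = {r"HKEY_CLASSES_ROOT\rnjfile": "I-Worm.BleBla.b",
               r"HKEY_LOCAL_MACHINE\Software\SirCam": "I-Worm.Sircam",
               r"HKEY_CURRENT_USER\Software\Navidad": "I-Worm.Navidad",
               r"HKEY_CURRENT_USER\Software\xxxxmas": "I-Worm.Navidad",
               r"HKEY_CURRENT_USER\Software\Emanuel": "I-Worm.Navidad"}
# Autostart value names the readme deletes (it names no hive, so both HKLM and
# HKCU are searched here: an assumption) and worm file names it lists.
AUTOSTART_NAMES = {"win32baseservicemod": "I-Worm.Navidad", "driver32": "I-Worm.Sircam"}
AUTOSTART_FILES = {"gone.scr": "I-Worm.Goner", "krn132.exe": "I-Worm.Klez", "wqk.exe": "I-Worm.Klez"}
# Defaults the readme restores for extensions BleBla.b tampers with ("empty" =
# cleared).  A legitimate third-party handler also shows up as a deviation, so
# treat these findings as leads to review, not verdicts.
ASSOC_DEFAULTS = {
    ".jpg": {"jpegfile"}, ".jpeg": {"jpegfile"}, ".jpe": {"jpegfile"},
    ".bmp": {"paint.picture"}, ".gif": {"giffile"}, ".avi": {"avifile"},
    ".mpg": {"mpegfile"}, ".mpeg": {"mpegfile"}, ".mp2": {"mpegfile"},
    ".wmf": {""}, ".wma": {"wmafile"}, ".wmv": {"wmvfile"}, ".mp3": {"mp3file"},
    ".vqf": {""}, ".doc": {"word.document.8", "wordpad.document.1"},
    ".xls": {"excel.sheet.8"}, ".zip": {"winzip"}, ".rar": {"winrar"},
    ".arj": {"archivefile", "winzip"}, ".reg": {"regfile"}, ".exe": {"exefile"},
}
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE_CMD = '"%1" %*'   # the value Navidad and Sircam both overwrite
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):   # .reg strings escape backslash and quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}, paths and names lower-cased (the
    registry is case-insensitive), '' for the default value.  Only "..." data
    is unescaped; dword:/hex: data is kept raw and continuation lines skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:                       # header, comment, blank, continuation
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return a sorted list of (worm, detail) findings for a parsed export."""
    found = []
    for path, worm in MARKER_KEYS.items():
        if path.lower() in keys:
            found.append((worm, "marker key present: " + path))
    cmd = keys.get(EXEFILE_CMD, {}).get("")
    if cmd is not None and cmd != CLEAN_EXEFILE_CMD:
        found.append(("I-Worm.Navidad/I-Worm.Sircam",
                      "exefile open command is %r, expected %r" % (cmd, CLEAN_EXEFILE_CMD)))
    for hive in ("hkey_local_machine", "hkey_current_user"):
        for sub in ("run", "runservices"):
            path = "%s\\software\\microsoft\\windows\\currentversion\\%s" % (hive, sub)
            for name, data in keys.get(path, {}).items():
                if name in AUTOSTART_NAMES:
                    found.append((AUTOSTART_NAMES[name], "autostart value %s in %s" % (name, path)))
                for fname, worm in AUTOSTART_FILES.items():
                    if fname in (name + " " + data).lower():
                        found.append((worm, "autostart entry names %s: %s=%s" % (fname, name, data)))
    for ext, ok in ASSOC_DEFAULTS.items():
        default = keys.get("hkey_classes_root\\" + ext, {}).get("")
        if default is not None and default.lower() not in ok:
            found.append(("I-Worm.BleBla.b?", "%s default is %r, readme restores %s"
                          % (ext, default, "/".join(sorted(ok)) or "(empty)")))
    return sorted(found)


# Constructed sample: Sircam-style exefile hijack and RunServices entry, a Goner
# Run entry beside a benign one, the BleBla.b key and one re-pointed extension.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\RECYCLED\\SirC32.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\SYSTEM\\gone.scr"="C:\\WINDOWS\\SYSTEM\\gone.scr"
"Notepad"="C:\\WINDOWS\\notepad.exe"
[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"
[HKEY_CLASSES_ROOT\rnjfile]
@="RNJ File"
'''

if __name__ == "__main__":
    for worm, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print("%-28s %s" % (worm, detail))
```

To use it on a real machine, export with regedit /e klez.reg (or one hive, e.g. regedit /e hkcr.reg HKEY_CLASSES_ROOT), read the file (Registry Editor 5.00 exports are UTF-16 with a byte-order mark, so open them with encoding="utf-16"; REGEDIT4 exports are ANSI) and pass the text to parse_reg. An ASSOC_DEFAULTS mismatch only says the handler differs from the one the readme restores, and a third-party viewer will trigger it as well, which is why the tool itself keys off the rnjfile marker key before touching any association.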
