Klez.H virus

More Information:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
Win32.Klez.H is a mass-mailing, network-aware worm that spreads by using SMTP and by taking advantage of open network shares. In addition, it drops a polymorphic file infector virus into the Program Files directory. The body of the message may be constructed from a list of phrases inside the virus. Each message contains HTML code which exploits the "Incorrect MIME Header" vulnerability in Internet Explorer, Outlook and Outlook Express. If successful, the e-mail attachment will be opened on viewing the message, without the user's knowledge.

For more information on this vulnerability, see:
http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
The attachment names vary as they are randomly generated; for more information, see the Technical Details.

Attachment extensions:
.exe
.scr
.pif
.bat
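As an added example (not part of the Symantec advisory), the following Python scans a message for the two delivery traits described above: an attachment carrying one of the listed executable extensions, and a MIME part whose declared Content-Type does not match that executable filename, the kind of declared-type/extension mismatch the MS01-020 bulletin concerns. The sample message, its addresses and the attachment name are constructed placeholders, not real indicators.

```python
import email
from email import policy

# Attachment extensions listed in the advisory above.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")

# Constructed sample modelled on the advisory's description. Addresses,
# subject and filename are invented placeholders, not real indicators.
SAMPLE_EML = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>hello</body></html>
--b1
Content-Type: audio/x-wav; name="Lh7Kq.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="Lh7Kq.exe"

QUJD
--b1--
"""


def find_suspicious_parts(raw: bytes) -> list:
    """One finding per MIME part whose filename has an executable extension,
    recording the declared Content-Type and whether it disagrees with it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if not name.endswith(EXECUTABLE_EXTENSIONS):
            continue
        ctype = part.get_content_type()
        findings.append({
            "filename": name,
            "content_type": ctype,
            # A part named *.exe but declared as e.g. audio/x-wav is the
            # declared-type/extension mismatch to flag.
            "type_mismatch": not ctype.startswith("application/"),
        })
    return findings
```

Run against a real mailbox by feeding each message's raw bytes to `find_suspicious_parts`; an empty list means no part matched the extension list.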
Klez.H uses a variety of Subject lines that can include a number of words and phrases; please refer to the Technical Details. The Subject line may also include the name of the recipient. The message body can be randomly constructed or in some cases left empty. For a sample list that contains words and phrases that may be used to construct the message body, please refer to the Technical Details.
Klez.H may use address 'spoofing' to make the e-mail it sends appear as if it has come from another machine. It uses addresses that it locates on the infected system to display in the "From" line of the e-mail. Further information may be obtained from the Technical Details.
Removal tool:
Symantec has provided a tool to remove infections of all known variants of W32.Klez and W32.ElKern. This is the easiest way to remove these threats and should be tried first.