Product Support Services - Moderate Security Alert - Virus Alert: Klez-E 
Author Message
 Product Support Services - Moderate Security Alert - Virus Alert: Klez-E

PSS Security Response Team Alert - Virus Alert: Klez-E

SEVERITY: MODERATE REACTIVE

DATE: 1/17/2002

PRODUCTS AFFECTED: Outlook 2000 pre-SR1, Outlook Express, Web-Based Email

**********************************************************************

WHAT IS IT?  Klez is a mass-mailing e-mail worm virus that copies itself to
network shares and distributes itself to all address book entries in the
Outlook Address Book of affected computers.  Klez uses a vulnerability that
is patched by MS01-027 to automatically launch without prompting when a user
opens or previews the message.  Klez also drops another virus as its
payload.

IMPACT OF ATTACK:  Deletion of program files, mass mailing, and additional
virus payload infection.

TECHNICAL DETAILS:

The e-mail message that carries Klez arrives with a standard subject line
that is either randomly chosen by the virus from a list that it maintains or
is completely random. The text that the virus inserts in the message can
also be random.  The attachment file type is randomly chosen from the
following list of file types:

.pif, .scr, .exe or .bat

Klez will attempt to delete certain files that are associated with antivirus
programs, copy itself to network shares, and mass mail itself to all entries
in the Outlook Address Book.  Klez makes use of a product vulnerability
(that is fixed by MS01-027) to automatically launch when the e-mail message
is opened or previewed.

It will also drop an additional virus payload known as El-Kern-B. This virus
is believed to be a variant of the El-Kern-A virus.  This virus has the
following behavior: infection over a LAN or other network, and overwriting
contents of files on an infected computer to make Windows and some programs
unable to run. It is possibly triggered on a certain date or when you
restart your computer.

Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION:

If you are using Outlook 2000 pre-SR1, you should install the Outlook E-mail
Security Update by using the link that is provided later in this alert, to
prevent this and the majority of other e-mail-borne viruses from running.
Outlook 2000 post-SR1 and Outlook XP already contain the functionality that
is contained in the Outlook E-mail Security Update.

http://www.*-*-*.com/

You should also apply the patch for MS01-027 by using the link that is
provided later in this alert, if you are using Internet Explorer 5.01 SP1 or
Internet Explorer 5.5 SP1.

Home Users/Consumers should visit http://www.*-*-*.com/ to
update their computers, and should download the Outlook E-mail Security
Update if they are using Outlook 2000 pre-SR1 or Outlook 98.

http://www.*-*-*.com/

RECOVERY:

If your computer is infected with this virus, update your virus signature
files to detect and remove the virus, and then follow your antivirus vendor'
s instructions for removal. Reinstallation of Windows or some programs,
including antivirus software, may be necessary.

RELATED KB'S:

http://www.*-*-*.com/ ;EN-US;q316658

RELATED MICROSOFT SECURITY BULLETINS:

http://www.*-*-*.com/

As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your Microsoft
representative or 1-866-727-7338 (1-866-PCSafety) within the US, outside of
the US please contact your local Microsoft Subsidiary.

PSS Security Response Team

--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.



Tue, 06 Jul 2004 22:21:27 GMT  
 
 [ 1 post ] 

 Relevant Pages 

1. Premier - Product Support Services - Moderate Security Alert - Virus: Gigger/JS.Gigger.A@mm

2. Product Support Services - Moderate Security Alert - Virus: W32.Myparty@mm

3. PSS Moderate Security Alert - New Worm: W32.Fizzer.A@mm

4. Virus Alert -- bogus Microsoft Security Patch [hd_const@cox.net]

5. Klez F alert.

6. New Security Alert from Microsoft

7. PSS Security Alert - W32/Palyh@MM

8. PSS Security Alert - JS/Exploit-Messenger

9. EMAIL VIRUS ALERT

10. Virus Alert

11. Virus alert

12. Virus alert - I just got 3 mails w/ this, norton caught it

 

 
Powered by phpBB® Forum Software