Virus Attack

ken008

Senior member
Mar 29, 2002
532
0
0
I noticed a lot of activity on my modem connection this morning. It was sending and receiving constantly. I shut down internet connection sharing on my network. It continued. I then shut down all running programs one by one until I had the bare minimum. The activity continued. I installed Norton and scanned for viruses, nothing found but the activity continued. I updated the virus definitions then scanned, it found five infected files. I quarantined them and everything is cool so far. These viruses were set to go off yesterday I think. You guys might want to run a scan with the latest definitions. Anyone else finding any? Edit: It found five files with W32KLEZ.H@MM and one with W32 OPASERV E WORM. Can these spread through a network?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I have a work fleet of about 75 systems, haven't had any tip up there. DATs are checked hourly, HDDs are scanned daily.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Ken, do you know what virus it was?
 

Robor

Elite Member
Oct 9, 1999
16,979
0
76
I was off today but a friend told me a guy at my site ran some "greeting card" virus. He prevented it from spreading but didn't do the total removal. I'll know more tomorrow morning.
 

RemyCanad

Golden Member
Sep 28, 2001
1,849
0
0
The Klez worm sends e-mails to all the people in your address book. Our school had a run-in with the virus and it was a pain. By the time they finally told me it was there and they wanted it removed it had spread to almost every machine. Well, let's just say now all the machines have antivirus and run daily scans. Well, that is the PCs; the Macs had no problems.
 

Robor

Elite Member
Oct 9, 1999
16,979
0
76
Originally posted by: RemyCanad
The Klez worm sends e-mails to all the people in your address book. Our school had a run-in with the virus and it was a pain. By the time they finally told me it was there and they wanted it removed it had spread to almost every machine. Well, let's just say now all the machines have antivirus and run daily scans. Well, that is the PCs; the Macs had no problems.
Of course the Macs had no problems. How many viruses are written to target Macs? Very few. Why? They're a *very* small overall percentage.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Sounds like the "worm-that-isn't-a-worm" described here. I take back what I said, we did have one person open one of these greeting card things.

Supposedly they're not a real worm, you have to agree to the EULA in which you explicitly grant permission for the blasted thing to email all your contacts. How it proceeds from the original person who agrees to the EULA isn't quite clear, but my user said all he did was open the email sent to him, and McAfee started prompting him: "A program is trying to send email, do you want to allow it?" and he kept saying No, No, No, No to the dialogue boxes. I really need to get ePolicy Orchestrator to work, so I can add the various URLs to the blocked-URL list (we don't have a proxy to intercept that stuff).
 

Robor

Elite Member
Oct 9, 1999
16,979
0
76
My co-worker told me the same. Sounds like the guy where I work infected himself despite answering yes to several "are you a dumbass?" prompts. I understand that not everyone is a computer expert but how important is that greeting card?


/me sighs and considers this job security in an un-jobsecure world.
 

ken008

Senior member
Mar 29, 2002
532
0
0
I remember a scenario like that. I responded to a porn email and the next thing I knew dozens of windows opened. Can't kill them fast enough. Must use Ctrl-Alt-Del to get to them. And that is on dialup. In my flurry to kill I may have said yes to one of these. I am at home though. I am permitted. I got it backwards in my first post: 5 worms, 1 KLEZ. Honest, I will send them to you if you don't believe me to prove it.
 

RaySun2Be

Lifer
Oct 10, 1999
16,565
6
71
Ken008, no need to send them to me, I believe you. I worked on a friend's PC last week infected by the Klez virus. They were complaining that they were getting tons of undeliverable email messages and they hadn't sent them out. And their ISP connection blocks porn sites, so it had to be a card greeting email. :|

They had Norton anti-virus, but they never subscribed for the updates, so it was way out of date. Plus Klez had disabled it from running.

I downloaded the FIXKLEZ.EXE from Symantec support, cleaned out Klez, uninstalled Norton, installed AVG anti-virus, updated the virus definitions, and ran a full scan, to make sure the PC was clean.

IIRC, they had 33 files infected with the Klez virus.

I've got a CD burned with all the Symantec virus cleaner programs they have, and there are quite a few.

I always recommend updating the anti-virus files before running a full scan if one hasn't done so in awhile.
 

ken008

Senior member
Mar 29, 2002
532
0
0
Did these messages show up in Outlook sent messages? I have none. Or they just steal the addresses?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
They steal the email addresses but use their own SMTP engine, IIRC. Your Outlook's Sent Items folder is probably not going to show them. Doesn't that make you " :| "?! Sneaky underhanded ways to get email addys to sell, is my guess as to their real motive. Spam is the work of the devil, I tell ya!
 

ken008

Senior member
Mar 29, 2002
532
0
0
The really sad part is that with a firewall and antivirus running this rig is pretty worthless for D2OL. SETI maybe. Have to dedicate a rig just for security.
 

ken008

Senior member
Mar 29, 2002
532
0
0
Sounds a lot like a chain letter scam. Are they using my bandwidth to send these letters?
 

Eponymous

Golden Member
Jun 7, 2001
1,186
0
0
How can you tell if Norton has been disabled?

Is it obvious, like it isn't running any more, or subtle like the icon is there and it says its working but doesn't really...

Do I need to download something to check it?

 

RaySun2Be

Lifer
Oct 10, 1999
16,565
6
71
Originally posted by: Eponymous
How can you tell if Norton has been disabled?

Is it obvious, like it isn't running any more, or subtle like the icon is there and it says its working but doesn't really...

Do I need to download something to check it?

IIRC, trying to scan the HD with Norton wouldn't run, some message about (core1) being missing. AVG installed showed in the systray, but certain features were disabled, and when you enabled them, they would be disabled again. And the scan aborted with a (core3) not found message.

I had to boot into safe mode and run the FIXKLEZ.EXE program from Symantec to clean out the virus, then install AVG and update the anti-virus files.

You can get Symantec's Virus Removal Tools HERE

I knew the PC was at least infected with the KLEZ virus, because they had gotten a response email from yahoo, or someone that stated the email sent was infected with the KLEZ virus.
 

LANMAN

Platinum Member
Oct 10, 1999
2,897
128
106
Norton Corporate baby!!! Oh.. ya...

Definitions daily, and systems scans every 24 hours.


Ken008,

Ever thought of upgrading to Norton 2003 with the auto-update function?

--LANMAN
 

RaySun2Be

Lifer
Oct 10, 1999
16,565
6
71
Lanman, I agree, Norton Corporate is an excellent product. You can manage all the desktops from the server, from installs to scans, and you can lock the user out from messing with the settings.

However, most of us don't have the $$ to afford it for home use.



I stopped using McAfee and Norton when they went to a subscriber basis to get virus update files, and I've been using the free version of AVG ever since, with good results.
 

Robor

Elite Member
Oct 9, 1999
16,979
0
76
The virus I had to deal with was "W32.Friendgreet.worm". You can find more about it HERE. Lots of safe mode and registry delete fun!

Notice that the 2 "accept license agreements" state exactly what the worm will do? Yet the user *still* allowed it to happen!
I said it before and I'll say it again... Job security!
 

Assimilator1

Elite Member
Nov 4, 1999
24,125
508
126
ken008,
For info about the OPASERV virus go here.
And yes, it does spread via networks.
1 PC at my place has it (the user reported it to the help desk over a week ago & they said keep using it for now until they sort it out! He's still got it! :disgust: ). Of course I could have fixed it myself back then but it's not my job (I'm the mechanic there).
 

Wiz

Diamond Member
Feb 5, 2000
6,459
16
81
KLEZ searches for valid addresses on your system and sends itself out FROM one of those addresses TO other valid addresses.
So it spoofs the FROM address and tries to send itself through that person's SMTP server.
I could show you hundreds of these blocked every day on my email server where someone infected is trying to send out KLEZ as though they were me.
The telltale is that even though it says it is coming from my email address the IP address it is coming from is not mine.
This worm has spread amazingly and very successfully, it does not leave much of a trail of itself on the infected computer but you will notice a lot of bandwidth being used while you are not doing anything.
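The telltale Wiz describes above (a message that claims to be FROM one of your own addresses but arrives from an IP address that is not yours) is easy to check automatically at the receiving mail server, and it also covers mechBgon's point that the worm uses its own SMTP engine rather than Outlook, so the only trace is on the server side, not in Sent Items. The script below is an added example, not code from anyone in this thread: the log line format, the domain example.com and the IP ranges are all constructed assumptions, and the sample log is made up for illustration.

```python
"""Flag mail that claims our domain in FROM but comes from a foreign IP.

Added example, not from the forum thread. The log format, the domain
example.com and the network ranges below are assumptions; the sample
log lines are constructed for this illustration.
"""
import ipaddress
import re
from typing import Dict, List

# Assumption: our mail domain and the networks our legitimate senders use.
OUR_DOMAIN = "example.com"
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("192.0.2.0/24")]

# Constructed log lines: "<timestamp> client=<ip> from=<addr> to=<addr> subject=<text>"
SAMPLE_LOG = """\
2002-11-01T08:02:11 client=203.0.113.10 from=wiz@example.com to=ken@example.org subject=Re: modem activity
2002-11-01T08:03:45 client=198.51.100.77 from=wiz@example.com to=bob@example.net subject=hello
2002-11-01T08:04:02 client=198.51.100.77 from=wiz@example.com to=carol@example.net subject=your account
2002-11-01T08:05:30 client=192.0.2.8 from=alice@example.com to=dave@example.org subject=lunch
2002-11-01T08:06:12 client=198.51.100.90 from=someone@othersite.example to=wiz@example.com subject=hi
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) from=(?P<from>\S+) to=(?P<to>\S+) subject=(?P<subject>.*)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def is_our_ip(ip: str) -> bool:
    """True if the client address falls inside one of our own networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as not ours
    return any(addr in net for net in OUR_NETWORKS)


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    return addr.rpartition("@")[2].lower()


def find_spoofed(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose FROM is in our domain but whose client IP is not ours."""
    return [r for r in records
            if sender_domain(r["from"]) == OUR_DOMAIN and not is_our_ip(r["ip"])]


def spoofed_sources(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count spoofed hits per client IP; one infected host typically produces a burst."""
    counts: Dict[str, int] = {}
    for r in find_spoofed(records):
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in find_spoofed(recs):
        print(f"{r['ts']} spoofed sender {r['from']} from {r['ip']} -> {r['to']}")
    print("per-source counts:", spoofed_sources(recs))
```

Only the two messages from 198.51.100.77 are flagged: they claim wiz@example.com but arrive from outside our ranges. The message from othersite.example is left alone because it does not claim our domain, and the two from 203.0.113.10 and 192.0.2.8 are legitimate. Grouping by client IP gives you the address to report to the other side's ISP or to rate-limit, which is the practical follow-up to spotting the spoof.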
 