Off Topic
John Farrington
jfarr at LIVINGSTON.NET
Mon Jul 8 19:17:45 EDT 2002
At 04:19 PM 07/08/2002, K1TLV wrote on the Heath list:
>Since Thursday, 7/4, my Norton Anti-virus has blocked at least 10
>'virus attacks'. Has anyone experienced similar warnings?
>It has been months since any previous attempts.
>
>jd, K1TLV
>
>John Diefenbach, K1TLV
>Mason, NH
Only 10? You must be a recluse.
I don't know if this new (April) worm from Asia is the one you're getting,
but it's called Klez-H (W32/Klez.H@mm) and is a variant of an older
Klez worm; it's spreading rapidly by E-mail or network sharing, as it has
the ability to disable many commercial anti-virus programs. I checked a
friend's PC recently, and there were 65 infected E-mail attachments on it,
all with this new worm, despite the presence of a Norton anti-virus program
which was only 4 months old.
The slimeball who wrote the worm was brazen enough to include a hidden
(does not display on a victim's PC) text file giggling about it in bad
English, which you can read along with a description and illustrations on
F-Secure's site at:
http://www.f-secure.com/v-descs/klez_h.shtml
F-Secure also has a stand-alone downloadable tool which they say will remove
the worm, but I have no idea how well it works.
Various other anti-virus sites have descriptions & removal information on
this worm; Symantec's is at:
<http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.klez.h@mm.html>
They also have a downloadable tool to remove it; you should carefully read
all the instructions (on another page) because it's complicated to remove
manually if the tool doesn't work - you have to locate a bunch of files and
edit the Windows Registry. If some legitimate files were damaged, they have
to be re-installed from your original program CDROMs. If your anti-virus
program was disabled by this worm, then you also have to re-install it and
download the latest updates.
The Sophos site has a somewhat differing write-up, including a section on
the number of anti-virus programs that this Klez worm attempts to disable.
(Their removal method is not a stand-alone - it requires that you have their
a/v program.)
http://www.sophos.com/virusinfo/analyses/w32klezh.html
73
John
-----------------------------------------------------------
This list is a public service of the City of Tempe, Arizona
-----------------------------------------------------------
Subscription control - http://www.tempe.gov/lists/control.asp?list=HEATH
To post - HEATH at LISTSERV.TEMPE.GOV
Archives - http://interactive.tempe.gov/archives/HEATH.html