Arg. 'klez' worm.
Merkaba
Digital Harmony | Join Date: 2002-01-24 | Member: 22 | Members, Retired Developer, NS1 Playtester
in Off-Topic
Some ###### has sent me a Klez Worm via E-Mail and now I can't get rid of the affected file, 'Winkgz.exe' in WINNT/System32/. Windows prevents me from touching it, and the task manager says it's always in operation (and I can't end the process either.)
I have a trojan cleaner, 'The Cleaner 3.5', but that does jack ####. It SAYS it cleans the file but it really can't touch the thing. I can't do anything about this file whilst windows is operating, it seems...yet it's the only OS I have.
How did I get this worm you ask? Bloody Outlook Express took it upon itself to download and run ####### attached .txt files, and I can't find an option anywhere to tell it NOT to...I'm guessing this is a fault in this Outlook version, and I should check for windows updates. (Thus meaning having to set aside 8 hours of time so that it can download the updates on my crappy connection.)
This is really bugging me. The only noticeable change so far is that it seemed to delete my trillian.exe, and now Trillian won't even run at all, even after reinstalling it.
Am I doomed?
Comments
Any idea why Outlook Express would do that? It's never done it to me before, and I've had plenty of trojan mails before - I've just never downloaded them. Suddenly Outlook Express seems to do it automatically.
Also, is there any way to see how much damage the worm might have caused? Or shall I just have to find out the hard way?
Klez Removal: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
Download the util, follow the steps they outline to make sure you are really getting all traces removed. Once cleaned, you may need to reinstall some things, but we'll use the klez log to determine what.
(Edited by MonsieurEvil, Oct. 14 2002, 11:33)
Learn to fix the problem, not just throw up your hands and surrender.
Guy 1: 'Hey, my car's muffler has a leak.'
Guy 2: 'D0000ddd, mufflers always leak and suck and break. They never work right. You should get a hang glider!!!'
Then if you have IE6 (and hence Outlook Express 6), go to Tools->Options...->Security Tab and check "Do not allow attachments to be saved or opened that could potentially be a virus." This makes it so IE will not open attachments with most extensions (including .zip). When you are expecting an attachment then just come back here and uncheck it to let Outlook let you have it. Also you prolly wanna make sure the Zone is set to Restricted while you are on this tab.
Also, and this is just something that I do, unless I am expecting an attachment from someone, every time I get an email with a paperclip icon (that means it has an attachment) I right click on the message and go to Properties->Details tab and click "Message Source..." This brings up a notepad-like window where you view the raw ASCII of the email, headers and all. Most of it is garbage that won't mean a thing to you, but you can read the contents of the mail without any worry of a virus, and more importantly, you can scroll down to where the attachment starts and you can see the filename of the attachment without ever opening the thing. If it looks suspicious, delete the message w/o ever opening it. Better to err on the side of precaution I say...
Good luck to you in ridding your computer of the hax0rs. And if worse comes to worse, don't forget, almost nobody programs viruses anymore that a good old FDISK won't cure :P
(Edited by DOOManiac, Oct. 14 2002, 20:13)
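The "Message Source..." check described in the post above, done in code as an added example (not from the thread or any product it mentions): parse the raw message, read the attachment filenames from the MIME headers only, and flag names with an executable or double extension without ever decoding or saving the payload. The sample message and the extension list are constructed for this example.

```python
"""List attachment names from raw e-mail source without opening the attachments."""
import email
from email import policy

# Constructed sample of what "Message Source..." shows: headers plus MIME parts.
# Not a real captured mail; the base64 payload is a harmless stub and is never decoded.
RAW_MESSAGE = b"""From: someone@example.invalid
To: you@example.invalid
Subject: a funny file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

see attached
--BOUND
Content-Type: application/octet-stream; name="notes.txt.exe"
Content-Disposition: attachment; filename="notes.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUND
Content-Type: text/plain; name="readme.txt"
Content-Disposition: attachment; filename="readme.txt"

plain text
--BOUND--
"""

# Extensions Windows runs directly; a mail attachment ending in one of these
# should never be opened from the mail client. (Assumed list for this example.)
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}

def list_attachments(raw: bytes):
    """Return [(filename, content_type, reasons)] for each attachment part.
    Only headers are inspected; the payload is never decoded or written out."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension")
            if "." in lower[:-len(ext)]:       # e.g. notes.txt.exe
                reasons.append("double extension")
        results.append((name, part.get_content_type(), reasons))
    return results

if __name__ == "__main__":
    for name, ctype, reasons in list_attachments(RAW_MESSAGE):
        print(f"{'SUSPICIOUS' if reasons else 'ok':10} {name} ({ctype}) {reasons}")
```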
...Mostly. We've had a Nimda breakout here, at least that's what Norton identifies it as before all of its VXDs get nuked or deleted and the virus inserts itself into the BIOS. Whee, fun. It gets on the bootdisks that we use to kill it, too, so we have to throw them out after using them. It's a monster, and while we can handle it, we're going to throw out a lot of floppy disks.
Apparently, the virus came from a Dell GX110 Faculty Desktop that had it festering on its drive for a year, with the power on but not connected to any network. I guess this kind of behaviour is in the original Nimda code, just under some sort of time-lock.... anyway, if this little bugger shows up around your neck of the woods, unplug your computer's internet connection and you'll save yourself a lot of trouble.
Or use Linux. Nimda doesn't affect Linux.
Seconded. Get a new comp.
J/k
Aaah!
Oh, just a dream...*whew*
Nonsense, nobody is surrendering. Why should I waste my time with a crappy program from a company that just doesn't get how to do things right when superior programs are available for free? I didn't have to "update" my email client with "security fixes" even once because SOME programmers actually think about security issues BEFORE they release a program.
How Viruses Work!: http://www.howstuffworks.com/virus1.htm
And I'm considering ditching my fairly old and oft-broken computer in favour of a small scientific non-programmable Pokémon calculator watch, rather than fixing the machine again. If someone can help me decide between Pikachu and Squirtle, it would be much appreciated.
(Edited by MonsieurEvil, Oct. 17 2002, 11:07)