Posted by John Biggers on 1/18/2003, 4:15 pm

The computer virus WORM_KLEZ.H and WORM_KLEZ.E activity has seemed to me to be fairly heavy recently. This description of the virus comes from Trend Micro:

This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP to propagate via email. The subject line of the email it arrives with is randomly selected from a list of possible choices.

Upon execution, it drops files and creates an entry in the AutoRun key of the system registry and then infects .EXE files. It encrypts (compresses) its target files and then modifies the file extension of these with a random name. It also sets the attributes of its encrypted files to Read-only, Hidden, System, and Archive.

Thereafter, this worm copies itself to the original file name of the infected file. This worm makes sure that its file size is the same as that of the infected file. To do this, it pads garbage data at the end of the infected file.

It does not perform its antivirus retaliation routine on machines running Windows NT 4.0 or lower. Windows NT 4.0 or lower do not have system functions or the Application Program Interface (API) that this worm uses to kill antivirus-related processes.

So if your anti-virus software is not up-to-date, I really suggest going to the homepage of your antivirus software maker and getting an update.

John
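Added example, not part of the original post or of Trend Micro's write-up: a triage heuristic built on the file-infection behaviour described above. It flags an .EXE that has a same-named sibling with a different extension carrying all four attributes (Read-only, Hidden, System, Archive). The pairing rule, the function names and the sample listing are assumptions constructed for illustration.

```python
import os
import stat
from collections import defaultdict
from pathlib import PureWindowsPath

# The four attributes the description says are set on the encrypted originals.
RHSA = (stat.FILE_ATTRIBUTE_READONLY | stat.FILE_ATTRIBUTE_HIDDEN
        | stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_ARCHIVE)

def find_companion_pairs(listing):
    """listing: iterable of (path, attribute_bitmask) tuples.
    Returns sorted (exe_path, hidden_sibling_path) pairs worth inspecting."""
    by_stem = defaultdict(list)
    for path, attrs in listing:
        p = PureWindowsPath(path)
        # Windows names are case-insensitive, so group on lowercased dir + stem.
        by_stem[(str(p.parent).lower(), p.stem.lower())].append((p, attrs))
    pairs = []
    for entries in by_stem.values():
        exes = [p for p, _ in entries if p.suffix.lower() == ".exe"]
        hidden = [p for p, a in entries
                  if p.suffix.lower() != ".exe" and (a & RHSA) == RHSA]
        pairs.extend((str(e), str(h)) for e in exes for h in hidden)
    return sorted(pairs)

def scan_directory(root):
    """Live scan; st_file_attributes only exists on Windows."""
    listing = []
    for folder, _, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                listing.append((full, os.lstat(full).st_file_attributes))
            except OSError:
                continue  # unreadable entry: skip it, keep scanning
    return find_companion_pairs(listing)

A = stat.FILE_ATTRIBUTE_ARCHIVE
# Constructed sample listing (not real scan output).
SAMPLE = [
    (r"C:\Program Files\App\app.exe", A),
    (r"C:\Program Files\App\app.qzx", RHSA),   # all four set, random extension
    (r"C:\Program Files\App\readme.txt", A),
    (r"C:\Tools\util.exe", A),
    (r"C:\Tools\util.dat", stat.FILE_ATTRIBUTE_HIDDEN | A),  # only two set
    (r"C:\Windows\system.ini", RHSA),          # no .exe sibling
]

if __name__ == "__main__":
    for exe, sibling in find_companion_pairs(SAMPLE):
        print(f"inspect: {exe}  <->  {sibling}")
```

A hit only marks a file pair for inspection with an up-to-date scanner; legitimate software can produce the same pattern.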