Virus Alert

Beth

New Member
Klez worm may be a job request from a Chinese programmer


Message contained within the worm itself says "now you have seen my technical abilities" then asks for help supporting the author's family.

The Klez worm appears to come from Asia, possibly the Guangdong province of China where Code Red is thought to have originated, and carries a plea directed at the IT community--the virus writer appears to be soliciting a job. This unsophisticated worm comes bundled with a minor Windows 98 and Me infector virus called ElKern (w95.elkern.cav). Klez (w32.klez@mm) is just an e-mail annoyance and is not known to damage files on an infected system, so it ranks a 4 on the ZDNet Virus Meter.

How it works
Klez arrives as e-mail from multiple senders, with multiple subject lines. Known senders include:


Known subject lines include:


Hello
How are you?
Can you help me?
We want peace
Where will you go?
Congratulations
Don't cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger

The body text of Klez is an appeal from the virus writer:


I'm sorry to do so, but it's helpless to say sorry. I want a good job, I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names, I have no hostility. Can you help me?

Klez includes an attachment that has a random filename.

This worm is able to launch itself automatically on some systems using Outlook and Internet Explorer 5.0 or 5.01. Klez takes advantage of the Incorrect MIME Header vulnerability, which Microsoft patched last spring. Users who have not downloaded the patch or upgraded to a more recent version of Internet Explorer should do so.

If the recipient opens the attached file, Klez makes copies of itself with a double extension, such as .txt.exe, in root directories of local and network drives.

Removal
Almost all the antivirus software companies have updated their signature files to include this worm. For more information on removing Klez from your system, see F-Secure, McAfee, Sophos, and Trend Micro.
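
Added example (not part of the original post or the article it quotes): a mail-gateway triage check built from the traits listed above, namely the known subject lines and an attachment with a double extension such as .txt.exe. The executable-extension set and the declared-type mismatch check are assumptions added here as general heuristics; the alert does not describe the malformed MIME header itself, and the sample message is constructed.

```python
import email
import os
import re
from email import policy

# Subject lines quoted in the alert, lower-cased for comparison.
KLEZ_SUBJECTS = {s.lower() for s in (
    "Hello", "How are you?", "Can you help me?", "We want peace",
    "Where will you go?", "Congratulations", "Don't cry",
    "Look at the pretty", "Some advice on your shortcoming",
    "Free XXX Pictures", "A free hot porn site",
    "Why don't you reply to me?",
    "How about have dinner with me together?", "Never kiss a stranger",
)}
# Assumption: extensions treated as directly executable on Windows.
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}
# A short "document" extension followed by an executable one (.txt.exe).
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(?:exe|scr|pif|bat|com)$", re.I)
# Assumption: media types that should never carry an executable name.
PASSIVE_TYPES = ("audio", "image", "video", "text")

def triage(raw: bytes) -> list:
    """Return the findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if str(msg["Subject"] or "").strip().lower() in KLEZ_SUBJECTS:
        findings.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # not an attachment
        ext = os.path.splitext(name)[1].lower()
        if DOUBLE_EXT.search(name):
            findings.append("double-extension:" + name)
        elif ext in EXEC_EXTS:
            findings.append("executable:" + name)
        # Heuristic: executable filename declared as a passive media type.
        if ext in EXEC_EXTS and part.get_content_maintype() in PASSIVE_TYPES:
            findings.append("type-mismatch:" + part.get_content_type())
    return findings

# Constructed sample message (not a captured Klez e-mail).
SAMPLE = (
    b'Subject: How are you?\nMIME-Version: 1.0\n'
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b'--b1\nContent-Type: text/plain\n\nconstructed body\n'
    b'--b1\nContent-Type: audio/x-wav\n'
    b'Content-Disposition: attachment; filename="notes.txt.exe"\n\n'
    b'constructed bytes\n--b1--\n'
)
print(triage(SAMPLE))
```

A subject match on its own is weak evidence, since lines such as "Hello" are common in legitimate mail; treat it as corroboration for an attachment finding rather than a reason to quarantine.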
 
