Virus Alert 

First: those of you who received a message about "jdbgmgr.exe" being a virus on your computer... It is Not!  It is a Hoax!  JDBGMGR.EXE is the Microsoft Debugger Registar for Java.  Yes it uses an icon of a bear!  Norton nor any other virus scan will pick it up....

It is not a virus. Please do not delete this file off your computer!
If you have deleted this file, please check out the following Microsoft link for update:     http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993

IF you think you received a hoax or have a question,  Please check out the following link:   http://www.hoaxbusters.com

Second, There is a serious outbreak of Worm Klez.H Virus!!  Our firewall gets hit daily!

WORM_KLEZ.H
 

Aliases:
W32/Klez-G, I-Worm.Klez.h, I-Worm.W32/Klez.gen@MM, W32.Klez.H@mm

Description:
This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP to propagate via email. The subject line of the email it arrives with is randomly selected from a list of possible choices. See Tech Details for more information.

Upon execution, it drops files and creates an entry in the AutoRun key of the system registry and then infects EXE files. It encrypts (compresses) its target files and then modifies the file extension of these with a random name. It also sets the attributes of its encrypted files to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file.

This worm makes sure that its filesize is the same as that of the infected file. To do this, it pads garbage data at the end of the infected file. It does not perform its Antivirus Retaliation routine on machines running Windows NT 4.0 or lower. Windows NT 4.0 or lower do not have system functions or the Application Program Interface (API) that this worm uses to kill antivirus-related processes.

1. Scan your system with Trend Micro antivirus and delete all files detected as WORM_KLEZ.H. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
2. Since this worm uses a vulnerability in HTTP-based email clients like Microsoft Outlook and Outlook Express, please apply the latest patches as follows:
   • Update to Internet Explorer 5.01 SP2
   • Update to IE 5.5 SP2
   • Update to IE 6.0

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

WORM_KLEZ.H
(see also: description and solution)

Details:
Mass-mailing routine
To propagate copies of itself, this worm uses its own SMTP engine to send an email containing its executable program. It has several ways of collecting its spoofed source email address and target email address.

It randomly chooses its target users from the above pool of email addresses and from the email address that appear in the From field of the email.

Similar to the other KLEZ variants, this worm can change or spoof the original email address in the FROM: field. It obtains the email addresses that it places in the FROM: field from the infected user's address book. This causes a non-infected user to appear as the person who has sent this worm's malicious email. It does this to hide the real sender of the infected email. The actual email address of the sender is found in the Envelope From field. This email address is taken from the email address of the infected user’s SMTP account and this can be found in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts

Since the Envelope From field cannot be found in the email body, the only way to get this information is by monitoring Transmission Control Protocol packets.

The subject of the email it sends is composed in a complex manner.

1. The subject may contain any of the following substrings:

   how are you let's be friends darling so cool a flash,enjoy it Your password honey some questions please try again welcome to my hometown the Garden of Eden introduction on ADSL meeting notice

   questionnaire congratulations sos! japanese girl VS playboy look,my beautiful girl friend eager to see you spice girls' vocal concert japanese lass' sexy pictures Undelivarable mail-“%s” Returned mail-“%s”

   %s is a random string.

2. The subject may also be any of the following:

   a %s %s game a %s %s tool a %s %s Web site

   a %s %s patch %s removal tools

   %s can be any of the following:

   new funny nice humour excite powful WinXP IE 6.0

   W32.Elkern W32.Klez.E Symantec Mcafee F-Secure Sophos Trendmicro Kaspersky

It gathers email addresses from the entries of the default Windows Address Book (WAB). The path and filename of these are identified in the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name = “<file and pathname of the WAB file>

The worm also gathers a list of addresses from the following files that are stored on the infected user’s computer:

Upon execution, this worm decodes its data in the memory. It then copies itself to a WINK*.EXE file in the Windows System directory. The copy has a hidden attribute and the * is a random number of random characters.

It then creates this registry entry so that it executes upon system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Wink*, "wink*.exe"

* is any random number of random characters.

This worm also infects EXE files. To infect, it encrypts (compresses) the target file and then modifies the file extension with a random name. It also modifies the attributes of the file and sets these to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file.

This worm makes sure that its filesize is the same as that of the infected file. To do this, it pads garbage at the end of the infected file.

Similar to WORM_KLEZ.A, this new worm has several threads that accomplish its propagation and payload mechanisms. Its main features are as follows.

 

• Dropping of PE_ELKERN.D
  The worm drops a randomly named file in the ProgramFilesDir (usually C:\Program Files). Approximately 10KB in size, this program can infect files in network shared folders and disable system file protection. It can also infect EXPLORER.EXE in memory. This program is detected as PE_ELKERN.D. Oftentimes, it deletes itself after running.

   

  • Network Infection
    This worm is capable of spreading via shared drives/folders with read/write access. To accomplish this, it enumerates all the shared resources of the network. For shared folders with read/write access, it copies itself to files with randomly generated filenames. The dropped files have the following extensions:

    EXE .PIF COM

    BAT SCR RAR

    Occasionally, this worm copies itself to a random filename double extensions. The first extension name can be any of the following:

    EXE SCR PIF BAT TXT HTM HTML WAB DOC RTF

    XLS JPG CPP C PAS MPG MPEG BAK MP3 PDF

    The second extension can be any of the extension names first listed.

    It then constructs the HTML mail, which contains the base64 encoded worm copy. It randomly generates the filename of the attachment.

    It obtains its SMTP server from the registry as follows:

    HKEY_LOCAL_MACHINE\Software\Microsoft
    Internet Account Manager\Accounts\, SMTP Server

    It then sends out to the SMTP server commands to create and send an email. The actual subject and body of the email may be randomly composed.

    It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.

    The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi so that when recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook.

    More information about this vulnerability is available at Microsoft’s Security Bulletin.

     

  • Antivirus Retaliation Procedure
    The worm disables the running processes, and occasionally deletes the executable files of programs associated with the following names of antivirus products:

    _AVP32 _AVPCC NOD32 NPSSVC NRESQ32 NSCHED32 NSCHEDNT NSPLUGIN NAV NAVAPSVC NAVAPW32 NAVLU32 NAVRUNR NAVW32 _AVPM ALERTSVC AMON AVP32 AVPCC AVPM N32SCANW NAVWNT ANTIVIR AVPUPD AVGCTRL AVWIN95

    SCAN32 VSHWIN32 F-STOPW F-PROT95 ACKWIN32 VETTRAY VET95 SWEEP95 PCCWIN98 IOMON98 AVPTC AVE32 AVCONSOL FP-WIN DVP95 F-AGNT95 CLAW95 NVC95 *SCAN* (any character can be in place of *) *VIRUS* (* is any character) LOCKDOWN2000 Norton Mcafee Antivir TASKMGR

    The worm also scans for the above strings, and deletes them if found as values in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\Run

    Finally, the worm searches for and then deletes the following files:

    ANTI-VIR.DAT CHKLIST.DAT CHKLIST.MS CHKLIST.CPS CHKLIST.TAV

    IVB.NTZ SMARTCHK.MS SMARTCHK.CPS AVGQT.DAT AGUARD.DAT

     

  • Stealth Routine
    On Windows 98/95 systems, the worm registers itself as a service process to hide itself from the taskbar. On Windows 2000 systems, the worm creates a system service and registers it as a service control dispatcher. In this way the service control manager always calls the worm service upon Windows startup.

  Notes On Window NT 4.0 and Earlier Versions
  This worm does not perform its Antivirus Retaliation routine on machines running NT 4.0 or lower, due to an unavailability of system functions or APIs it uses to kill the antivirus-related processes.

  Although it does not execute on WinNT 4.0 and earlier versions, infection of machines with this operating system is still possible if the machine has shared folders. The dropped virus, PE_ELKERN.D infects files in shared drives. When this happens, a full infection of the system may ensue since PE_ELKERN.D executes on any Windows platform.

  It has been verified that the infection method of WORM_KLEZ.H (the main worm, not PE_ELKERN.D) is of companion type. When this worm infects an EXE file, it compresses the host file using RLE compression then renames its extension name into a random name. The basename, however, is retained. Its attribute is then set to Read-only, Hidden, System and Archive, afterwhich, the worm creates a copy of itself in that same directory taking the original filename and the icon of the original file. The worm also changes its filesize to be exactly the same as the host file, by padding garbage data at the end of the file. Example: If the worm has infected file.exe, then file.exe is replaced by the worm, with the same icon and size. file.xfp is the original host file which was compressed. Its attribute is set to hidden, read-only, system, and archive. It is located in the same directory as file.exe.

  The worm body contains the text strings:

  Win32 Klez V2.01 & Win32 Foroux V1.0
  Copyright 2002,made in Asia
  About Klez V2.01:
  1,Main mission is to release the new baby PE virus,Win32 Foroux
  2,No significant change.No bug fixed.No any payload.
  About Win32 Foroux (plz keep the name,thanx)
  1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
  2,With very interesting feature.Check it!
  3,No any payload.No any optimization
  4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing

   

  Description created:	Apr. 17, 2002
  Description updated:	Apr. 25, 2002

1. Scan your system with Trend Micro antivirus and delete all files detected as WORM_KLEZ.H. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
2. Since this worm uses a vulnerability in HTTP-based email clients like Microsoft Outlook and Outlook Express, please apply the latest patches as follows: