This is a special alert from The Funny/Alerts Newsletter. Today we received an onslaught of email infected by the Klez virus and its variants. They were from all over the net and all of them had one thing in common... an attachment. The various attachments had names such as Rock.exe, Compaq.exe, Play.exe, Nummer.bat, 05613.exe, and GKFU.bat.

Several of them also included a message, such as:

This is a special new game
This game is my first work.
You're the first player.
I expect you would like it. 


This is a special good tool
I hope you would enjoy it. 

Make sure that your anti-virus product is up to date and configured to scan incoming email. Klez can fill your Outbox in an instant and clog up your connection with email to your friends and family that you didn't send. The problem is... your friends and family don't know that.

If you DON'T have anti-virus software there's still hope. Log on to the internet (do NOT open your email program), go to Trend Micro's HouseCall site and avail yourself of their online scanner. You may have to download the browser plug-in, but it's small and definitely worth the trouble.
Most anti-virus manufacturers have a Klez removal tool available for free download. Also, once you're clean, don't forget about the free AVG Anti-Virus software from Grisoft.

Worm Klez

W32/Klez-G, I-Worm.Klez.h, I-Worm.W32/Klez.gen@MM, W32.Klez.H@mm

This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP to propagate via email. The subject line of the email it arrives with is randomly selected from a list of possible choices. 

Upon execution, it drops files, creates an entry in the AutoRun key of the system registry, and then infects EXE files. It encrypts (compresses) each target file and then changes that file's extension to a random one. It also sets the attributes of its encrypted files to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file.

This worm makes sure that its file size is the same as that of the infected file. To do this, it pads garbage data at the end of the infected file. It does not perform its Antivirus Retaliation routine on machines running Windows NT 4.0 or lower, because those versions do not have the system functions or the Application Program Interface (API) that this worm uses to kill antivirus-related processes.
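
The file-pair pattern described above (an EXE sharing its folder and base name with a file of another extension that carries the Read-only, Hidden, System, and Archive attributes) can be checked for in a directory listing. The Python below is an added example, not part of the original alert or of any vendor's removal tool; the function names and the sample listing are constructed for illustration, and a match only marks files worth scanning with an up-to-date anti-virus product.

```python
import ntpath
import os
from collections import defaultdict

# Win32 FILE_ATTRIBUTE_* bit values.
READONLY, HIDDEN, SYSTEM, ARCHIVE = 0x01, 0x02, 0x04, 0x20
ALL_FOUR = READONLY | HIDDEN | SYSTEM | ARCHIVE


def find_suspect_pairs(entries):
    """entries: iterable of (path, attribute_bits) tuples.

    Returns sorted (exe_path, companion_path) pairs where an .exe shares its
    folder and base name with a file of another extension that carries all
    four attributes named in the description.
    """
    by_stem = defaultdict(list)
    for path, attrs in entries:
        # Windows paths are case-insensitive; the stem keeps the folder part.
        stem, ext = ntpath.splitext(path.lower())
        by_stem[stem].append((ext, path, attrs))
    pairs = []
    for members in by_stem.values():
        exes = [p for ext, p, _ in members if ext == ".exe"]
        companions = [p for ext, p, a in members
                      if ext != ".exe" and (a & ALL_FOUR) == ALL_FOUR]
        pairs.extend((exe, comp) for exe in exes for comp in companions)
    return sorted(pairs)


def list_folder(folder):
    """Collect (path, attribute_bits) for one folder. os.stat() reports
    attribute bits only on Windows; elsewhere they read as 0."""
    return [(e.path, getattr(e.stat(), "st_file_attributes", 0))
            for e in os.scandir(folder) if e.is_file()]


# Constructed listing (hypothetical names, not from a real machine).
SAMPLE = [
    (r"C:\Tools\winzip.exe", ARCHIVE),
    (r"C:\Tools\winzip.qxt", ALL_FOUR),             # companion, odd extension
    (r"C:\Tools\readme.exe", ARCHIVE),
    (r"C:\Tools\readme.txt", READONLY | ARCHIVE),   # ordinary read-only file
    (r"C:\Tools\setup.exe", ARCHIVE),
    (r"C:\Tools\setup.ini", HIDDEN | ARCHIVE),      # hidden only: not flagged
]

if __name__ == "__main__":
    for exe, comp in find_suspect_pairs(SAMPLE):
        print(f"review: {exe} <-> {comp}")
```

On a Windows machine, pass the output of list_folder() for each folder of interest to find_suspect_pairs() instead of the sample listing.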

What our lawyers make us say:


Disclaimer of warranties and limitation of liability

This information is provided on an "AS IS" and "AS AVAILABLE" basis. We make no representations or warranties of any kind, express or implied, as to the information, content, materials, or products included, or mentioned within this information bulletin. You expressly agree that your use of this information is at your sole risk. The user assumes the entire risk as to the accuracy and the use of this document.

To the full extent permissible by applicable law, we disclaim all warranties, express or implied, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose and freedom from infringement. We do not warrant that this information is accurate. We also will not be liable for any damages of any kind arising from the use of this information, including, but not limited to direct, indirect, incidental, punitive, and consequential damages.

Certain state laws do not allow limitations on implied warranties or the exclusion or limitation of certain damages. If these laws apply to you, some or all of the above disclaimers, exclusions, or limitations may not apply to you, and you might have additional rights.

[Copyrights and Trademarks] "FunnyAlert", "The Peer Group", and "The Peer Group, Unltd" are trademarks of The Peer Group, Unlimited. All other trademarks, trade names and product names are property of their respective owners. Copyright 1999, 2000, 2001, 2002 The Peer Group, Unltd. All rights reserved.