KLEZ Virus

Phil Mattison plug-discuss@lists.plug.phoenix.az.us
Fri, 18 Oct 2002 10:17:23 -0700


Evidently there is a relatively new variant of the KLEZ virus going around,
mainly affecting Windows users. As part of a marketing effort we have asked
people to send us JPEG photos via email, which makes us particularly
vulnerable, as KLEZ always comes as an attachment. Linux/UNIX seems to be
immune to it, but we still need to run Windows for some things, and I think
I have a fairly simple fix. I read some of the online research available,
and it is consistent with what I found on the infected machine. KLEZ comes
as an attachment that may masquerade as a different mime-type than it
actually is, but uses an IFRAME tag to install itself in
WINDOWS/SYSTEM/wink*.exe. It also makes an entry in the registry to start
up at boot. If you delete the registry entry it is immediately restored by
the virus. You cannot kill the running process because Windows thinks it is
protected. What I had to do was reboot the machine from an emergency boot
floppy, remove the system protections from the virus file using a DOS
command (attrib -s -r -h wink*.exe) and then delete it. The file is always
named wink*.exe, where * is 3 or 4 random letters. Then I could reboot
normally and remove the registry entry. The infection may recur because the
virus searches for other exe files and infects them as well, so running an
infected program will reinstall the virus, but this at least will kill the
current version, and if you catch it early, may remove it. Unfortunately it
also attacks shared drives. The only sure cure is to reformat the drive(s)
and reinstall the OS.

If you use Outlook Express I think you can block the virus by creating a
"message rule" to delete any incoming messages that have an IFRAME tag in
the body.

I am pretty disgusted that Microsoft would leave such a gaping security hole
in their system. I'm guessing they did this so they could install "updates"
without "bothering" the user for permission. It's like being asked to
house-sit and then leaving all the doors unlocked so you don't have to
bother with the key. But then those obsessed with world domination always
tend to forget about all "the little people" who made them successful. I
have to wonder what motivates such arrogance. Maybe there is something to
the fact that Microsoft is synonymous with both "small" and "flaccid."

There are still a few things that prevent me from switching exclusively to
Linux. One is that the on-screen font rendering is not as good. Maybe there
are licensing issues that prevent this, but in my opinion the page rendering
in Netscape or Mozilla, for example, is ugly, and most other apps are not
much easier to read. Another is the constant firehose of "updates." Most
people want to use their OS, not tinker with it. These days an OS is more
like an appliance than a hobby. Until the open-source community gets that
through their heads, Linux will never be a serious contender for the
consumer desktop.

Enough pontificating already; I'm off my soap-box.
--
Phil Mattison
Ohmikron Corp.
480-722-9595
602-820-9452 Mobile
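The two tells Phil describes, an IFRAME tag in the message body and an attachment that claims one MIME type but carries something else, as an added Python example that is not part of the original post or of any product mentioned in it. The sample messages are constructed here and are not real Klez mail; the file-signature checks (a JPEG starts with FF D8 FF, a Windows executable starts with "MZ") are assumptions added for the example, not something the post states.

```python
"""Screen incoming mail for two Klez tells discussed in the post above:
an <IFRAME> tag in an HTML body part, and an attachment whose declared
MIME type does not match its actual bytes.  Added example, not code
from the original post; the sample messages are constructed here."""
import email
import re
from email import policy
from email.message import EmailMessage

IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)

# File signatures assumed for this example: a JPEG starts with FF D8 FF,
# a DOS/Windows executable (.exe) starts with "MZ".
JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"


def scan_message(raw: bytes) -> list:
    """Return the reasons to drop this message; an empty list means it looks clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no bytes of their own
        ctype = part.get_content_type()
        name = part.get_filename() or ctype
        payload = part.get_payload(decode=True) or b""
        # Tell 1: an IFRAME in an HTML body, the trick the post blames for auto-running the attachment.
        if ctype == "text/html" and IFRAME_RE.search(payload):
            reasons.append("IFRAME tag in HTML body")
        # Tell 2: a part that is really an executable, whatever type it claims.
        if payload.startswith(PE_MAGIC):
            reasons.append(f"{name}: executable content (MZ header)")
        # Tell 3: a part declared as JPEG that does not start like a JPEG.
        if ctype == "image/jpeg" and not payload.startswith(JPEG_MAGIC):
            reasons.append(f"{name}: declared image/jpeg but not a JPEG")
    return reasons


def build_sample(html: str, attachment: bytes, declared_type: str, filename: str) -> bytes:
    """Assemble a multipart message (plain + HTML body, one attachment) for testing."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "photos@example.com"
    msg["Subject"] = "my photo"
    msg.set_content("Photo attached.")
    msg.add_alternative(html, subtype="html")
    maintype, subtype = declared_type.split("/", 1)
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a genuine-looking JPEG submission, and a Klez-style message
# whose "JPEG" is an executable referenced from a hidden IFRAME.
CLEAN_SAMPLE = build_sample(
    "<html><body><p>Here is my photo.</p></body></html>",
    JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"\x00" * 32,
    "image/jpeg",
    "photo.jpg",
)
SUSPECT_SAMPLE = build_sample(
    '<html><body>Hi!<IFRAME src="cid:photo.jpg" width=0 height=0></IFRAME></body></html>',
    PE_MAGIC + b"\x90\x00" + b"\x00" * 32,
    "image/jpeg",
    "photo.jpg",
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        verdict = scan_message(sample)
        print(label, "->", "DELETE" if verdict else "keep", verdict)
```

Checking the bytes rather than the declared Content-Type is the point: a mail client that trusts the header is exactly what the masquerading attachment relies on, and the IFRAME rule alone still lets through a message that mislabels its executable without using an IFRAME at all.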