new virus


Posted by Patrish (208.32.6.133) on July 05, 2003 at 16:03:33:

I just got this notification from my anti-virus software company:

2. Mass-mailing Worm - WORM_KLEXE.A (Low Risk)
WORM_KLEXE.A is a mass-mailing worm that propagates via email. It uses Microsoft Outlook to send a link to its file, to all recipients in the infected user's Microsoft Outlook address book.

Upon execution of the main file (ECMSETUP1.EXE), it drops a copy of its keylogger component (KL.EXE) as the file "Windows Explorer.exe" in any of the following Windows startup folders:

C:\Windows\Startm~1\Programs\Startup
D:\Windows\Startm~1\Programs\Startup
E:\Windows\Startm~1\Programs\startup
F:\Windows\Startm~1\Programs\startup

This allows the keylogger component to execute at every Windows startup.

To propagate, this worm uses Microsoft Outlook to send email to all recipients found in the Microsoft Outlook address book. It sends email with the following:

Subject: Re:

Message body:
You received this email because you where sent a 'pass this on e-messenger card' through one of our valued partners. If you believe you received this message in error or would no longer like to receive e-mail from us click here http://www.geocities.com/ecardsenger/us.htm

To download your card click on the link below:

http://www.geocities.com/ecardsenger/ecmsetup1.zip

P.S. If you received this message but do not know the sender or wish to unsubscribe or if you have any questions, please mail to services@emmsconline.com

The email has no attachment, but contains a link that points to a zipped copy of the worm (ECMSETUP1.ZIP). The ZIP file contains the following files:

ECMSETUP1.EXE (main worm)
KL.EXE (keylogger component)

After executing its mass-mailing routine, the worm gathers the following information:

Hostname
IP address
Current date and time
List of recipients to which the worm successfully sent an email

It then sends the gathered information to the email address cardvict@rediffmail.com.

This worm's keylogger component stays active in memory to log user keystrokes. It is controlled by a timer, which determines when it sends the logged information to the email address cardmessenger@rediffmail.com. After executing its mass-mailing routine, it displays a message box.

If you would like to scan your computer for WORM_KLEXE.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_KLEXE.A is detected and cleaned by Trend Micro pattern file #580 and above.
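The advisory above names the worm's lure text, its download link, the dropped file name and the two reporting addresses. The following is an added example, not code from the post or from Trend Micro, that turns those published indicators into simple defender checks: a mail-side filter for the lure, a check for outbound mail to the reporting addresses, and a scan of Startup folders for the dropped "Windows Explorer.exe". Function names, the sample message and the temporary Startup folder are constructed for the demonstration.

```python
"""Defender-side checks built from the WORM_KLEXE.A indicators quoted in the advisory."""
import os
import tempfile

# Indicators taken from the advisory text (assumed still accurate for this sample).
KLEXE_ZIP_NAME = "ecmsetup1.zip"
KLEXE_LURE_HOST = "geocities.com/ecardsenger"
KLEXE_UNSUB_ADDRESS = "services@emmsconline.com"
KLEXE_DROPPED_NAME = "Windows Explorer.exe"  # keylogger copy placed in Startup
KLEXE_EXFIL_ADDRESSES = {"cardvict@rediffmail.com", "cardmessenger@rediffmail.com"}

def email_indicators(subject: str, body: str) -> list:
    """Return the lure indicators present in one message (constructed input)."""
    hits = []
    if subject.strip().lower() == "re:":          # bare 'Re:' subject used by the worm
        hits.append("subject-bare-re")
    lower = body.lower()
    if KLEXE_ZIP_NAME in lower:
        hits.append("link-to-ecmsetup1.zip")
    if KLEXE_LURE_HOST in lower:
        hits.append("ecardsenger-host")
    if KLEXE_UNSUB_ADDRESS in lower:
        hits.append("emmsconline-unsubscribe")
    return hits

def outbound_exfil(recipient: str) -> bool:
    """True if a message is addressed to one of the worm's reporting mailboxes."""
    return recipient.strip().lower() in KLEXE_EXFIL_ADDRESSES

def find_dropped_keylogger(startup_dirs) -> list:
    """Return paths named 'Windows Explorer.exe' inside the given Startup folders.
    Matching is case-insensitive since the advisory lists both 'Startup' and 'startup'."""
    found = []
    for d in startup_dirs:
        if not os.path.isdir(d):          # drive letters that do not exist are skipped
            continue
        for name in os.listdir(d):
            if name.lower() == KLEXE_DROPPED_NAME.lower():
                found.append(os.path.join(d, name))
    return found

def demo() -> dict:
    """Run all three checks over constructed sample data and return the results."""
    lure_body = ("To download your card click on the link below:\n"
                 "http://www.geocities.com/ecardsenger/ecmsetup1.zip\n")
    with tempfile.TemporaryDirectory() as tmp:
        startup = os.path.join(tmp, "Startup")
        os.makedirs(startup)
        open(os.path.join(startup, KLEXE_DROPPED_NAME), "wb").close()  # constructed decoy file
        dropped = find_dropped_keylogger([startup, os.path.join(tmp, "missing")])
    return {"lure": email_indicators("Re:", lure_body),
            "clean": email_indicators("Re: lunch", "see you at noon"),
            "exfil": outbound_exfil("cardvict@rediffmail.com"),
            "dropped": len(dropped)}
```

On a real host the Startup paths from the advisory (for example C:\Windows\Startm~1\Programs\Startup) would be passed to find_dropped_keylogger instead of the temporary folder.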
