New Virus?

[AHunter3]

For three days straight my Eudora email trash folder has been stuffed with emails with attachments ending in .exe, .pif, .scr, .vbs, and the like.

::looks over fence to decisively not greener side::

You PC folks got another Outlook-borne virus making the rounds?

[RealityChuck]

There’s the Fizzer virus making the rounds. Seems pretty common right now.

[Q.E.D]

Bet it’s klez. I’ve been getting loads of that as well. Save one to your desktop (but DON’T double click it) and then scan with your antivirus scanner.

[AHunter3]

I don’t have an antivirus scanner (aside from Disinfectant) and doubleclicking on it wouldn’t do me any damage anyhow, but here’s one of the few coherent textlike strings I can find when I pry it open with a text editor:

[QUOTE]

@C

[AHunter3]

Interesting. vB must not like some of the upper-ASCII characters I copied and pasted! Let’s see…

A quick trip to the “Zap Gremlins” menu in BBEdit and the non-ASCII / control characters get replaced with •:

@C••••••(C••••••W•DeleteFileA•(•CopyFileA•••WinExec•••Sleep•••WaitForMultipleObjects••••OpenProcess•}•ExitProcess•••GetCommandLineA•••WaitForSingleObject•••CloseHandle•D•CreateProcessA••R•GetStdHandle••••ExpandEnvironmentStringsA•••GlobalFree••••WriteFile•4•CreateFileA•••GlobalAlloc•e•GetTempPathA••••FreeLibrary•••FreeResource••••GlobalUnlock••••LockResource••••LoadResource••••SizeofResource••••FindResourceA•••LoadLibraryA••&•GetModuleHandleA••>•GetProcAddress••KERNEL32.dll••••StrToIntA•SHLWAPI.dll•r•ShellExecuteA•SHELL32.dll•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••’••• •••"•••%ComSpec%•••FILE••••RtlZeroMemory•••RtlMoveMemory•••kernel32.dll•••••••••

Can anyone tell from that whether it is Klez or Fizzer or none of the above? BTW, why is klez back at the plate? Isn’t klez kind of old news by now?

[Ethilrist]

RealityChuck got it in one.

Once a computer is infected, the virus will scan the victim’s address book and send out infected messages using different subjects, message texts and file attachment names.

Fizzer also installs a keylogging program to record every keystroke as well as open a way to access a victim’s computer over Internet Relay Chat, and the virus also regularly connects to a web page to try to download an updated version of itself.

[Q.E.D]

If you still have one, go ahead and email it to me. I’ll have my scanner ID it.

[AHunter3]

OK, check your inbox. I’ve renamed it, adding a .virus to the end of it, which should keep a PC from executing it, yes? (I don’t usually go around emailing live viruses to people, but you seem to know what you’re doing)

[Q.E.D]

Got it. McAfee VirusScan identified it as W32/Fizzer.gen@MM. this one I have seen yet. All the ones I keep getting are loaded with klez. I’ll add this one to my collection. Yes, I collect computer viruses. Yes, I know it’s weird. I don’t actually keep the virus file, I just add it’s name to a list of ones I’ve caught.

[Nanoda]

Q.E.D: You check your web server? I’m running Apache, and my log files are full of attepts from IIS worms to furthur their ickiness. That Code Red was the worst, man.

And Klez will keep making the rounds until people with Outlook realize that attachments aren’t always the kewlest thing.

[Q.E.D]

Lately it’s taken the form of bounced emails. Dozens of them a day, purportedly sent by me and returned undeliverable. Occassionally the server that bounces them has scanned for and detected the virus. I don’t know where they’re all coming from, but it’s not from MY computer. All the ones I’ve bothered to detach and scan (maybe 4 all told) have been klez.