The technical name for krn132.exe is Klez Trojan.
Klez Trojan is a trojan spread mostly by email that, in many cases, has removed all files on the infected computer.
When W32.Klez.A@mm is executed, it does the following:
It copies itself to
%System%\krn132.exe
NOTE: %System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds the value
krn132 %System%\krn132.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that it is executed when you start Windows.
The worm attempts to disable on-access virus scanners and searches local, mapped, and network drives. The worm copies itself using a random file name with a variable double extension, such as Filename.txt.exe.
In addition, the worm searches the Windows address book, which is used by Microsoft Outlook, for email addresses. The worm sends an email message to these addresses with itself as an attachment.
The email message has the following characteristics:
Subject: The subject of the email varies. It will usually be one of the following:
How are you?
Can you help me?
We want peace
Where will you go?
Congratulations!!!
Don't cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger
Attachment: The attachment has a random file name with the .exe extension.
Message:
I'm sorry to do so,but it's helpless to say sorry.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?
This message may not be visible (this depends on the ability of the email client to display HTML email messages). If the message is received by Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Every other month starting in January (January, March, May, and so on), if the date is the 13th of the month, the payload is executed. This causes files on local and mapped drives to become zero bytes in length.
Removal
- (Only needed if you were not successful in normal mode) Restart in Safe Mode (Tip: as soon as you restart the computer, press F8 before the Windows screen appears, then select Safe Mode)
- Search for the file krn132.exe and delete it.
- Delete the cookie named xww
- Delete the following registry values:
  - Go to your registry (Start --> Run --> enter regedit --> press OK)
  - Search for krn132 (press Ctrl+F and enter krn132)
  - Delete it wherever you find it.
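The same checks as a script, added here as an example that is not part of the original post: it reports the Run value and dropped file named above, optionally lists double-extension executables for a human to review, and removes only the two named artifacts when asked. It assumes Windows PowerShell 5.1 or later in an elevated prompt, and that the value name and path are exactly as the write-up states.

```powershell
# Added example, not from the original post: look for the two persistence
# artifacts the write-up lists (Run value "krn132" and %System%\krn132.exe)
# and optionally list double-extension executables (e.g. Filename.txt.exe).
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.
param(
    [switch]$Remove,      # delete the two named artifacts after reporting them
    [string]$ScanRoot     # optional folder to search for *.<ext>.exe copies
)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'krn132'
$sysDir    = [Environment]::GetFolderPath('System')   # resolves %System%
$dropPath  = Join-Path $sysDir 'krn132.exe'
$findings  = @()

# 1. Run-key value that relaunches the worm at every logon
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties[$valueName]) {
    $findings += [pscustomobject]@{ Type = 'RegistryValue'; Location = "$runKey\$valueName"; Detail = $runProps.$valueName }
}

# 2. Dropped copy in the System folder; record its hash for the incident notes
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'File'; Location = $dropPath; Detail = $hash }
}

# 3. Optional: double-extension executables are only listed, never deleted,
#    because the worm uses random names and each hit needs a human look
if ($ScanRoot) {
    $findings += @(Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '\.[A-Za-z0-9]{1,4}$' } |
        ForEach-Object { [pscustomobject]@{ Type = 'DoubleExtension'; Location = $_.FullName; Detail = $_.Length } })
}

if (-not $findings) { Write-Output 'No Klez.A artifacts found.'; return }
$findings | Format-Table -AutoSize

# Registry value first, then the file. The file can only be deleted while the
# worm is not running, which is why the write-up says to reboot into Safe Mode.
if ($Remove) {
    if ($findings.Type -contains 'RegistryValue') { Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction Stop }
    if ($findings.Type -contains 'File')          { Remove-Item -LiteralPath $dropPath -Force -ErrorAction Stop }
}
```

Run it once without switches to see what is present, then again with -Remove from Safe Mode; pass -ScanRoot C:\ to include the double-extension listing.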
Points to ponder
Is it really worth your time and money (you could lose all the money in your bank account if your password is compromised) to be worrying about these things?
It is always better to have software that can protect your computer and you. Spyware is more dangerous than viruses, for the simple reason that it steals your information. Your banking account password is much more valuable to them than your computer, and that's what most of them are after.