Myers Racing Inc
10-22-2002, 11:18 AM
There is a virus being sent by someone hacking into snowmobile sites and sending the Happy Allhallowmas virus with the user names from the snowmobile sites. I am unaware which site so I am posting it on all of them. I know it is coming from these sites because I recognize some of the names from different sled sites. Just wanted to let everyone know before it happens to them. My virus protection has caught it every time but I constantly am receiving e-mails with the virus daily!!
MichYamaha
10-22-2002, 11:23 AM
Are you sure it doesn't spread itself via peoples email address books?
That sucks ???
EVERYONE SHOULD HAVE AN ANTI-VIRUS PROGRAM ON THEIR PC!!
SteveCZ
10-22-2002, 11:26 AM
Cost of Antivirus software - $50
Cost of first year of Virus definition Updates - Free
Having to reload your PC because the Virus messed it up so bad, while everyone else is out on their new snow scooters
PRICELESS!!
Moral of the story, save yourself a headache and money in the long run, get AV Software!!!
:thumbsup: !!!
permafrost
10-22-2002, 11:27 AM
Myer's thanks for the heads up, just did a Norton update to be sure. Ya gotta hate SPOOFING, it tricks a lot of people as they think it is from someone they know so it's OK. I wonder where it is coming from. :angry:
Originally posted by Myers Racing Inc@Oct 22 2002, 12:18 PM
There is a virus being sent by someone hacking into snowmobile sites and sending the Happy Allhallowmas virus with the user names from the snowmobile sites. I am unaware which site so I am posting it on all of them. I know it is coming from these sites because I recognize some of the names from different sled sites. Just wanted to let everyone know before it happens to them. My virus protection has caught it every time but I constantly am receiving e-mails with the virus daily!!
While a virus could possibly be spread through a web site (only if your web browser has severe vulnerabilities), I can say with certainty it is not coming from SW.
The worm you are talking about is well known now, called the Klez virus. It can affect nearly all Windows systems, but it can't infect a few other OSes including Linux, which is what runs this web site.
The worm does indeed include a mass mailing routine. More information is available below from SOPHOS (http://www.sophos.com/virusinfo/analyses/w32klezh.html), who were the first to spot the worm. Most commercial AV software now scans for this worm. Update your virus definitions frequently:
W32/Klez-H
Type
Win32 worm
Description
W32/Klez-H is a Win32 worm that carries a compressed copy of the W32/ElKern-C virus which it drops into the Program Files directory and executes.
W32/Klez-H copies itself into the Windows system directory with a random filename. The filename begins with the characters "wink" and has the extension EXE.
The worm searches for email addresses in the Windows address book and also in files with the extensions TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 and PDF.
The email message "From:" field will contain either one of the addresses found in the search or an address taken from a list inside the virus body.
The worm sends itself using emails with the following characteristics:
Subject line:
The subject line is randomly created using one of the following rules.
1. A combination of "Hi,", "Hello," "Re:", "Fw:", or nothing
   with "Very", "special", "Happy" or "Have a" as the first part of the sentence
   and "New", "funny", "nice", "humour", "excite", "good", "powful", "WinXP", "IE 6.0" or nothing as the second, arranged in one of the following sentences:
   "A %s %s game."
   "A %s %s tool."
   "A %s %s website."
   "A %s %s patch."
   "%s %s Allhallowmas"
   e.g. "A special powful tool" or "Happy Allhallowmas"
2. A combination of "W32.Elkern" or "W32.Klez.E" and "removal tools".
   e.g. "W32.Klez.E removal tools"
3. One chosen from the following list:
   how are you
   let's be friends
   darling
   so cool a flash,enjoy it
   your password
   honey
   some questions
   please try again
   welcome to my hometown
   the Garden of Eden
   introduction on ADSL
   meeting notice
   questionnaire
   congratulations
   Sos!
   japanese girl VS playboy
   look,my beautiful girl friend
   eager to see you
   spice girls' vocal concert
   japanese lass' sexy pictures
   Undeliverable mail --
   Returned mail --
4. Worm Klez.E immunity
Message text:
The message text is randomly composed by the worm, and may be left blank.
If the subject line is "Worm Klez.E immunity", then the message text is
"Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me."
Attached file:
Randomly named with the extension PIF, SCR, EXE or BAT.
Because the worm uses its own SMTP engine, the message may appear to come from any email address. Some of the messages will have a "From:" field and message text which imply that the message was sent by a major anti-virus vendor (namely Kaspersky, F-Secure, Sophos, Symantec and Trend Micro).
The SMTP server used to send the messages is taken from the value "SMTP Server" of the registry key
HKCU\Software\Microsoft\Internet Account\Manager\Accounts
When sending email, W32/Klez-H may attach a randomly chosen file from the infected computer with the extension TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3, or PDF. This means that the worm may cause the disclosure of confidential company data.
W32/Klez-H attempts to disable several anti-virus software products and to delete some anti-virus related files.
The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment. Microsoft has issued a patch which secures against this vulnerability which can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)
W32/Klez-H may also spread to remote shares on other machines using random filenames. The dropped files may have a double extension formed by using a combination of extensions randomly taken from the two lists. The first extension is taken from the following list:
TXT
HTM
HTML
WAB
ASP
DOC
RTF
XLS
JPG
CPP
C
PAS
MPG
MPEG
BAK
MP3
PDF
The second extension is taken from:
PIF
SCR
EXE
BAT
For example, the double extension may be .txt.exe.
W32/Klez-H will add a value "wink<random>" to registry run command, so that the dropped file will run on Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Additionally the worm will attempt to disable anti-virus software by stopping any of the following processes:
_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
SCAN
VIRUS
LOCKDOWN2000
Norton
Mcafee
Antivir
TASKMGR
and deleting the files
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT
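The Sophos write-up above describes the traits a mail gateway can key on: a subject drawn from a fixed list or a small template generator, a "From:" line dressed up as an anti-virus vendor, and an attachment ending in PIF, SCR, EXE or BAT, often behind a document extension such as .txt.exe. The script below is an added example for this thread, not code from Sophos or from the forum: it transcribes those indicator lists into a triage routine and runs it over three constructed sample messages (they are made up for the example, not captured worm mail). The "quarantine" rule (an executable attachment alone, or two weaker indicators together) is this example's own choice.

```python
"""Mail triage against the W32/Klez-H traits in the quoted Sophos analysis.

Indicator lists are transcribed from that analysis; the three messages at the
bottom are constructed samples for this example, not captured Klez mail.
"""
import re
from email import message_from_string
from typing import Optional

# Rule 3 and rule 4 subjects from the analysis (compared case-insensitively).
FIXED_SUBJECTS = {
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl vs playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures", "undeliverable mail --", "returned mail --",
    "worm klez.e immunity",
}
# Rule 1: optional prefix, first word, optional second word, one of five templates.
_PREFIX = r"(?:hi,|hello,|re:|fw:)?\s*"
_FIRST = r"(?:very|special|happy|have a)"
_SECOND = r"(?:new|funny|nice|humour|excite|good|powful|winxp|ie 6\.0)"
TEMPLATE_RE = re.compile(
    rf"^{_PREFIX}(?:a\s+{_FIRST}\s+(?:{_SECOND}\s+)?(?:game|tool|website|patch)\.?"
    rf"|{_FIRST}\s+(?:{_SECOND}\s+)?allhallowmas)$",
    re.IGNORECASE,
)
# Rule 2: the fake "removal tools" subjects.
REMOVAL_RE = re.compile(r"^(?:w32\.elkern|w32\.klez\.e) removal tools$", re.IGNORECASE)

EXECUTABLE_EXT = {"pif", "scr", "exe", "bat"}          # attachment extensions used by the worm
DOCUMENT_EXT = {"txt", "htm", "html", "wab", "asp", "doc", "rtf", "xls", "jpg",
                "cpp", "c", "pas", "mpg", "mpeg", "bak", "mp3", "pdf"}
AV_VENDORS = ("kaspersky", "f-secure", "sophos", "symantec", "trend micro")


def subject_matches_klez(subject: str) -> bool:
    """True if the subject could have come out of the worm's subject generator."""
    s = " ".join(subject.split()).lower()       # the generator leaves double spaces behind
    return s in FIXED_SUBJECTS or bool(TEMPLATE_RE.match(s)) or bool(REMOVAL_RE.match(s))


def classify_attachment(filename: str) -> Optional[str]:
    """'double-extension' for e.g. report.txt.exe, 'executable' for any PIF/SCR/EXE/BAT."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXT:
        return None
    if len(parts) == 3 and parts[1] in DOCUMENT_EXT:
        return "double-extension"
    return "executable"


def triage(raw_message: str) -> dict:
    """Collect Klez-H indicators from one RFC 822 message and decide whether to quarantine."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    sender = msg.get("From", "").lower()
    findings = []
    if subject_matches_klez(subject):
        findings.append("subject matches Klez-H generator")
    if any(vendor in sender for vendor in AV_VENDORS):
        findings.append("sender claims to be an anti-virus vendor")
    for part in msg.walk():
        name = part.get_filename()
        kind = classify_attachment(name) if name else None
        if kind:
            findings.append(f"{kind} attachment: {name}")
    # An executable attachment is enough on its own; otherwise require two indicators,
    # since subjects like "meeting notice" are common in legitimate mail.
    has_exe = any("attachment:" in f for f in findings)
    return {"subject": subject, "findings": findings,
            "quarantine": has_exe or len(findings) >= 2}


def _sample(sender: str, subject: str, filename: str) -> str:
    """Build a constructed one-attachment multipart message (sample data, not a capture)."""
    return (f"From: {sender}\nSubject: {subject}\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b"\n\n--b\n'
            "Content-Type: application/octet-stream\n"
            f'Content-Disposition: attachment; filename="{filename}"\n\n'
            "placeholder-bytes\n--b--\n")


SAMPLE_IMMUNITY = _sample('"Sophos Anti-Virus Team" <noreply@example.invalid>',
                          "Worm Klez.E immunity", "immunity.txt.exe")
SAMPLE_GAME = _sample("dave@example.invalid", "Hi,A special powful game.", "snow.jpg.scr")
SAMPLE_BENIGN = _sample("club-secretary@example.invalid", "meeting notice", "agenda.pdf")

if __name__ == "__main__":
    for raw in (SAMPLE_IMMUNITY, SAMPLE_GAME, SAMPLE_BENIGN):
        print(triage(raw))
```

The benign sample shows why the subject list alone is a weak signal: "meeting notice" is on the worm's list, but with a PDF attachment and an ordinary sender it produces one finding and is left alone, while either worm-style message trips the executable-attachment rule outright. Double extensions are recognised only when the inner extension is one the analysis names, which keeps files like archive.tar.exe from being mislabelled as a document-disguise.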
boss hoss
10-22-2002, 01:47 PM
corey-WOW!!!! :hallo1:
Myers Racing Inc
10-22-2002, 03:06 PM
I just posted it on the sites because I recognized some of the user names from the sites I visit. Have heard from several other people having the same deal. I haven't had a problem but when I got back in town I received about 5 more of these e-mails and 2 more this morning so I thought I would get the word out for those who didn't know. I don't know where it is coming from but wanted to make sure everyone was aware. Corey, I posted this on other sites besides here.
sledcrazy
10-22-2002, 03:17 PM
Ya thanks for informing me. Haven't received anything yet. I prob should get an anti-virus program.
ZR006CatMan
10-22-2002, 03:36 PM
Your best anti-virus is yourself. Don't open unwanted emails, know where you download stuff from, and save anything important to disk just in case. Been working for me for a year and a half.
LicknOutaTheCatsDish
10-22-2002, 06:13 PM
Most any contracted viruses are too new to be caught by the anti-virus software that is installed on most computers anyway... if you do catch something there is usually a free fix within half a day. Anti-virus software is the number 1 thing that slows computers down... don't fall into that anti-virus software trap!
IndySKS
10-22-2002, 06:24 PM
Wow Corey, you're really on top of things... thanks for the information. I am well protected by Norton, money well spent. As for the virus Myers Racing was talking about, I believe it is coming from another snowmobile site (sorry, can't mention the name). They have had this problem all summer. I removed my email address from any postings on that site and have never got the virus from there since. Definitely a problem and it's good to have the heads up, but I don't think it's coming from here, and with the information Corey posted I feel well assured that it isn't.
Now if we could find a cure for spam email... life would be great.
Thanks for the info
xc 600
10-22-2002, 07:10 PM
Yes I have received that email also. The message was sent by a Dave "Happy Allhallowmas" I did not open it as I just blocked the sender and deleted the message. Lucky me thanks Myers Racing Inc. :cussing: hackers
Sled Dogg
10-23-2002, 08:34 AM
I don't understand how they haven't caught the people doing the Klez yet!!!! It's been around for so long now.
Caleb