If you have any additional information regarding this virus, please contact us.

Contents:
1) Causes
2) How to identify the virus?
3) What to do?
4) Antivirus programs
5) Manual removal instructions

Latest update:
Tuesday July 17th 2003.

Computer virus being distributed through a package built by GSfx Wizard

2003 July:

We were informed about a virus that was packaged using our freeware tool GSfx Wizard. This virus seems to cause several different problems for Windows users whose computers are infected by it. Until anti-virus software companies update their signatures, you can find below how to remove it.

Some user reports:

"GSfx archive C:\winnt\system32\sys data\sys folders\klsys.exe."

<< I am receiving an error on my computer with "GSfx Archive" in the title bar. The message reads "Error C:\WINNT\system32\sys data\sys folders\klsys.exe". The error occurs again and again, but initially upon start-up. >>

<< Since the first day I installed GSfx, all of a sudden a file with exe format starts in DOS mode, by which my network printer settings are stopped and I can't print, and a different file with exe starts using memory, which makes my PC slow. I tried to delete it also, but when I restart it, it again starts in DOS mode and again I can't use my network printer and memory is used and it takes time to open any software. I even tried Norton Antivirus, still the same. I am hereby attaching the file, please help me.
Product name is GSfx Archive
Language Neutral
Company Name Tw1s3r Systems
Web Tw1s3r@.com >>

What can cause this error?

First, a folder called "sys data\sys folders" is not an "official" Windows folder, and legitimate software does not normally create its own sub-folders under the System32 directory, which is reserved for shared system files.
So if you find such a strange folder, it is very likely that your computer has been infected by a virus.

This virus was packaged with our freeware GSfx Wizard. GSfx is not a virus or trojan itself: it works like WinZip Self-Extractor or WinRAR, creating self-extracting archives for file distribution. You can get more information about GSfx at http://www.gdgsoft.com/gsfx and see for yourself that it is not a virus maker. It was misused by the virus author.

GSfx Wizard is available freely for download at several shareware Web sites like
http://www.webattack.com/get/gsfxwiz.shtml

The malicious user created a virus that consists of several components and files, and to distribute it over the Internet he used GSfx to pack all of the virus files into a single executable file that he could send to his victims.

Thanks to a user who sent us the GSfx package file, we could analyse it:

Size: 734368 bytes.

The PE executable file contains the following version information (you can view it in Windows Explorer: select the file, right-click it to open the context menu, click Properties, then the "Version" tab):

  • Description: "GSfx Archive - Cabinet Self-Extractor."
  • Copyright: "Copyright by Tw1s3r"
  • Comments: "Packaged with GSfx Wizard, http://www.gdgsoft.com" (so you can contact us in case of such problems).
  • Company: Tw1s3r Systems
  • ProductName: GSfx Archive
  • Web: Tw1s3r@.com

You can open the .exe file using 7-Zip, WinZip or WinRAR like any regular self-extracting (SFX) archive. The contents of the GSfx package file are:

We do not know the roles played by all of these files: what we know is taken only from the analysis of the GSfx package file itself.
The GSfx package file was configured by the virus author (using GSfx Wizard options) to:

1) extract all of its files to %SYSTEM%\sys data\sys folders (%SYSTEM% designates the Windows System folder, like C:\WINNT\system32\ or C:\Windows\System on W9X/WME).

It appears that the virus has variant forms, so the sub-folder under %SYSTEM% may differ.
Nevertheless the functionality and the way it infects computers remain the same.

<< This beastie swept through my networks and has caused quite a few machines to become infected.
The variant that I've got creates:

 C:\WINNT\SYSTEM32\dfg ghj\loi gty
which contains this:

  CLS.BAT
  DATA.BAK
  DEXE.CPL
  FSLX.EXE
  KLSYS.EXE
  NEXE.CPL
  PLUG.DLL
  PSC32.EXE
  SYSTL.EXE
  TSYSL.BAT
  WINSE.EXE

It appears to be a more recent version of W32.Randon.worm (also see below)

http://vil.nai.com/vil/content/v_100097.htm

with quite a few "improvements" like a much larger dictionary, and it doesn't seem to be detected by several of the larger anti-virus packages [...]
>>

>> Rest of message available here.

2) run klsys.exe.

klsys.exe seems to be the program that initializes the virus components.

According to Panda software, this is the main file of the worm. This file is an IRC client that runs hidden. It is used to spread via IRC, using NEXE.CPL as configuration file.

The fact that the "error occurs again and again, but initially upon start-up" suggests that the malicious user created a program (one of the files extracted by the GSfx package file, or an external one?) that adds an entry to the Windows Registry, so that Windows runs the GSfx package file each time the user logs on and the virus is reinstalled at every logon.

What to do in order to eliminate this virus?

 >>> Use an antivirus program:

Panda Antivirus Titanium/Platinum now recognizes and deletes this virus.

This virus is known under the name 'W32/Klys'. More information at:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=40019

Summary:

Brief Description
Klys is a worm that spreads via the chat program IRC and network shared drives. Klys is also a dropper virus, as it copies to the affected computer a file belonging to the worm Cult.

In addition to this, Klys behaves as a Trojan, as it opens IRC ports. A hacker could use these ports to gain remote access to the resources of the affected computer.

If the affected computer is part of a network, Klys unshares most shared resources, admin$ and print$ among others, so that the applications that need these resources will stop working.

Visible Symptoms
Klys is difficult to recognize, as it does not show any messages or warnings that can alert the user that it has reached the system.

>>> Technical details about removing this virus safely are available here.


If you have the following folders on your computer:

  • %System%\fdg dgf
  • %System%\fdg dgf\fsd dsf
    or
  • %System%\sys files
  • %System%\sys files\data memory

then visit: http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_FLOOD.CD

Or if you don't have any of these folders:

1) klsys.exe may be running on your computer.

  • Use the Task Manager (CTRL+ALT+DEL) to end "klsys.exe" located in the "%SYSTEM%\sys data\sys folders" (or similar) folder.
    Some users reported the folder "c:\winnt\system32\sys files\data memory\" instead (probably a variant of the virus).
    If the Task Manager refuses to open, delete all files in the "%SYSTEM%\sys data\sys folders" folder except klsys.exe (Windows will refuse to remove a running program file). Wait some time and try to reopen the Task Manager, then follow the same instructions.
  • Delete klsys.exe from the folder.

If you are unable to get rid of klsys.exe, exit Windows and boot into Safe Mode; you will then be able to delete klsys.exe safely, as Windows will not run it.

2) Open REGEDIT (the Windows registry editor). You will need to know how the Windows registry works...

Search for the entry "klsys.exe"; you may find several entries. Look especially in this key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"

klsys.exe should be listed under such a key because Windows runs klsys.exe at each startup.

Possible entries:
in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\", some users found
"aupdate" or "arnko" pointing to klsys.exe, but there are normally more entries.

>> Delete all entries pointing to klsys.exe, as Windows may run this file from any of them. Some users reported these keys too:

  • HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
  • HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
  • HKEY_CLASSES_ROOT\irc\DefaultIcon
  • HKEY_CLASSES_ROOT\irc\Shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
    (these are the file-type associations for IRC chat files and irc: links; a "Shell\open\command" value pointing to klsys.exe means the worm is started whenever one of them is opened)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
    According to Panda Software, this entry is used to show an uninstallation icon for Klys. However, if the user attempts to uninstall it, the worm runs itself.

Now the virus should no longer be run at Windows startup, but...

3) We need to identify the GSfx package file on your computer. This GSfx package file installs klsys.exe, and the virus most likely keeps a copy of it somewhere on your system: some users reported that the virus came back even after they had deleted "klsys.exe".

Unfortunately the virus seems to copy the GSfx package file under a random filename, but reports consistently place it in three directories:

  • root directory (disk on which Windows is installed, like C:\ generally).
  • Windows System directory (for instance C:\WinNT\System32).
  • the Temporary Internet Files directory (the Internet Explorer cache).

See this screen shot sent by a user who found 'ran.exe':

We received reports of files named "ran.exe" and "hulkz.exe" stored in the three directories listed above. Otherwise you will need to search your computer: look for ".exe" files of exactly 734368 bytes. If you find additional filenames, please send them to us by e-mail so we can publish them here.

Note: the file rano.exe seems to be a worm called Cult and is part of the virus. More information is available at:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=38962

>> Delete all of these .exe files if they contain the version information stated above.

4) Reboot your computer (if you were in Safe Mode, you can log in to normal mode again).
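As an added example (it is not the page's nor GDG Software's own code), the following Python script automates the two look-ups from steps 2 and 3 above: it finds .exe files whose size is the 734368 bytes given earlier and which also carry the version-information strings listed on the Version tab (a VERSIONINFO resource stores its strings as UTF-16LE, so a byte search for that encoding confirms them without a full PE parser), and it lists every value in a regedit export (File > Export in REGEDIT) whose data mentions klsys.exe. The directory tree, file names and registry values it creates under a temporary folder are constructed for the demonstration and are not data from an infected machine; on a real system you would call find_package_copies() with C:\, the Windows System directory and the Temporary Internet Files directory, and pass the text of your own .reg export to find_run_entries().

```python
# Added example (not GDG Software's code): automate two look-ups from the
# removal steps above. VERSIONINFO strings are stored UTF-16LE in the PE
# resource section, so a byte search for that form confirms them without a
# PE parser. make_sample_tree() and SAMPLE_REG are constructed sample data.
import os
import re
import tempfile
from pathlib import Path

PACKAGE_SIZE = 734368                                  # size given on the page
VERSION_MARKERS = ("Tw1s3r Systems", "GSfx Archive")   # from the Version tab
TARGET_FILE = "klsys.exe"
REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"=data  or  @=data (default value); value names escape \ and " with \
REG_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def has_version_markers(path, markers=VERSION_MARKERS):
    """True if every marker occurs in the file encoded as UTF-16LE."""
    data = Path(path).read_bytes()
    return all(m.encode("utf-16-le") in data for m in markers)

def find_package_copies(directories, size=PACKAGE_SIZE, markers=VERSION_MARKERS):
    """Walk each directory; return sorted .exe paths matching size AND markers.
    Size is checked first so only candidates are read; files that cannot be
    stat'ed or read (access denied, in use) are skipped rather than fatal."""
    hits = []
    for base in directories:
        for dirpath, _subdirs, files in os.walk(base):
            for name in files:
                if not name.lower().endswith(".exe"):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    if os.path.getsize(full) == size and has_version_markers(full, markers):
                        hits.append(full)
                except OSError:
                    continue
    return sorted(hits)

def find_run_entries(reg_text, target=TARGET_FILE):
    """Return (key, value_name, data) for each string value mentioning target.
    Only REG_SZ values are inspected; hex-encoded types such as hex(2)
    (REG_EXPAND_SZ) are not decoded. regedit 5.00 exports are UTF-16, so read
    the file with open(path, encoding="utf-16") before passing the text in."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and key and target.lower() in m.group(2).lower():
            name = m.group(1) if m.group(1) is not None else "(Default)"
            hits.append((key, name, m.group(2)))
    return hits

# --- constructed sample data (not taken from a real infected machine) -------
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"aupdate"="C:\\WINNT\\system32\\sys data\\sys folders\\klsys.exe"
"arnko"="\"C:\\WINNT\\system32\\sys data\\sys folders\\KLSYS.EXE\" -s"

[HKEY_CLASSES_ROOT\irc\Shell\open\command]
@="\"C:\\WINNT\\system32\\sys data\\sys folders\\klsys.exe\" %1"
'''

def make_sample_tree(base):
    """Write harmless stand-ins (padding plus the version strings) under base."""
    base = Path(base)
    (base / "system32").mkdir(parents=True, exist_ok=True)
    marks = b"".join(m.encode("utf-16-le") for m in VERSION_MARKERS)

    def write(rel, size, with_markers):
        body = b"MZ" + (marks if with_markers else b"")
        (base / rel).write_bytes(body.ljust(size, b"\0"))

    write("hulkz.exe", PACKAGE_SIZE, True)           # copy in the root directory
    write("system32/ran.exe", PACKAGE_SIZE, True)    # copy in the System directory
    write("system32/calc.exe", PACKAGE_SIZE, False)  # same size, not the package
    write("other.exe", 4096, True)                   # right strings, wrong size
    return base

def demo():
    """Run both checks on the constructed samples; returns (copies, entries)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = make_sample_tree(tmp)
        copies = [os.path.relpath(p, base).replace(os.sep, "/")
                  for p in find_package_copies([base])]
    return copies, find_run_entries(SAMPLE_REG)

if __name__ == "__main__":
    # Real use: find_package_copies(["C:\\", "C:\\WINNT\\system32", <IE cache dir>])
    print(demo())
```

The size comparison runs before any file is read, so the walk stays cheap even over a whole drive, and a file that cannot be read (for instance a copy still running) is skipped instead of aborting the scan; delete such copies only after step 1 or from Safe Mode. Requiring both the size and all the version strings avoids flagging an ordinary GSfx archive, which carries "GSfx Archive" but not the "Tw1s3r Systems" company name. Only plain string values are examined in the .reg text; a hex-encoded REG_EXPAND_SZ value would have to be decoded first.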

IMPORTANT: unfortunately this will not clear or repair the possible damage caused by the virus.

>> Possible damage caused by the virus:

<< Our organization, [...], was hit very hard by the virus. It seems to be a variation of the Randon virus (see below), which among other things, scans port 445 and distributes itself through network shares, looking to exploit administrator profiles with simple passwords. While the primary user accounts have unique passwords, our administrative ones shared a common simple password, and thus opened our workstations to the exploit. The executable responsible for our situation seemed to be something named hulkz.exe. This was not only placed in the root C: drive of the workstations, but often in the winnt/system32 directory and other places as well. NT 4.0 systems seemed not to be affected. Only our Windows 2000 boxes were infected.

So to recap, here are the actions we took, in addition to the ones already listed on the web site:

  • Changed all administrative passwords - no common, easy, all unique. (This should be done as a best practice anyway, but it's the one place we got caught cheating.)
  • Scanned workstations for hulkz.exe or hulkz.* for any cached files
  • Virus doesn't seem to affect NT 4.0 systems.
  • Since there's no virus definition available from the major anti-virus companies as of yet, we had to go around to each workstation and manually delete files and registry keys. We shut down access to the outside world, no internet or e-mail, and performed the process.

>>

Conclusion

As soon as we get more information about this virus, we will publish it here.

Do not hesitate to use an antivirus solution on your computer. There are several commercial ones with daily signature updates, and also some free ones: visit Webattack for listings (both shareware and freeware).

We really regret that some malicious users like this virus author choose to use freeware programs to distribute their work.
We have no specific knowledge of how the virus works, nor of what it really does. We only know how it was packaged, since the virus author used our product GSfx Wizard to distribute it.

If you know any additional information about this virus, or if your anti-virus is able to detect it, please contact us.
 


Copyright G.D.G. Software. All rights reserved.