I-Worm.Klez.a-h (Klez Family)
This is a worm-virus that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 57-65Kb (depending on its version) in length, and it is written in Microsoft Visual C++.
Infected messages have variable subjects and attachment names (see below).
The worm uses an Internet Explorer security breach (IFRAME vulnerability) to start
automatically when an infected message is viewed.
In addition to spreading in the local network and in e-mail messages, the worm also
creates a Windows EXE file with a random name starting with "K" (e.g.,
KB180.exe) in a temporary folder, writes the "Win32.Klez" virus into it, and
launches the virus. The virus infects the majority of Win32 PE EXE files on all
available computer disks.
Start-up
When an infected file is started, the worm copies itself to a Windows system
folder under the name krn132.exe. Then it writes the following registry value
so that it is started automatically with Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Krn132 = %System%\Krn132.exe
where %System% is the name of the Windows system folder.
Then the worm searches for running anti-virus applications (see the list
below) and terminates them with the Windows "TerminateProcess" API call:
_AVP32, _AVPCC, _AVPM, ALERTSVC, AMON, AVP32, AVPCC, AVPM, N32SCANW, NAVAPSVC,
NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NOD32, NPSSVC, NRESQ32, NSCHED32,
NSCHEDNT, NSPLUGIN, SCAN, SMSS
Replication: e-mail
The worm uses the SMTP protocol to send e-mail messages. It collects e-mail
addresses from the Windows Address Book (WAB) database and sends infected messages to these addresses.
The subject of the infected message is selected randomly from the following list:
Hello
How are you?
Can you help me?
We want peace
Where will you go?
Congratulations!!!
Don't cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger
The message body is the following:
I'm sorry to do so,but it's helpless to say sory.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?
Attached file: Win32 PE EXE file with random name, which has either an ".exe"
extension or a double extension:
name.ext.exe
The worm selects the filename (name.ext) using a routine of its own. It scans
all available drives for files with the following file-name extensions:
.txt .htm .doc .jpg .bmp .xls .cpp .html .mpg .mpeg
It uses one of the found filenames (name.ext) as the base name of an attachment,
then it adds a second extension, ".exe". For example, "Ylhq.htm.exe",
"If.xls.exe", etc.
The worm inserts its own "From:" field into infected messages. Depending
on a random counter, it inserts either a real e-mail address or a randomly
generated fake one, so the apparent sender of an infected message does not
reliably identify the infected computer.
An interesting feature of the worm is that, before sending infected messages,
it writes the list of e-mail addresses it found into its own EXE file.
All strings in the worm's body (messages and addresses) are stored in
an encrypted state.
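A gateway-side check for the attachment-naming scheme described above (name.ext.exe, with the inner extension drawn from the worm's list of document extensions), written here as an added example that is not part of the original description. The sample message, the function names and the example.invalid address are constructed for illustration; the outer-extension set also covers the .scr/.pif/.bat endings that the Klez.e variant uses.

```python
import email
import re
from email import policy

# Inner extensions the worm borrows from files found on disk (list from the description
# above); outer extensions cover Klez.a-d (".exe") plus the Klez.e additions.
INNER_EXTS = {"txt", "htm", "doc", "jpg", "bmp", "xls", "cpp", "html", "mpg", "mpeg"}
OUTER_EXTS = {"exe", "scr", "pif", "bat"}

# name.ext.exe: a base name, one document-style extension, then an executable one.
DOUBLE_EXT_RE = re.compile(r"^[^.]+\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)$")

def classify_attachment_name(name):
    """Return a verdict for a risky attachment name, or None if it looks benign."""
    match = DOUBLE_EXT_RE.match(name)
    if match:
        inner, outer = match.group(1).lower(), match.group(2).lower()
        if inner in INNER_EXTS and outer in OUTER_EXTS:
            return "double-extension executable"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in OUTER_EXTS:
        return "executable"
    return None

def suspicious_attachments(raw_message):
    """Parse a raw RFC 822 message and list (filename, verdict) for risky attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_attachment_name(name)
        if verdict:
            findings.append((name, verdict))
    return findings

# Constructed sample message; the attachment name is one of the examples given above.
SAMPLE_RAW = b"""Subject: How are you?
To: victim@example.invalid
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Can you help me?
--bnd
Content-Type: application/octet-stream; name="Ylhq.htm.exe"
Content-Disposition: attachment; filename="Ylhq.htm.exe"

TVqQAAMAAAAEAAAA
--bnd--
"""
```

Running `suspicious_attachments(SAMPLE_RAW)` on the constructed message returns `[("Ylhq.htm.exe", "double-extension executable")]`.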
Replication: local and network drives
The worm enumerates all local drives and network resources with write
access and places a copy of itself there under a random name of the form name.ext.exe (the name-generation routine is similar to the one used to generate attachment
names). After copying itself to network resources, the worm registers its
copies on remote computers as system service applications.
Payload
On the 13th of even months, the worm executes a payload routine, which
fills all files on all available disks of the victim's computer with random
content. These files can't be recovered and must be restored from a
backup copy.
Other versions
There are several modifications of this worm. I-Worm.Klez.a-d are similar, and have minor differences.
Klez.e-h are similar too, and have minor differences as well. See more info about "Klez.h" below.
Klez.e
Installation
The worm copies itself to the Windows system directory with a random name that
starts with "Wink", e.g., "Winkad.exe".
Infection
The worm searches several registry keys for links to applications:
Software\Microsoft\Windows\CurrentVersion\App Paths
Then the worm tries to infect EXE applications that it finds. When infecting
an EXE, the worm creates a file with the same name and random extension
and also hidden+system+readonly attributes. This file is used by the worm to
run the original infected program. When the infected file is run, the worm extracts
the original file to a temp file with the original filename plus 'MP8' and runs it.
The worm infects RAR archives by copying itself to archives with a randomly generated
name. The name of the infected file is selected from the following list:
setup
install
demo
snoopy
picacu
kitty
play
rock
and has either one or two extensions, where the last one is ".exe", ".scr",
".pif" or ".bat".
Replication: e-mail
The subject of the infected message is either selected from the following list
or is generated randomly:
Hi,
Hello,
Re:
Fw:
how are you
let's be friends
darling
don't drink too much
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
Japanese lass' sexy pictures
The worm can also generate the subject of the message from the following
strings:
Undeliverable mail--%%
Returned mail--%%
a %% %% game
a %% %% tool
a %% %% website
a %% %% patch
%% removal tools
where %% is selected from the following list:
new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez
The body of the infected messages is either blank, or has randomly generated contents.
The worm constructs the following variants for Subject and Message body:
Subject: A %1 %2
Body: This is a %1 %2 %3 or %4
where %1, %2 and %3 are selected randomly (depending on content) from these
variants:
%1: special, new, funny, nice, humour, excite, good, powful
%2: WinXP, IE 6.0, W32.Elkern, W32.Klez, W32.Klez.E (each followed by one of:
game, website, tool, patch, removal tools)
%3 is one of the lines:
This game is my first work.
You're the first player.
I wish you would enjoy it.
I hope you would enjoy it.
I expect you would enjoy it.
%4 contains strings such as these:
%5 give you the %1 removal tools
%1 is a dangerous virus that spread through email.
%1 is a very dangerous virus that can infect on Win98/Me/2000/XP.
For more information,please visit http://www.%5.com
where %5 is selected from the variants:
Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky
The result may look as follows:
A special new game
This is a new game
This game is my first work.
You're the first player.
I wish you would enjoy it.
A very funny website
This is a funny website
I hope you would enjoy it.
A very powful tool
Hello,This is a powful tool
I hope you would enjoy it.
A IE 6.0 patch
Hello,This is a IE 6.0 patch
I hope you would enjoy it.
W32.Elkern removal tools
Kaspersky give you the very W32.Elkern removal tools
W32.Elkern is a very dangerous virus that can infect on Win98/Me/2000/XP.
For more information,please visit http://www.Kaspersky.com
W32.Klez.E removal tools
W32.Klez.E is a dangerous virus that spread through email.
Kaspersky give you the W32.Klez.E removal tools
For more information,please visit http://www.Kaspersky.com
Attached file: a Win32 PE EXE file with a random name, which has either an ".exe"
extension or a double extension.
The worm uses an IFrame security breach to launch automatically when an
infected message is viewed.
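A triage check for subjects and body lines assembled from the Klez.e templates listed above, written here as an added example that is not part of the original description. The function names are assumptions; the generic subjects "Hi,", "Hello,", "Re:" and "Fw:" are deliberately left out of the fixed list because they would flag ordinary mail.

```python
import re

# Word lists transcribed from the Klez.e description above.
FILLERS = ["new", "funny", "nice", "humour", "excite", "good", "powful", "special",
           "very", "WinXP", "IE 6.0", "W32.Elkern", "W32.Klez", "W32.Klez.E"]
NOUNS = ["game", "tool", "website", "patch", "removal tools"]
VENDORS = ["Symantec", "Mcafee", "F-Secure", "Sophos", "Trendmicro", "Kaspersky"]
# Fixed subjects from the list above, minus the generic "Hi,", "Hello,", "Re:", "Fw:".
FIXED_SUBJECTS = {
    "how are you", "let's be friends", "darling", "don't drink too much", "your password",
    "honey", "some questions", "please try again", "welcome to my hometown",
    "the garden of eden", "introduction on adsl", "meeting notice", "questionnaire",
    "congratulations", "sos!", "japanese girl vs playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert", "japanese lass' sexy pictures",
}

def _alt(words):
    """Regex alternation, longest first so that "W32.Klez.E" is tried before "W32.Klez"."""
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))

# Subject "A %1 %2 <noun>" with one or two filler words, with or without the leading "A".
SUBJECT_RE = re.compile(
    r"^(?:a\s+)?(?:(?:" + _alt(FILLERS) + r")\s+){1,2}(?:" + _alt(NOUNS) + r")$", re.IGNORECASE)
# "Undeliverable mail--%%" and "Returned mail--%%".
BOUNCE_RE = re.compile(
    r"^(?:Undeliverable|Returned) mail--(?:" + _alt(FILLERS) + r")$", re.IGNORECASE)
# Body lines "%5 give you the %1 removal tools" and the fake vendor URL.
VENDOR_LINE_RE = re.compile(
    r"^(?:" + _alt(VENDORS) + r") give you the (?:(?:" + _alt(FILLERS) + r")\s+){1,2}removal tools$",
    re.IGNORECASE)
URL_LINE_RE = re.compile(
    r"^For more information,please visit http://www\.(?:" + _alt(VENDORS) + r")\.com$", re.IGNORECASE)

def klez_e_lure_reasons(subject, body):
    """Return the reasons a message resembles a Klez.e lure (empty list if none)."""
    reasons = []
    s = subject.strip()
    if s.lower() in FIXED_SUBJECTS:
        reasons.append("fixed subject")
    if SUBJECT_RE.match(s):
        reasons.append("templated subject")
    if BOUNCE_RE.match(s):
        reasons.append("fake bounce subject")
    for line in body.splitlines():
        text = line.strip()
        if VENDOR_LINE_RE.match(text) or URL_LINE_RE.match(text):
            reasons.append("templated body line: " + text)
    return reasons
```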
Payload
On the 6th of odd months, the worm executes a payload routine that fills all available files on the victim's local and network disks
with random content. These files can't be recovered and must be restored from a
backup copy.
Other
Depending on several conditions, Klez.e also attaches randomly selected files from the local disk to e-mails. Such a message therefore carries two attached files: 1. a copy of the worm, and 2. an additional file taken from the disk.
The worm looks for the following file extensions when choosing that file:
.txt .htm .html .wab .doc .xls .jpg .cpp .c .pas .mpg .mpeg .bak .mp3
As a result, the worm can leak personal or confidential files from the computer and disclose them.
The worm scans for the active processes that contain the following strings,
and terminates them:
Sircam
Nimda
CodeRed
WQKMM3878
GRIEF3878
Fun Loving Criminal
Norton
Mcafee
Antivir
Avconsol
F-STOPW
F-Secure
Sophos
virus
AVP Monitor
AVP Updates
InoculateIT
PC-cillin
Symantec
Trend Micro
F-PROT
NOD32
Klez.h
The Klez.h variant of the Klez worm family is very similar to Klez.e. The differences are:
- This variant has no payload and doesn't destroy files.
- It carries additional variants of infected messages, subjects and bodies.
Example of a Klez.h email message Subject and Body content:
Worm Klez.E immunity
Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.
This worm looks for files with the following extensions:
.txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .c .pas .mpg .mpeg .bak .mp3 .pdf
Depending on several conditions, Klez.h attaches a file with one of the extensions listed above to infected e-mails (as the second attached file). As a result, confidential or personal information may be sent out and disclosed.
Another example of Klez.h email message content:
Win32 Klez V2.01 & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing
How do I delete the Klez virus?
1) disconnect the infected PC from the local network (if any)
2) run clrav.com
If the program says "nothing to clean", run it from the command line with the /scanfiles parameter, for example:
C:\clrav.com /scanfiles
3) reboot your PC in Safe Mode
4) run clrav.com again
5) reinstall the anti-virus package and update the anti-virus database
6) run Kaspersky AV Scanner and check all the hard drives