Virus: Worm/Klez.E
Date discovered: 19/04/2002
Type: Worm
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: No
File size: ~80,000 bytes

General methods of propagation:
   • Email
   • Local network


Aliases:
   •  Symantec: W32/Klez.H@MM
   •  Mcafee: W32/Klez.h@MM
   •  Kaspersky: Email-Worm.Win32.Klez.h
   •  TrendMicro: WORM_KLEZ.H
   •  F-Secure: Win32.Klez.H@mm
   •  Sophos: W32/Klez-H
   •  Panda: W32/Klez.I
   •  Grisoft: I-Worm/Klez.H
   •  Eset: Win32/Klez.J
   •  Bitdefender: Win32.Klez.H@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops a malicious file
   • Uses its own Email engine
   • Lowers security settings
   • Makes use of software vulnerability
   • Steals information

Files:
It copies itself to the following locations:
   • %SYSDIR%\wink%three-digit random character string%.exe
   • %TEMPDIR%\%random character string%%hex number%.exe



It deletes the following files:
   • ANTI-VIR.DAT
   • CHKLIST.DAT
   • CHKLIST.MS
   • CHKLIST.CPS
   • CHKLIST.TAV
   • IVB.NTZ
   • SMARTCHK.MS
   • SMARTCHK.CPS
   • AVGQT.DAT
   • AGUARD.DAT
   • Shlwapi.dll
   • Kernel32.dll
   • netapi32.dll
   • sfc.dll



It deletes files whose names contain one of the following substrings:
   • _AVP32
   • _AVPCC
   • NOD32
   • NPSSVC
   • NRESQ32
   • NSCHED32
   • NSCHEDNT
   • NSPLUGIN
   • NAV
   • NAVAPSVC
   • NAVAPW32
   • NAVLU32
   • NAVRUNR
   • NAVW32
   • _AVPM
   • ALERTSVC
   • AMON
   • AVP32
   • AVPCC
   • AVPM
   • N32SCANW
   • NAVWNT
   • ANTIVIR
   • AVPUPD
   • AVGCTRL
   • AVWIN95
   • SCAN32
   • VSHWIN32
   • F-STOPW
   • F-PROT95
   • ACKWIN32
   • VETTRAY
   • VET95
   • SWEEP95
   • PCCWIN98
   • IOMON98
   • AVPTC
   • AVE32
   • AVCONSOL
   • FP-WIN
   • DVP95
   • F-AGNT95
   • CLAW95
   • NVC95
   • SCAN
   • VIRUS
   • LOCKDOWN2000
   • Norton
   • Mcafee
   • Antivir
   • TASKMGR
   • Sircam
   • Nimda
   • CodeRed
   • WQKMM3878
   • GRIEF3878
   • Fun Loving Criminal
   • Norton
   • Mcafee
   • Antivir
   • Avconsol
   • F-STOPW
   • F-Secure
   • Sophos
   • virus
   • AVP Monitor
   • AVP Updates
   • InoculateIT
   • PC-cillin
   • Symantec
   • Trend Micro
   • F-PROT
   • NOD32



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %TEMPDIR%\%random character string%%hex number%.exe

– A file that is executed as soon as it has been fully written:
   • %PROGRAM FILES%\%three-digit random character string%%hex number%.exe
     Further investigation showed that this file is malware, too. Detected as: W32/Elkern.C

Registry:
The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • wink%three-digit random character string% = %SYSDIR%\wink%three-digit random character string%.exe



The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\Wink%three-digit random character string%]
   • Type = 110
   • Start = 2
   • ErrorControl = 0
   • ImagePath = %SYSDIR%\wink%three-digit random character string%.exe
   • DisplayName = Wink%three-digit random character string%
   • ObjectName = LocalSystem

– [HKLM\SYSTEM\CurrentControlSet\Services\Winkegh\Security]
   • Security = %hex values

– [HKLM\SYSTEM\CurrentControlSet\Services\Winkegh\Enum]
   • 0 = Root\LEGACY_WINK%three-digit random character string%\0000
   • Count = 1
   • NextInstance = 1
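An added example, not part of this description, that scans a .reg-style export for the two persistence artifacts listed above: the Run value and the service, both named wink plus three letters and both pointing at the binary in the system directory. The sample export and the letters "egh" are constructed for the demonstration.

```python
import re

# Constructed sample of a .reg-style export (not from a real infection);
# the Run value and the service mirror the entries listed above, with
# "egh" standing in for the three random letters.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"winkegh"="C:\WINDOWS\system32\winkegh.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winkegh]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\WINDOWS\system32\winkegh.exe"
"DisplayName"="Winkegh"
"ObjectName"="LocalSystem"
"""

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
SERVICES_KEY = "\\system\\currentcontrolset\\services\\"
# "wink" plus three letters, binary located in the Windows system directory
WINK_NAME = re.compile(r"^wink[a-z]{3}$", re.IGNORECASE)
WINK_PATH = re.compile(r"\\system(32)?\\wink[a-z]{3}\.exe$", re.IGNORECASE)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg-style export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def find_klez_persistence(text):
    """Flag Run values and services that match the Klez.E naming scheme."""
    hits = []
    for key, values in parse_reg_export(text).items():
        low = key.lower()
        if low.endswith(RUN_KEY):
            for name, data in values.items():
                if WINK_NAME.match(name) and WINK_PATH.search(data):
                    hits.append(("run", name, data))
        elif SERVICES_KEY in low:
            svc = key.rsplit("\\", 1)[1]
            image = values.get("ImagePath", "")
            if WINK_NAME.match(svc) and WINK_PATH.search(image):
                hits.append(("service", svc, image))
    return hits
```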

Email:
It contains its own SMTP engine and sends emails over a direct connection to the destination mail server. The characteristics are described in the following:


Exploit:
In some cases it makes use of the following vulnerability:
– MS01-020 (Incorrect MIME Header Can Cause IE to Execute E-mail Attachment)


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from MSN Messenger
– Email addresses gathered from ICQ Messenger


Email design:
 


Subject: Worm Klez.E immunity
Body:
   • Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
     Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
     We developed this free immunity tool to defeat the malicious virus.
     You only need to run this tool once,and then Klez will never come into your PC.
     NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
     If so,Ignore the warning,and select 'continue'.
     If you have any question,please mail to me.
 


Subject: W32.Elkern removal tools
Body:
   • %replacement 1% give you the W32.Elkern removal tools
     W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP.
     
     For more information,please visit http://www.%replacement 1%.com
 


Subject: W32.Klez.E removal tools
Body:
   • %replacement 1% give you the W32.Klez.E removal tools
     W32.Klez.E is a dangerous virus that spread through email.
     
     For more information,please visit http://www.%replacement 1%.com
 


From: postmaster@%recipient's domain%
Subject: Undeliverable mail--%random words%
Body:
   • The following mail can't be sent to:
      %receiver's email address%
     
     From: %sender's email address%
     To: %receiver's email address%
     Subject: --%random words%
     The file is the original mail
 


From: postmaster@%recipient's domain%
Subject: Returned mail--%random words%
Body:
   • The following mail can't be sent to:
      %receiver's email address%
     
     From: %sender's email address%
     To: %receiver's email address%
     Subject: --%random words%
     The file is the original mail
 


Subject: A (very/special) %replacement 2% game
Body:
   • (Hello,/Hi,) This is a (very/special) %replacement 2% game
     This game is my first work.
     You're the first player.
     I %replacement 3% you would %replacement 4% it.
 


Subject: A (very/special) %replacement 2% website
Body:
   • (Hello,/Hi,) This is a (very/special)%replacement 2% website
     I %replacement 3% you would %replacement 4% it.
 


Subject: A (very) good/powerful tool
Body:
   • (Hello,/Hi,) This is a (very) good/powerful website
     I %replacement 3% you would %replacement 4% it.



Subject: A IE 6.0/WinXP patch
Body:
   • (Hello,/Hi,) This is a IE 6.0/WinXP patch.
     I %replacement 3% you would %replacement 4% it.


Subject:
In some cases the subject might also be empty.
The subject of the email is constructed out of the following:

    Sometimes it starts with one of the following:
   • Fw:
   • Re:

    Sometimes continued by one of the following:
   • Hi,%username from receiver's email address%,
   • Hello,%username from receiver's email address%,

    Sometimes continued by one of the following:
   • Have a
   • Happy

   • how are you
   • let's be friends
   • darling
   • so cool a flash,enjoy it
   • your password
   • honey
   • some questions
   • please try again
   • welcome to my hometown
   • the Garden of Eden
   • introduction on ADSL
   • meeting notice
   • questionnaire
   • congratulations
   • sos!
   • Christmas
   • New year
   • Saint Valentine's Day
   • Allhallowmas
   • April Fools' Day
   • Lady Day
   • Assumption
   • Candlemas
   • All Souls'Day
   • Epiphany

   • japanese girl VS playboy
   • look,my beautiful girl friend
   • eager to see you
   • spice girls' vocal concert
   • japanese lass' sexy pictures


Body:
–  In some cases it may be empty.


%replacement 1% is expanded to one of the following:
   • Symantec
   • Mcafee
   • F-Secure
   • Sophos
   • Trendmicro
   • Kaspersky


%replacement 2% is expanded to one of the following:
   • new
   • funny
   • nice
   • humour
   • excite


%replacement 3% is expanded to one of the following:
   • wish
   • hope
   • expect


%replacement 4% is expanded to one of the following:
   • like
   • enjoy


Attachment:
The filenames of the attachments are constructed out of the following:

–  It starts with one of the following:
   • %existing file or directory%

    The file extension is one of the following:
   • .exe
   • .scr
   • .pif
   • .bat

–  It starts with one of the following:
   • %existing file or directory%

    The file extension is one of the following:
   • .txt
   • .htm
   • .html
   • .wab
   • .asp
   • .doc
   • .rtf
   • .xls
   • .jpg
   • .cpp
   • .pas
   • .mpg
   • .mpeg
   • .bak
   • .mp3
   • .pdf



The email may look like one of the following: (example screenshots omitted)

Mailing:
Search addresses:
It searches the following files for email addresses:
   • .txt; .htm; .html; .wab; .asp; .doc; .rtf; .xls; .jpg; .cpp; .pas;
      .mpg; .mpeg; .bak; .mp3; .pdf

Network infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.

It drops a copy of itself to the following network share:
   • %all shared folders%


Infection process:
The downloaded file is stored on the compromised machine as: %existing file or directory% with one of the following extensions:
   • .txt; .htm; .html; .wab; .asp; .doc; .rtf; .xls; .jpg; .cpp; .pas;
      .mpg; .mpeg; .bak; .mp3; .pdf

or one of the following extensions:
   • .exe; .scr; .pif; .bat; .rar
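An added example, not part of this description, that applies the traits from the email design, attachment and infection-process sections above as a mail-gateway check: the fixed and templated subjects, the fake bounce sent as postmaster@ the recipient's own domain, and attachments that carry an executable extension from the second list, optionally preceded by a document extension from the first list (the double-extension form). The slash in the description's "good/powerful" and "IE 6.0/WinXP" is read as a choice, and the sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Extension lists and subject templates copied from the description above.
DECOY_EXTS = ("txt", "htm", "html", "wab", "asp", "doc", "rtf", "xls",
              "jpg", "cpp", "pas", "mpg", "mpeg", "bak", "mp3", "pdf")
EXEC_EXTS = ("exe", "scr", "pif", "bat", "rar")
EXEC_EXT = re.compile(r"\.(%s)$" % "|".join(EXEC_EXTS), re.IGNORECASE)
# document extension immediately followed by an executable one, e.g. notes.txt.exe
DOUBLE_EXT = re.compile(r"\.(%s)\.(%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
                        re.IGNORECASE)
# fixed and templated subjects; "a/b" in the description is read as a choice
KLEZ_SUBJECTS = re.compile(
    r"^(Worm Klez\.E immunity|W32\.(Elkern|Klez\.E) removal tools|"
    r"A (very |special )?(new|funny|nice|humour|excite) (game|website)|"
    r"A (very )?(good|powerful) tool|A (IE 6\.0|WinXP) patch)$", re.IGNORECASE)
FAKE_BOUNCE = re.compile(r"^(Undeliverable|Returned) mail--", re.IGNORECASE)

def klez_indicators(sender, recipient, subject, attachments):
    """Return the Klez.E traits a message shows (empty list = none found)."""
    hits = []
    if KLEZ_SUBJECTS.match(subject.strip()):
        hits.append("klez-subject")
    from_addr = parseaddr(sender)[1].lower()
    rcpt_domain = parseaddr(recipient)[1].lower().rpartition("@")[2]
    # the fake bounce claims to come from postmaster@ the recipient's own domain
    if FAKE_BOUNCE.match(subject) and from_addr == "postmaster@" + rcpt_domain:
        hits.append("fake-bounce")
    for name in attachments:
        if DOUBLE_EXT.search(name):
            hits.append("double-extension:" + name)
        elif EXEC_EXT.search(name):
            hits.append("executable-attachment:" + name)
    return hits

# Constructed sample messages (sender, recipient, subject, attachments), not real captures.
SAMPLES = [
    ("alice@example.com", "bob@example.org", "A very nice game", ["ring.jpg.pif"]),
    ("postmaster@example.org", "bob@example.org", "Returned mail--meeting notice", ["mail.txt.exe"]),
    ("alice@example.com", "bob@example.org", "Re: meeting notice", ["agenda.doc"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[2], "->", klez_indicators(*sample) or "no indicators")
```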

Process termination:
Processes whose names contain one of the following strings are terminated:
   • _AVP32; _AVPCC; NOD32; NPSSVC; NRESQ32; NSCHED32; NSCHEDNT; NSPLUGIN;
      NAV; NAVAPSVC; NAVAPW32; NAVLU32; NAVRUNR; NAVW32; _AVPM; ALERTSVC;
      AMON; AVP32; AVPCC; AVPM; N32SCANW; NAVWNT; ANTIVIR; AVPUPD; AVGCTRL;
      AVWIN95; SCAN32; VSHWIN32; F-STOPW; F-PROT95; ACKWIN32; VETTRAY;
      VET95; SWEEP95; PCCWIN98; IOMON98; AVPTC; AVE32; AVCONSOL; FP-WIN;
      DVP95; F-AGNT95; CLAW95; NVC95; SCAN; VIRUS; LOCKDOWN2000; Norton;
      Mcafee; Antivir; TASKMGR; Sircam; Nimda; CodeRed; WQKMM3878;
      GRIEF3878; Fun Loving Criminal; Norton; Mcafee; Antivir; Avconsol;
      F-STOPW; F-Secure; Sophos; virus; AVP Monitor; AVP Updates;
      InoculateIT; PC-cillin; Symantec; Trend Micro; F-PROT; NOD32


Miscellaneous:
String:
Furthermore it contains the following string:
   • Win32 Klez V2.01 & Win32 Foroux V1.0
     Copyright 2002,made in Asia
     About Klez V2.01:
     1,Main mission is to release the new baby PE virus,Win32 Foroux
     2,No significant change.No bug fixed.No any payload.

     About Win32 Foroux (plz keep the name,thanx)
     1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
     2,With very interesting feature.Check it!
     3,No any payload.No any optimization
     4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing

Description inserted by Andrei Gherman on Tuesday, October 9, 2007
Description updated by Andrei Gherman on Tuesday, October 9, 2007
