Not open for further replies.
Registered · 2 Posts · Discussion Starter · #1
First off, I don't use Outlook Express AT ALL because I haven't registered an email address with my ISP. Therefore, I have no messages saved on my computer. Second, I have two accounts on Yahoo Mail. One keeps getting messages that are apparently carrying Klez, but the other is just fine. My question is this: can my computer get infected with Klez even if I ONLY use an internet-based email system such as Yahoo? Thanks.

Registered · 1,483 Posts

Klez: all you wanted to know... or didn't

Looks like you have to activate it by opening it, but... hang on, here we go... To read this and more, go to the best commercial AV site out there, www.antivirus.com

WORM_KLEZ.H
(see also: description and solution)

Variant of: WORM_KLEZ.A
In the wild: Yes
Discovered: Apr. 17, 2002
Detection available: Apr. 17, 2002
Detected by pattern file #: 265
(still using 900-series pattern files?)
Detected by scan engine #: 5.200
Language: English
Date of origin: 04/17/2002
Platform: Windows
Encrypted: No
Size of virus: 94,932 Bytes

Details:
Mass-mailing routine
To propagate copies of itself, this worm uses its own SMTP engine to send an email containing its executable program. It has several ways of collecting its spoofed source email address and target email address.

It randomly chooses its target users from the above pool of email addresses and from the email addresses that appear in the From field of the email.

Similar to the other KLEZ variants, this worm can change or spoof the original email address in the FROM: field. It obtains the email addresses that it places in the FROM: field from the infected user's address book. This causes a non-infected user to appear as the person who has sent this worm's malicious email. It does this to hide the real sender of the infected email. The actual email address of the sender is found in the Envelope From field. This email address is taken from the email address of the infected user’s SMTP account and this can be found in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

Since the Envelope From field cannot be found in the email body, the only way to get this information is by monitoring Transmission Control Protocol packets.
The subject of the email it sends is composed in a complex manner.

The subject may contain any of the following substrings:
how are you
let's be friends
darling
so cool a flash,enjoy it
Your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
Undelivarable mail-“%s”
Returned mail-“%s”
%s is a random string.
The subject may also be any of the following:
a %s %s game
a %s %s tool
a %s %s Web site
a %s %s patch
%s removal tools
%s can be any of the following:
new
funny
nice
humour
excite
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky
It gathers email addresses from the entries of the default Windows Address Book (WAB). The path and filename of these are identified in the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "<file and pathname of the WAB file>"

The worm also gathers a list of addresses from the following files that are stored on the infected user’s computer:
EXE
SCR
PIF
BAT
TXT
HTM
HTML
WAB
DOC
RTF
XLS
JPG
CPP
C
PAS
MPG
MPEG
BAK
MP3
PDF
Upon execution, this worm decodes its data in the memory. It then copies itself to a WINK*.EXE file in the Windows System directory. The copy has a hidden attribute and the * is a random number of random characters.

It then creates this registry entry so that it executes upon system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Wink* = "wink*.exe"

* is any random number of random characters.
This worm also infects EXE files. To infect, it encrypts (compresses) the target file and then modifies the file extension with a random name. It also modifies the attributes of the file and sets these to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file.

This worm makes sure that its filesize is the same as that of the infected file. To do this, it pads garbage at the end of the infected file.

Similar to WORM_KLEZ.A, this new worm has several threads that accomplish its propagation and payload mechanisms. Its main features are as follows.


Dropping of PE_ELKERN.D
The worm drops a randomly named file in the ProgramFilesDir (usually C:\Program Files). Approximately 10KB in size, this program can infect files in network shared folders and disable system file protection. It can also infect EXPLORER.EXE in memory. This program is detected as PE_ELKERN.D. Oftentimes, it deletes itself after running.

Network Infection
This worm is capable of spreading via shared drives/folders with read/write access. To accomplish this, it enumerates all the shared resources of the network. For shared folders with read/write access, it copies itself to files with randomly generated filenames. The dropped files have the following extensions:
EXE
PIF
COM
BAT
SCR
RAR
Occasionally, this worm copies itself to a random filename with double extensions. The first extension name can be any of the following:

EXE
SCR
PIF
BAT
TXT
HTM
HTML
WAB
DOC
RTF
XLS
JPG
CPP
C
PAS
MPG
MPEG
BAK
MP3
PDF
The second extension can be any of the extension names first listed.

It then constructs the HTML mail, which contains the base64 encoded worm copy. It randomly generates the filename of the attachment.

It obtains its SMTP server from the registry as follows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\, SMTP Server

It then sends out to the SMTP server commands to create and send an email. The actual subject and body of the email may be randomly composed.
It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.

The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi so that when recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook.

More information about this vulnerability is available at Microsoft’s Security Bulletin.


Antivirus Retaliation Procedure
The worm disables the running processes, and occasionally deletes the executable files of programs associated with the following names of antivirus products:
_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
*SCAN* (any character can be in place of *)
*VIRUS* (* is any character)
LOCKDOWN2000
Norton
Mcafee
Antivir
TASKMGR
The worm also scans for the above strings, and deletes them if found as values in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Finally, the worm searches for and then deletes the following files:
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT

Stealth Routine
On Windows 98/95 systems, the worm registers itself as a service process to hide itself from the taskbar. On Windows 2000 systems, the worm creates a system service and registers it as a service control dispatcher. In this way the service control manager always calls the worm service upon Windows startup.

Notes on Windows NT 4.0 and Earlier Versions
This worm does not perform its Antivirus Retaliation routine on machines running NT 4.0 or lower, due to the unavailability of the system functions or APIs it uses to kill the antivirus-related processes.

Although it does not execute on WinNT 4.0 and earlier versions, infection of machines with this operating system is still possible if the machine has shared folders. The dropped virus, PE_ELKERN.D infects files in shared drives. When this happens, a full infection of the system may ensue since PE_ELKERN.D executes on any Windows platform.

It has been verified that the infection method of WORM_KLEZ.H (the main worm, not PE_ELKERN.D) is of companion type. When this worm infects an EXE file, it compresses the host file using RLE compression, then renames its extension to a random name. The basename, however, is retained. Its attributes are then set to Read-only, Hidden, System and Archive, after which the worm creates a copy of itself in that same directory, taking the original filename and the icon of the original file. The worm also changes its filesize to be exactly the same as the host file, by padding garbage data at the end of the file. Example: if the worm has infected file.exe, then file.exe is replaced by the worm, with the same icon and size. file.xfp is the original host file, which was compressed. Its attributes are set to hidden, read-only, system, and archive. It is located in the same directory as file.exe.

The worm body contains the text strings:

Win32 Klez V2.01 & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing
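As an added illustration of two points in the write-up quoted above, the spoofed From: versus the true envelope sender and the EXE attachment labelled audio/x-wav or audio/x-midi, here is a small Python checker that flags those indicators in a raw message (example code written for this thread, not part of the original post or of the Trend Micro description). The sample message and its "MZ" stub are constructed, KLEZ_SUBJECTS is a subset of the subject list quoted above, and Return-Path is assumed to carry the envelope sender as recorded by the receiving mail server.

```python
import base64
import re
import email
from email import policy
from email.utils import parseaddr

# Subject fragments and templates taken from the WORM_KLEZ.H description above.
KLEZ_SUBJECTS = ("how are you", "let's be friends", "so cool a flash,enjoy it",
                 "your password", "please try again", "welcome to my hometown",
                 "undelivarable mail", "returned mail", "removal tools")
KLEZ_TEMPLATE = re.compile(r"^a \S+ \S+ (game|tool|web site|patch)$")
# The worm labels its EXE attachment as audio so IE-based clients auto-run it.
SUSPECT_AUDIO = {"audio/x-wav", "audio/x-midi"}


def klez_indicators(raw: bytes) -> list:
    """Return the Klez.H-style indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    # 1. From: is harvested from a victim's address book; the real sender only
    #    survives in the envelope, which the receiving MTA records as Return-Path.
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    env_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if hdr_from and env_from and hdr_from != env_from:
        found.append(f"from/envelope mismatch: {hdr_from} vs {env_from}")
    # 2. Subject drawn from the worm's fixed pool or its "a %s %s game" template.
    subject = msg.get("Subject", "").lower()
    if any(s in subject for s in KLEZ_SUBJECTS) or KLEZ_TEMPLATE.match(subject):
        found.append(f"klez subject pattern: {subject!r}")
    # 3. An "audio" part whose decoded body is a PE executable (MZ magic bytes).
    for part in msg.walk():
        if part.get_content_type() in SUSPECT_AUDIO:
            body = part.get_payload(decode=True) or b""
            if body[:2] == b"MZ":
                found.append(f"executable disguised as {part.get_content_type()}: "
                             f"{part.get_filename()}")
    return found


# Constructed sample message, not a real capture: the attachment is a fake PE
# stub that only carries the "MZ" magic bytes followed by zero padding.
FAKE_EXE = base64.b64encode(b"MZ" + b"\x00" * 62)
SAMPLE = (
    b"Return-Path: <infected.host@example.net>\r\nFrom: colleague@example.org\r\n"
    b"To: victim@example.com\r\nSubject: so cool a flash,enjoy it\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html\r\n\r\n<html>hi</html>\r\n"
    b'--b1\r\nContent-Type: audio/x-wav; name="flash.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n" + FAKE_EXE + b"\r\n--b1--\r\n"
)
```

Running klez_indicators(SAMPLE) returns three findings for the constructed message and an empty list for an ordinary text message.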
 

Registered · 2 Posts · Discussion Starter · #3
I just wanted a simple answer: if I use a web-based service (which stores email, etc. on its server) and DON'T OPEN ANY ATTACHMENTS (I haven't), can I still get Klez? Please help... I'm really frustrated.