Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Klez.E@mm

Overview

Threat Risk LOW LOW
Destructivity MEDIUM MEDIUM
Payload Corrupts files. Disables antivirus software.
Detection files published
Description created 17 Jan 2002 08:18:00
Description updated 26 Feb 2003 03:40:00
Malware type WORM
Alias W32/Klez.F
I-Worm.Klez.E
Stemdil
Spreading mechanism EMAIL
FILE_INFECTION
NETWORK
Summary None

W32/Klez.E@mm

Spreading

When the worm is first executed, it copies itself to the Windows System directory using a semi-random name WINK????.EXE and creates a registry key to point to itself so it is loaded during startup.

At this time it also writes a file called WQK.EXE (on Win98) or WQK.DLL (on Win 2000) which is located in the Windows System directory. This file is another file infecting virus, W32/ElKern.B.

The worm attempts to send itself to addresses picked from the Windows Address book and other sources.

The email subject and body texts are composed out of a number of strings and are variable.

The attachment file name is also semi-random, the extension is either PIF, EXE, SCR or BAT.

When the worm spreads via email the user(s) may be infected by only previewing or opening the mail in Outlook/Outlook Express. This is accomplished using a known security hole "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

Information and patch is available from: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

The security hole is a known issue with Internet Explorer versions 5.01 and 5.5 without SP2 . Users who have this configuration should apply the available patch.

The worm also spreads over network shares. It copies itself over to remote machines in two turns - once as a regular worm file, once as a small RAR archive containing the worm.

As if this was not enough, the worm has also now basic file-infecting capabilities. It prepends itself to executables that it finds on the user's hard disk.

Payload Details

The worm scans for and kills a number of known antivirus utilities in memory, among them the previous version of Lumension Virus Control. It does not directly affect NVC version 5 or later. However, it does also kill and delete any process that opens an infected file, and this may of course interfere with the operation of any antivirus software.The worm may corrupt other important files. In our tests on Win98, the important system file VMM32.VXD was destroyed. There is also a date-triggered payload where files of a number of different document formats are overwritten on the 6th of odd numbered months.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15