Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity NONE
Payload Removes antivirus programs
Detection files published 16 Apr 2002 03:00:00
Description created 17 Apr 2002 05:58:00
Description updated 26 Feb 2003 03:41:00
Malware type WORM
Alias W32.Klez.G
Spreading mechanism NETWORK
Summary None

W32/Klez.H@mm

Spreading

When the worm is started it copies itself to the System directory under the name "Wink*.exe", where the asterisk denotes a random combination of letters. It then adds a Registry entry so that it is loaded at startup:
On Win9x/ME:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wink* = %SystemDir%\Wink*.exe
On Win NT/2000/XP:
HKLM\System\CurrentControlSet\Services\Wink* = %SystemDir%\Wink*.exe
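The persistence pattern above (a Wink*.exe in the System directory referenced from a Run value or a service) is easy to hunt for in a registry export. The following is an added example, not code from the original page: it parses `.reg` export text and flags entries matching that pattern under the Run, RunOnce and RunServices keys (RunServices and RunOnce are also touched by the worm, as described further down) and under Services. The sample export is constructed; the regexes and the System/System32 directory names are this example's own assumptions about how the page's "%SystemDir%\Wink*.exe" appears on disk.

```python
import re

# Klez.H writes %SystemDir%\Wink<random letters>.exe and points a Run value
# (Win9x/ME) or a service (NT/2000/XP) at it. The System directory is
# "System" on 9x/ME and "System32" on NT-based systems (assumption for the regex).
WINK_VALUE = re.compile(r"^Wink[A-Za-z]*$")
WINK_IMAGE = re.compile(r"(?i)\\(system32|system)\\Wink[A-Za-z]*\.exe\b")
# Prefix match deliberately covers Run, RunOnce and RunServices.
RUN_KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def parse_reg_export(text):
    """Yield (key, value_name, data) triples from .reg export text.

    `reg export` writes UTF-16LE files; read them with encoding="utf-16"
    before passing the text here. Quoted string data is unquoted and its
    doubled backslashes collapsed; dword:/hex: data is kept as the raw token.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            if name == "@":            # the key's default value
                name = ""
            data = data.strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")
            yield key, name, data


def find_klez_persistence(reg_text):
    """Return [(key, value_name, data)] for Run*/Services entries whose data
    points at a Wink*.exe in the System directory, or Run* values named Wink*."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        k = key.lower()
        in_run = k.startswith(RUN_KEY_PREFIX.lower())
        in_services = k.startswith(SERVICES_PREFIX.lower())
        if not (in_run or in_services):
            continue
        if WINK_IMAGE.search(data) or (in_run and WINK_VALUE.match(name)):
            hits.append((key, name, data))
    return hits


# Constructed sample export (not captured from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winkqpx"="C:\\WINDOWS\\SYSTEM\\Winkqpx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winkabc]
"Type"=dword:00000010
"ImagePath"="C:\\WINNT\\System32\\Winkabc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_klez_persistence(SAMPLE_REG):
        print(f"{key}\n    {name or '(default)'} = {data}")
```

Run against a real export with `reg export HKLM\System\CurrentControlSet\Services services.reg` (and the same for the Run keys), then read the file with `encoding="utf-16"` and pass the text to `find_klez_persistence`. Matching on the image path rather than only the value name keeps a legitimate value that happens to start with "Wink" from being flagged.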
The worm runs many concurrent threads, each performing a different task.
Thread one: This thread walks the running processes and looks for certain words (Ref WL01) within the first 512 KB of each process's own memory space. If any of these words is found, the worm attempts to kill the process and deletes the corresponding program file (unless it resides in the dllcache directory).
Note that including virus names in the word list will not always affect the viruses in question, since some of them do not contain their own name, but it will certainly affect antivirus programs and fix-up tools. Viruses that contain the word "virus" may be affected, and other programs may be killed by accident if they happen to hold random memory data containing any of these words.
In addition, the thread checks whether the file names of running processes contain words from another word list (Ref WL02). If so, those programs are killed and deleted in the same way as described above.
The Registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
are checked for the presence of antivirus programs from the WL02 list. Any matching values are removed from the Registry.
On Win9x/ME this thread also continuously refreshes the worm's own Run key in the Registry.
Thread two: This is the mail-sending thread. Once a minute it checks whether the computer is connected to the Internet. If it is, it scans the Windows Address Book, ICQ databases (if present) and .txt, .htm and .html files on local drives for email addresses. It attempts to use the locally defined default mail server to transmit mail or, if that does not respond, guesses at possible mail servers by prepending 'smtp.' to domain names found in the mail addresses.
If a guessed mail server works, the worm keeps the email address it used as the basis for that server name in an internal list. If the guessed mail server does not work either, it consults this internal list and tries up to six random servers stored from previous connections.
If none of these work either, it falls back to a hard-coded list of known mail servers (WL22).
The mails are composed semi-randomly, based on a set of word lists and conditions:
Subject: <optional WL14><WL08>
Body text: none
E.g.

Subject: FW:some questions

or

Subject: A <WL18><WL06><WL15>
Body text: <optional WL14>This is a <optional WL18><WL06><WL15>
I <WL20> you would <WL19> it.
E.g.

Subject: A very new website
Body text:
Hello,This is a special new website
I hope you would enjoy it.

or

Subject: <WL07> removal tools
Body text:
<WL07> is a <WL18>dangerous virus that <WL21>
<WL09>give you the <WL07> removal tools
For more information,please visit http://www.<WL09>.com
E.g.

Subject: W32.Klez.E removal tools
Body text:
W32.Klez.E is a dangerous virus that spread through email.
F-Secure give you the W32.Klez.E removal tools
For more information,please visit http://www.F-Secure.com

or

Subject: Worm Klez.E immunity
Body text:
Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'
If you have any question,please mail to me (link to email address)

or

Subject: <WL12><WL08>
Body text:
The following mail can't be sent to <random address>
From: <email address>
To: <random address>
Subject: <WL08>
<WL13> is the original mail
Emails of this type appear to come from 'postmaster'.

or

Subject: A random set of words and/or letters found in local files
Body text: none

or

No subject or body text.

If the current date falls within a specific range around certain dates, there is a chance that the worm will compose a date-related mail instead. Such emails have the following format on the subject field:
Subject: <WL11> <optional WL06> <WL10>
Body text: none
E.g.
Subject: Have a nice April Fools' Day
 
The viral attachment is named randomly, based on file names or contents of files the worm has found, or is just a random combination of letters. The file extension is .exe, .pif, .scr or .bat. In many cases the file name has a double extension; in those cases the second-to-last extension is taken from word list WL03.
In addition, the email has a chance of carrying a second attachment of one of the file types in word list WL03. This is a random file the worm has found on disk, and it may contain private or confidential information. If the file is 51200 bytes or smaller, the chance that it is included is 50%; if it is between 51200 and 512000 bytes, the chance is 25%. Larger files are not included.
Please note that the sender address is filled in by the worm from addresses it finds in local files and will often not reflect the real sender.
When the worm spreads via email, users may be infected merely by reading or previewing the mail. This is accomplished using a known security hole, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".
Information and a patch are available from Microsoft Security Bulletin MS01-020.
The security hole is a known issue with Internet Explorer 5.01 and 5.5 without SP2. Users with this configuration should apply the available patch.
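The mail characteristics described above (executable attachment with a WL03-style double extension, the 'postmaster' bounce template, and a MIME header that misdescribes the attachment) can be checked at a mail gateway. The following is an added example, not code from the original page or the worm's author. It uses Python's standard `email` package on a constructed sample message. Since the page does not reproduce WL03, a placeholder set of document extensions stands in for it; the check for a PE payload (bytes starting with "MZ") declared under an audio/image/text/video Content-Type is this example's generalisation of the "incorrect MIME header" issue the page cites, not a reproduction of the exploit.

```python
import email
from email import policy

EXEC_EXTS = {".exe", ".pif", ".scr", ".bat"}   # attachment extensions named on the page
# WL03 is referenced but not reproduced on the page; this placeholder stands in for it.
WL03_PLACEHOLDER = {".txt", ".htm", ".html", ".doc", ".xls", ".jpg", ".gif", ".bmp", ".mp3", ".pdf"}
# Declared media types under which a Windows PE image has no business arriving.
NON_EXECUTABLE_TYPES = ("audio/", "image/", "text/", "video/")


def parse_mail(raw):
    """Parse an RFC 822 message into an EmailMessage (modern `policy.default`)."""
    return email.message_from_string(raw, policy=policy.default)


def split_exts(filename):
    """'readme.txt.pif' -> ['.txt', '.pif']; 'notes' -> []."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def attachment_findings(msg):
    """Return [(filename, reason)] for each suspicious MIME part:
    - an executable attachment (.exe/.pif/.scr/.bat), flagged separately when it
      hides behind a WL03-style double extension such as name.txt.pif;
    - a part whose decoded bytes start with the PE 'MZ' signature while its
      Content-Type claims audio/image/text/video (the 'incorrect MIME header' shape).
    """
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename() or ""
        exts = split_exts(fname)
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if exts and exts[-1] in EXEC_EXTS:
            if len(exts) >= 2 and exts[-2] in WL03_PLACEHOLDER:
                findings.append((fname, "double extension ending in " + exts[-1]))
            else:
                findings.append((fname, "executable attachment " + exts[-1]))
        if payload[:2] == b"MZ" and ctype.startswith(NON_EXECUTABLE_TYPES):
            findings.append((fname, "PE payload declared as " + ctype))
    return findings


def looks_like_fake_bounce(msg):
    """The 'postmaster' template above: a bounce-style body sent as 'postmaster'."""
    sender = (msg.get("From") or "").strip().lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body is not None else "").replace("\u2019", "'").lower()
    return sender.startswith("postmaster") and "can't be sent to" in text


# Constructed sample message in the page's 'postmaster' template shape. The
# base64 blob is a 32-byte stub that merely starts with the MZ signature.
SAMPLE_MAIL = """\
From: postmaster@example.com
To: victim@example.net
Subject: Returned mail: some questions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The following mail can't be sent to someone@example.org
From: victim@example.net
To: someone@example.org
Subject: some questions
The attachment is the original mail
--b1
Content-Type: audio/x-wav; name="readme.txt.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.txt.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1
Content-Type: text/html; name="notes.htm"
Content-Disposition: attachment; filename="notes.htm"

<html><body>harmless</body></html>
--b1--
"""

if __name__ == "__main__":
    message = parse_mail(SAMPLE_MAIL)
    print("fake bounce:", looks_like_fake_bounce(message))
    for fname, reason in attachment_findings(message):
        print(f"{fname or '(no name)'}: {reason}")
```

The Content-Type mismatch check is the one worth keeping in a gateway rule independently of Klez: an attachment whose declared type does not match its content is suspicious regardless of the file name the sender chose, whereas the extension and 'postmaster' checks only catch this worm's particular templates.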
Thread three: Once every two hours this thread attempts to open and enumerate remote resources; if a resource is a disk, the worm copies itself over to the remote machine.
On WinNT/2000/XP-based machines it attempts to install the remote copy of itself as a service on the remote machine. It also attempts to register itself in the remote machine's Registry under the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key, so that the worm is loaded during bootup.
In addition, the worm copies over a copy of itself stored inside a RAR archive. The file name inside the archive is composed of strings from the WL16 and WL04 word lists, e.g. snoopy.exe or install.pif.
Thread four: This is the file-infecting thread. Every hour Klez looks for programs listed under the 'App Paths' key in the Registry and attempts to infect those that fulfil certain criteria. The infection is so-called companion style: the original file is copied to a hidden file with the same base name but a random extension, and Klez takes its place, using the same name and even preserving the file size and resource information of the original so that no obvious change is noticeable. In addition to being moved to a different file name, the original program is compressed, so it cannot be run even if renamed back to the original program name.
A program is eligible for infection if it is not protected by the System File Checker in Win2000 or XP, if its file name does not contain any of the names in word list WL05, and if the file is between 86016 and 3145728 bytes long.
When such an infected program is run, the worm finds and extracts the original file and executes it. The extraction file name is built from the full path name with the drive colon, backslashes and periods removed and '.EXE' appended. E.g. if the infected program is C:\Setup\Setup.exe and the compressed original is C:\Setup\Setup.gfr, the worm extracts the original program to a file called 'csetupsetupgfr.exe' and executes it. It will not be particularly noticeable that the program that was run was actually infected.
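The companion infection leaves a recognisable shape on disk: a visible .exe of the original's size next to a hidden file with the same stem and an odd extension. The following is an added example, not code from the original page: it encodes the page's eligibility criteria and extraction-name rule, and scans a constructed directory listing for that shape. The page does not reproduce WL05, so a placeholder stands in for it; the set of "ordinary" sibling extensions used to suppress false positives is likewise this example's own assumption, and the Windows File Protection status is taken as an input flag rather than queried.

```python
import ntpath
from collections import defaultdict

MIN_SIZE, MAX_SIZE = 86016, 3145728   # eligibility range given on the page
# WL05 (names the worm refuses to infect) is not reproduced on the page;
# this placeholder stands in for it.
WL05_PLACEHOLDER = ("wink",)
# Extensions a legitimate hidden sibling might carry (assumption); a hidden
# sibling with any other extension is the shape the companion infection leaves.
ORDINARY_EXTS = {".exe", ".dll", ".sys", ".ini", ".txt", ".log", ".dat", ".cfg", ".hlp", ".bak", ".chm"}


def extraction_name(path):
    """Name Klez gives the decompressed original before running it: the full
    path with the drive colon, backslashes and periods removed and '.exe'
    appended (lower-case, following the page's C:\\Setup\\Setup.gfr example)."""
    flat = path.lower().replace(":", "").replace("\\", "").replace(".", "")
    return flat + ".exe"


def eligible_for_infection(path, size, wfp_protected=False):
    """The page's criteria: not under Windows File Protection, no WL05 word in
    the name, and 86016 <= size <= 3145728 bytes."""
    name = ntpath.basename(path).lower()
    if wfp_protected or any(word in name for word in WL05_PLACEHOLDER):
        return False
    return MIN_SIZE <= size <= MAX_SIZE


def companion_suspects(listing):
    """listing: iterable of (path, size, hidden). Returns [(exe_path, companion_path)]
    for every visible .exe that has a hidden sibling with the same stem and an
    unexpected extension. The decoy keeps the original's size, so the compressed
    companion is normally the smaller of the pair (not enforced here)."""
    by_dir = defaultdict(list)
    for path, size, hidden in listing:
        directory, filename = ntpath.split(path)   # ntpath handles Windows paths on any OS
        by_dir[directory.lower()].append((path, filename, size, hidden))
    suspects = []
    for files in by_dir.values():
        for exe_path, exe_name, _, exe_hidden in files:
            stem, ext = ntpath.splitext(exe_name)
            if ext.lower() != ".exe" or exe_hidden:
                continue
            for comp_path, comp_name, _, comp_hidden in files:
                comp_stem, comp_ext = ntpath.splitext(comp_name)
                if (comp_hidden and comp_stem.lower() == stem.lower()
                        and comp_ext.lower() not in ORDINARY_EXTS):
                    suspects.append((exe_path, comp_path))
    return suspects


# Constructed directory listing, not from a real system.
SAMPLE_LISTING = [
    (r"C:\Setup\Setup.exe", 1_200_000, False),   # decoy: same name and size as the original
    (r"C:\Setup\Setup.gfr", 640_000, True),      # hidden, compressed original
    (r"C:\Setup\Setup.ini", 2_048, False),
    (r"C:\Tools\viewer.exe", 400_000, False),
    (r"C:\Tools\viewer.log", 12_000, True),      # hidden, but an ordinary extension
]

if __name__ == "__main__":
    for exe, companion in companion_suspects(SAMPLE_LISTING):
        print(f"{exe} -> hidden companion {companion}; "
              f"would extract to {extraction_name(companion)}")
```

On a live system the listing would come from a recursive directory walk that records the hidden attribute; because the decoy preserves the original's size and resources, comparing file sizes against a software inventory will not reveal it, which is why the hidden-sibling heuristic is the useful signal.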
Thread five: This thread creates a file with a random name in the Program Files directory and executes it. This file is 10240 bytes long and installs the W32/ElKern.C virus.
Thread six: This thread looks for and deletes antiviral checksum databases (WL17) in the Internet Explorer cache directories.
Threads seven to thirty-two: These threads look for and delete antiviral checksum databases (WL17) on all drives from A: to Z:, local and mapped.
 

Payload Details

The worm actively attacks and deletes antivirus programs, and sometimes accidentally deletes other, unrelated programs as well.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11