Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: File destruction
Detection files published: 29 Oct 2001 03:00:00
Description created: 05 Nov 2001 05:53:00
Description updated: 17 Jan 2002 02:36:00
Malware type: VIRUS
Alias:
Spreading mechanism: FILE_INFECTION, NETWORK, OTHER
Summary: None

W32/Elkern.A

Spreading

This is the virus planted by the W32/Klez.A and B worms.

It will work properly only under some Windows installations. The virus installs itself as a hidden file in the Windows system directory under the name WQK.EXE, and adds a key to the registry that automatically starts WQK.EXE on bootup. It will also try to install itself when run on Windows NT/2000, but then uses the name WQK.DLL.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK = %System%\WQK.EXE
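
A triage check for the persistence artifacts described above, added here as an example (it is not part of the original description or of any vendor tool): it scans saved `reg query` output for the Run key and a list of file paths for the WQK value and the WQK.EXE / WQK.DLL file names. The function names are hypothetical, and the sample registry text and file paths are constructed for illustration.

```python
import ntpath
import re

# Indicators from the description above: Run value "WQK", files WQK.EXE / WQK.DLL.
RUN_VALUE_NAME = "wqk"
FILE_NAMES = {"wqk.exe", "wqk.dll"}

# A value line in `reg query` text output: indented name, type, data.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# WQK.EXE / WQK.DLL as a whole file name inside a command line, quoted or not.
_IMAGE = re.compile(r'(?:^|[\\/"\s])wqk\.(?:exe|dll)(?=$|["\s])', re.IGNORECASE)

def parse_reg_query(text):
    """Return {value_name: data} parsed from `reg query` output for one key."""
    values = {}
    for line in text.splitlines():
        match = _VALUE_LINE.match(line)
        if match:
            values[match.group("name")] = match.group("data").strip()
    return values

def find_elkern_artifacts(reg_query_text, file_paths):
    """Return (kind, name, detail) tuples for each indicator that is present."""
    findings = []
    for name, data in parse_reg_query(reg_query_text).items():
        if name.lower() == RUN_VALUE_NAME or _IMAGE.search(data):
            findings.append(("run-key", name, data))
    for path in file_paths:
        base = ntpath.basename(path)  # ntpath parses Windows paths on any OS
        if base.lower() in FILE_NAMES:
            findings.append(("file", base, path))
    return findings

# Constructed sample evidence (not taken from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Backup Agent    REG_SZ    "C:\Program Files\Backup\agent.exe" /quiet
    WQK    REG_SZ    C:\WINDOWS\SYSTEM\WQK.EXE
"""
SAMPLE_FILES = [
    r"C:\WINNT\system32\wqk.dll",
    r"C:\WINNT\system32\kernel32.dll",
    r"C:\WINDOWS\SYSTEM\WQKX.EXE",
]

if __name__ == "__main__":
    for finding in find_elkern_artifacts(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

Because the file is installed hidden, the path list fed to the check should come from a listing that includes hidden files.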

The virus is polymorphic, and will add itself to Windows executable files on the local hard disk and on network resources that the user has write access to. Infected files may or may not increase in size - this depends on the virus' choice of infection method.


Payload Details

The virus will trigger a payload on the 13th of every March and September, which will destroy files on local and network disks the virus has access to. The payload may also be triggered outside of these dates, but the chance of that is small, since it is based on one single outcome of a pseudo-random routine capable of generating 65536 results.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14