Virus Profile: W32/Klez.gen@MM

Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/26/2001
Date Added: 10/26/2001
Origin: Asia
Length: 57,345
Type: Virus
Subtype: Worm
DAT Required: 4168
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of a file called KRN132.EXE in the WINDOWS SYSTEM folder

Methods of Infection

Aliases

Klaz (F-Secure), TROJ_KLEZ.C (Trend), W32.Klez.D@mm (NAV), W32/Klez (Panda), W32/Klez.a@MM, W32/Klez.b@MM, W32/Klez.dam, W32/Klez.eml, W32/Klez.rar, W32/Klez@MM, Win32.Klez.D@mm (AVX)

Virus Characteristics

Later variants of this worm (see the description of W32/Klez.e@MM) spoof the From: field, so the sender shown in the message is not the infected user. Below is a general description of the Klez worm family.

This worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer 5.01 and 5.5 without SP2 (Microsoft Security Bulletin MS01-020, CVE-2001-0154). A malformed Content-Type header on the attachment causes the IE rendering engine, which Outlook and Outlook Express use to display HTML mail, to run the attachment when the message is merely viewed, with no user action on the attachment itself.

It arrives in an email message containing the following information:

From: king@21cn.com
or From: flag@21cn.com
or From: super@21cn.com
or From: zhangcheng77@online.sh.cn
or From: broused@online.sh.cn
or From: lbhuangsy@21cn.com
or From: kqlbaby@21cn.com
or From: jiemin@citiz.net
or From: feiyiming@citiz.net
or From: lllwww@online.sh.cn
or From: tomyjiang18@21cn.com
or From: luxianchu@21cn.com
or From: kqlbaby@21cn.comlin
or From: yuezhi@citiz.net
or From: zhangcheng77@online.sh.cn
or From: zbzwy@21cn.com
or From: sarge2010@21cn.com

Subject: Hello
or Subject: How are you?
or Subject: Can you help me?
or Subject: We want peace
or Subject: Where will you go?
or Subject: Congratulations
or Subject: Don't cry
or Subject: Look at the pretty
or Subject: Some advice on your shortcoming
or Subject: Free XXX Pictures
or Subject: A free hot porn site
or Subject: Why don't you reply to me?
or Subject: How about have dinner with me together?
or Subject: Never kiss a stranger

Body: (the text is enclosed in HTML comment tags, so HTML-capable mail clients display an empty message body)
I'm sorry to do so,but it's helpless to say sorry. I want a good job,I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names,I have no hostility. Can you help me?

Attachment: Varies
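The two delivery tricks described above, the MS01-020 MIME-type/file-name mismatch and the body text hidden in an HTML comment, can be checked for at a mail gateway. The following is an added example, not code from this profile or from McAfee: it parses a message with Python's standard email module and flags attachments whose declared MIME type is one IE would auto-open while the file name is executable, and extracts any text hidden in HTML comments. The sample message is constructed from the sender and subject lists above; the attachment name setup.exe and the set of auto-open MIME types are assumptions.

```python
"""Gateway check for the Klez delivery pattern (added example, not the
profile's own code).  The message below is constructed, not a captured
sample."""
import os
import re
from email import message_from_string

# MIME types that IE 5.01/5.5 before SP2 handed to a handler without
# prompting.  Assumption: this set is illustrative, not exhaustive.
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "audio/basic",
                   "image/gif", "image/jpeg"}
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs", ".js"}


def suspicious_attachments(raw_message: str) -> list:
    """Return one dict per body part whose MIME type and file extension
    disagree in the way MS01-020 made dangerous."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()        # normalised to lower case
        filename = part.get_filename() or ""   # Content-Disposition, else name=
        ext = os.path.splitext(filename)[1].lower()
        if ctype in AUTO_OPEN_TYPES and ext in EXECUTABLE_EXTS:
            hits.append({"content_type": ctype, "filename": filename,
                         "reason": "executable file name under auto-open MIME type"})
    return hits


def hidden_comment_text(raw_message: str) -> list:
    """Return the text of every HTML comment in text/html parts; Klez put its
    whole body text inside a comment so HTML clients showed an empty body."""
    msg = message_from_string(raw_message)
    comments = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("latin-1", "replace")
        comments.extend(c.strip() for c in re.findall(r"<!--(.*?)-->", html, re.S))
    return comments


# Constructed sample in the shape the profile describes (sender and subject
# are from the lists above; the attachment name is an assumption).
SAMPLE = """\
From: king@21cn.com
To: someone@example.com
Subject: Hello
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY-1"

--BOUNDARY-1
Content-Type: text/html; charset=us-ascii

<html><body><!-- I'm sorry to do so,but it's helpless to say sorry. --></body></html>
--BOUNDARY-1
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUNDARY-1--
"""

if __name__ == "__main__":
    for hit in suspicious_attachments(SAMPLE):
        print("SUSPICIOUS:", hit)
    print("hidden body text:", hidden_comment_text(SAMPLE))
```

The mismatch test is deliberately independent of the attachment's bytes: a patched client is not at risk, but the type/extension disagreement is still a reliable gateway indicator for this family of mailers.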

When run, the worm copies itself to the Windows system folder as KRN132.EXE and creates a registry Run value so that it is loaded at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Krn132=C:\WINDOWS\SYSTEM\krn132.exe

The worm also carries the W95/Elkern.cav virus, which it drops into the Windows system folder as WQK.EXE and registers with a second Run value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WQK=C:\WINDOWS\SYSTEM\WQK.EXE

See also the description of W95/Elkern.cav.
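The persistence described above (Run values pointing at the dropped file names, plus the files themselves in the system folder) is what an incident responder checks first. The following is an added example, not McAfee's code or the product's detection logic: it parses an exported .reg file and a directory listing so it runs offline, and reports every Run value or file that matches the names given in this profile and its variant table. The export and listing are constructed; on a live Windows host the same values would be read with the winreg module instead.

```python
"""Host indicator check for the Klez persistence described in this profile
(added example).  Works on an exported .reg file and a file listing; the
export and listing below are constructed."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Dropped file names named in the profile, with the detection each belongs to.
INDICATORS = {
    "krn132.exe": "W32/Klez.gen@MM",
    "winsvc.exe": "W32/Klez.d@MM",
    "wqk.exe": "W95/Elkern.cav",
}


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT4 / Windows Registry Editor export into
    {key_path: {value_name: data}} for string (REG_SZ) values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and current is not None:
            # .reg exports escape quotes and double every backslash
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def image_basename(command: str) -> str:
    """Lower-cased file name of the executable in a Run value, ignoring
    surrounding quotes and trailing arguments."""
    m = re.match(r'\s*"?(.*?\.(?:exe|com|scr|pif|bat))"?(?:\s|$)', command, re.I)
    parts = command.split()
    path = m.group(1) if m else (parts[0] if parts else "")
    return path.rsplit("\\", 1)[-1].lower()


def find_klez_indicators(reg_export: str, system_folder_files) -> list:
    """Return (where, detail, detection) for every Run value or system-folder
    file that matches the names in the profile."""
    findings = []
    run_values = parse_reg_export(reg_export).get(RUN_KEY, {})
    for name, data in run_values.items():
        det = INDICATORS.get(image_basename(data))
        if det:
            findings.append(("run value", f"{name}={data}", det))
    for fname in system_folder_files:
        det = INDICATORS.get(fname.lower())
        if det:
            findings.append(("system folder file", fname, det))
    return findings


# Constructed export and listing from an infected Windows 9x system.
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Krn132"="C:\\WINDOWS\\SYSTEM\\krn132.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\WQK.EXE"
"""
SYSTEM_FILES = ["KERNEL32.DLL", "KRN132.EXE", "WQK.EXE", "USER32.DLL"]

if __name__ == "__main__":
    for where, detail, det in find_klez_indicators(REG_EXPORT, SYSTEM_FILES):
        print(f"{det}: {where} {detail}")
```

Matching on the image name inside the Run value rather than on the value name catches the W32/Klez.d@MM variant as well, since only the file name changes there.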

The worm also enumerates network resources looking for open shares to infect, and repeats this enumeration every eight hours. It contains code to scan mapped drives as well, but because of a bug the scan never gets past drive A:, and the drive-type check fails there because A: is normally a removable drive rather than a fixed or remote one, so no mapped drive is actually scanned.

Variants

Virus Name      Type    Subtype         Minimum DAT   Differences
W32/Klez.d@MM   Virus   Internet Worm   4170          Minor differences only; WinSvc.exe replaces the name krn132.exe

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files to hook system startup are removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations