W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:
- W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
- the worm has the ability to spoof the From: field (often set to an address found on the victim's machine).
- the worm attempts to unload several processes (antivirus programs) from memory including those containing the following strings:
The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
The worm may also copy itself into RAR archives, for example:
The worm mails itself to email addresses in the Windows Address Book, and to addresses extracted from files on the victim's machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:Subject:
A very funny website
A WinXP patch
A IE 6.0 patch
W32.Elkern removal tools
W32.Klez.E removal tools
The file attachment name is again generated randomly, and ends with an .exe, .scr, .pif, or .bat extension, for example:
Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in an infection of the victim's machine.
W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.Subject:
Worm Klez.E Immunity Body:
The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:
This payload can result in confidental information being sent to others.