This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
4246 (2003-02-05)Updated DAT
This worm spreads via network shares, peer-to-peer file-sharing software, and floppy diskettes. The worm contains a payload to initiate a Denial of Service attack against 3 white supremacist websites. The worm propagates via KaZaa using filenames found on the infected system, and the following names:
The worm also copies itself to c:\klez_removal.exe and creates a registry run key to load itself at startup:
A copy of the worm is saved to the A: drive as:
On the 5th, 15th, and 25th of the month, a Denial of Service attack is initiated against 3 white supremacist websites and the following network share propagation is attempted.
Network Share Propagation
The worm creates the file c:\Autostart.bat, which redirects the output of the NET VIEW command to the file c:\ntwrk32.dll. This file provides the virus a list of systems in the current workgroup for the worm to spread to. Using the share c, the worm copies itself to the following paths:
This worm spreads through the KaZaa, and WinMX file-sharing applications. It also may spread through network share propagation.
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).