W32/Klexe@MM

This page shows details and results of our analysis on the malware W32/Klexe@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4274 (2003-06-30)

Updated DAT

4274 (2003-06-30)

Minimum Engine

5.1.00

File Length

28,672 ecmsetup1.exe
36,864 kl.exe

Description Added

2003-06-29

Description Modified

2003-06-30


Characteristics

This is a mass-mailing worm that spreads via Microsoft Outlook.

It arrives as the following e-mail message. The worm is not attached to the message; it is fetched when the recipient follows the download link:

Subject: Re:
Message: You received this email because you where sent a 'pass this on e-messenger card' through one of our valued partners. If you believe you received this message in error or would no longer like to receive e-mail from us click here
http://www.geocities.com/ecardmessenger/us.htm

To download your card click on the link below:

http://www.geocities.com/ecardmessenger/blocked.zip

P.S. If you received this message but do not know the sender or wish to unsubscribe or if you have any questions, please mail to services@emmsconline.com.


Clicking on the link downloads these two files:

  • ecmsetup1.exe
  • kl.exe

Running ecmsetup1.exe sends the above message to every address in the Outlook Global Address List.

It copies kl.exe to the following locations (the Startup folder, so the copy is launched at each logon; "startm~1" is the 8.3 short name of "Start Menu"):

  • c:\windows\startm~1\programs\startup\Windows Explorer.exe
  • d:\windows\startm~1\programs\startup\Windows Explorer.exe
  • e:\windows\startm~1\programs\startup\Windows Explorer.exe
  • f:\windows\startm~1\programs\startup\Windows Explorer.exe

It uses the default SMTP server to send a message to this address:

  • cardvict@rediffmail.com

The message contains the local machine name, IP address, username and current time.

The worm also displays an error message box.

The executable kl.exe can act as a key-logger, sending the captured keystrokes to the following address:

  • cardmessenger@rediffmail.com
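The mail-side indicators above (the e-card lure coming in, and the beacon and key-logger mail going out to the two rediffmail.com addresses) can be turned into a gateway check. The following is an added example written for this page, not McAfee's code or the worm's; the three messages at the bottom are constructed samples, and the body of the beacon sample is an invented stand-in for the machine name / IP / user / time the description says the worm sends:

```python
"""Mail-gateway indicators for W32/Klexe@MM (added example, not McAfee's code).

Indicators taken from the description:
  * inbound lure: Subject "Re:" with a body linking to
    http://www.geocities.com/ecardmessenger/blocked.zip
  * outbound traffic from an infected host: mail to cardvict@rediffmail.com
    (machine name / IP / user / time beacon) or cardmessenger@rediffmail.com
    (key-logger data)
The three messages at the bottom are constructed samples, not captured traffic.
"""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import getaddresses

LURE_URL = "http://www.geocities.com/ecardmessenger/blocked.zip"
LURE_SUBJECT = "re:"
BEACON_ADDRESSES = {"cardvict@rediffmail.com", "cardmessenger@rediffmail.com"}


def _text_of(msg: Message) -> str:
    """Join every text/* part so a multipart/alternative lure is not missed."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)


def _recipients(msg: Message) -> set[str]:
    """All envelope-visible recipient addresses, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.lower() for _name, addr in getaddresses(headers) if addr}


def classify(raw: str) -> list[str]:
    """Return the Klexe indicators present in one RFC 822 message; [] means none.

    'lure-url' / 'lure-subject' mark the inbound e-card message; 'beacon:<addr>'
    marks mail an infected host sends to the worm's drop addresses.
    """
    msg = message_from_string(raw)
    hits = []
    for addr in sorted(_recipients(msg) & BEACON_ADDRESSES):
        hits.append(f"beacon:{addr}")
    body = _text_of(msg)
    if LURE_URL in body:
        hits.append("lure-url")
        if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
            hits.append("lure-subject")
    return hits


# Constructed samples (headers and bodies written for this example).
LURE_SAMPLE = """\
From: ecards@example.invalid
To: victim@example.invalid
Subject: Re:

To download your card click on the link below:

http://www.geocities.com/ecardmessenger/blocked.zip
"""

BEACON_SAMPLE = """\
From: victim@example.invalid
To: cardvict@rediffmail.com
Subject: info

WORKSTATION1 192.0.2.10 jdoe 2003-06-29 10:15:00
"""

CLEAN_SAMPLE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Re: lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("beacon", BEACON_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, classify(sample))
```

The outbound rule is the more durable of the two: the geocities.com lure URL can be changed by re-mailing a new copy, but every infected host reports to the same two drop addresses, so an SMTP log or gateway filter keyed on them finds infected machines regardless of which lure they received.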

Symptoms

Mass-mailing via Outlook.
Existence of the files mentioned above, in particular "Windows Explorer.exe" in the Startup folder.
Outbound mail to the two rediffmail.com addresses listed above.
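A host-side check for the file symptoms above. This is an added example written for this page, not McAfee's code: it looks for "Windows Explorer.exe" in the Startup folder of each drive root it is given and for the downloaded pair ecmsetup1.exe / kl.exe anywhere under a directory, comparing each file's length against the lengths published in the description. It assumes the short-name path in the description and the long-name "Start Menu" spelling refer to the same folder (true on Windows), and the demo plants zero-filled placeholder files of the published lengths rather than real samples:

```python
"""Host-side triage for the files W32/Klexe@MM drops (added example, not McAfee's code).

Indicators taken from the description:
  * kl.exe (36,864 bytes) is copied to
    <drive>:\\windows\\startm~1\\programs\\startup\\Windows Explorer.exe for drives C: to F:
  * the downloaded files are ecmsetup1.exe (28,672 bytes) and kl.exe (36,864 bytes)
"startm~1" is the 8.3 short name of "Start Menu"; the long-name spelling is checked
too (assumption: the description lists only the short-name path).
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass

DROPPED_NAME = "Windows Explorer.exe"
# Published file lengths, keyed by lower-case file name.
KNOWN_SIZES = {"ecmsetup1.exe": 28672, "kl.exe": 36864, DROPPED_NAME.lower(): 36864}
STARTUP_SUBPATHS = (
    os.path.join("windows", "startm~1", "programs", "startup"),
    os.path.join("windows", "Start Menu", "Programs", "Startup"),
)
DEFAULT_DRIVES = tuple(f"{letter}:\\" for letter in "CDEF")


@dataclass
class Finding:
    path: str
    size: int
    size_matches: bool   # True when the length equals the published one for that name
    sha256: str          # kept so a hit can be matched against a hash list later


def _sha256(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _finding(path: str) -> Finding:
    size = os.path.getsize(path)
    expected = KNOWN_SIZES[os.path.basename(path).lower()]
    return Finding(path, size, size == expected, _sha256(path))


def scan_startup_folders(drive_roots=DEFAULT_DRIVES) -> list[Finding]:
    """Report 'Windows Explorer.exe' in the Startup folder of each drive root.

    On Windows the short- and long-name spellings are one directory, so hits are
    de-duplicated on the resolved path.
    """
    findings, seen = [], set()
    for root in drive_roots:
        for sub in STARTUP_SUBPATHS:
            candidate = os.path.join(root, sub, DROPPED_NAME)
            if not os.path.isfile(candidate):
                continue
            key = os.path.normcase(os.path.realpath(candidate))
            if key in seen:
                continue
            seen.add(key)
            findings.append(_finding(candidate))
    return findings


def scan_tree_for_droppers(top: str) -> list[Finding]:
    """Walk a tree for the downloaded pair ecmsetup1.exe / kl.exe by name."""
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if name.lower() in ("ecmsetup1.exe", "kl.exe"):
                findings.append(_finding(os.path.join(dirpath, name)))
    return findings


def run_demo() -> dict:
    """Plant constructed stand-ins (zero-filled, published lengths) and scan them."""
    with tempfile.TemporaryDirectory() as fake_drive:
        startup = os.path.join(fake_drive, STARTUP_SUBPATHS[0])
        os.makedirs(startup)
        with open(os.path.join(startup, DROPPED_NAME), "wb") as fh:
            fh.write(b"\0" * KNOWN_SIZES["kl.exe"])
        downloads = os.path.join(fake_drive, "downloads")
        os.makedirs(downloads)
        with open(os.path.join(downloads, "ecmsetup1.exe"), "wb") as fh:
            fh.write(b"\0" * KNOWN_SIZES["ecmsetup1.exe"])
        with open(os.path.join(downloads, "KL.EXE"), "wb") as fh:
            fh.write(b"\0" * 100)   # wrong length: still reported, flagged as a mismatch
        startup_hits = scan_startup_folders([fake_drive])
        dropper_hits = sorted(scan_tree_for_droppers(downloads), key=lambda f: f.path.lower())
    return {
        "startup_hits": len(startup_hits),
        "startup_size_ok": all(f.size_matches for f in startup_hits),
        "dropper_names": [os.path.basename(f.path) for f in dropper_hits],
        "dropper_size_ok": [f.size_matches for f in dropper_hits],
    }


if __name__ == "__main__":
    for finding in scan_startup_folders():
        print(finding)
    print(run_demo())
```

A size mismatch on a file with one of these names is not a clean bill of health (a repacked variant would differ), which is why every hit is reported with its hash; the length check only tells you whether what you found is the sample this description was written from.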

Method of Infection

The worm spreads via Microsoft Outlook.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants