W32/Klest

This page shows details and results of our analysis of the malware W32/Klest.

Overview

This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm, such as the file names used and the folders created, differ from one version to another; this is therefore a general description.


Minimum DAT: 5020 (2007-04-30)
Updated DAT: 5067 (2007-07-04)
Minimum Engine: 5400.1158
File Length:
Description Added: 2007-04-30
Description Modified: 2007-08-23

Malware Proliferation

Characteristics

When executed, this worm drops the following files:

  • %System%\aurorun.bat
  • %System%\autorun.inf
  • %System%\autorun.exe
  • %System%\autorun.vbs
  • %System%\autorun.reg

It then modifies the following registry entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "autorun" = "%System%\autorun.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    "ShowSuperHidden" = "0"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    "Hidden" = "2"

The worm also enumerates all network shares and local drives and copies itself, together with an autorun.inf file, to each of them; the autorun.inf causes the worm to execute when users navigate to the folder containing the worm file.

Note:

  • %System% is a variable location and refers to the Windows system directory.
  • The files dropped/created may have their attributes changed to hidden and read-only to make them harder to find.

Symptoms

Presence of the files and registry entries mentioned above.

Method of Infection

This worm spreads by copying itself to network shares and to removable devices, along with an Autorun.inf file.

Infection starts either with manual execution of the infected file or simply by navigating to the folder containing the infected files, where the Autorun.inf file can cause the worm to execute automatically.
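As an added example (not part of the AVERT description), a defender-side check in Python that parses a `reg export` of the two registry keys listed under Characteristics and an autorun.inf copied from a share or removable drive, and reports the Run persistence entry, the hidden-file settings and the launch targets described above. The registry export and autorun.inf below are constructed samples shaped after the description; the file names follow the page.

```python
# Indicators from the description; registry paths and value names are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ADV_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced"

def parse_reg_export(text):
    """Parse the [Key] and "Name"=value lines of a `reg export` file into a dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            if value.lower().startswith("dword:"):
                value = int(value[6:], 16)          # REG_DWORD is written as hex
            else:
                value = value.strip('"').replace("\\\\", "\\")  # .reg escapes backslashes
            keys.setdefault(current, {})[name.lower()] = value
    return keys

def check_registry(reg):
    """Flag the Run persistence entry and the Explorer hidden-file settings the worm sets."""
    findings = []
    for name, val in reg.get(RUN_KEY, {}).items():
        if str(val).lower().rsplit("\\", 1)[-1] == "autorun.exe":
            findings.append(f"Run value '{name}' launches {val}")
    adv = reg.get(ADV_KEY, {})
    if adv.get("showsuperhidden") == 0 and adv.get("hidden") == 2:
        findings.append("Explorer hides system and hidden files (ShowSuperHidden=0, Hidden=2)")
    return findings

def check_autorun_inf(text):
    """Return the targets an autorun.inf hands to Windows when the folder is opened."""
    targets, in_autorun = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute", "shell\\open\\command"):
                targets.append(val.strip())
    return targets
# Constructed samples shaped like `reg export` output and a worm-style autorun.inf.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"autorun"="C:\\WINDOWS\\system32\\autorun.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002'''
SAMPLE_INF = "[autorun]\nopen=autorun.exe\nshellexecute=autorun.exe\nicon=shell32.dll,4\n"
```

Running `check_registry(parse_reg_export(SAMPLE_REG))` and `check_autorun_inf(SAMPLE_INF)` reports the persistence entry, the tampered Explorer settings and the two launch targets; a host whose Run key only holds legitimate entries and whose Advanced key is untouched yields no findings.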

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants