This page shows details and results of our analysis on the malware W32/Klest


This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm in regards to file names, folders created etc. will differ from one version to another. Hence, this is a general description.

Minimum Engine


File Length

Description Added


Description Modified


Malware Proliferation


When executed, this worm drops the following files:

  • %System%\aurorun.bat
  • %System%\autorun.inf
  • %System%\autorun.exe
  • %System%\autorun.vbs
  • %System%\autorun.reg

It then modifies the following registry entries:

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    "autorun" = "%system%\autorun.exe"
  • Hkey_Local_Machine\Software\Microsoft\Windows\Currentversion\Explorer\Advanced
    "Showsuperhidden" = "0"
  • Hkey_Local_Machine\Software\Microsoft\Windows\Currentversion\Explorer\Advanced
    "Hidden" = "2"

The worm also enumerates all network shares and local drives and copies itself along with an autorun.inf file, which causes the worm to execute when users navigate to the folders containing the worm file.


  • %System% is a variable location and refers to the windows system directory
  • The files dropped/created may have their attributes changed to hidden and read only
    to make them harder to find


Presence of files and registry entries mentioned.

Method of Infection

This worm spreads by copying itself to network shares and to removable devices, along with an Autorun.inf file.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the Autorun.inf file could cause automatic execution of the worm.


A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.