W32/Elkern.cav

This page shows the details and results of our analysis of the malware W32/Elkern.cav.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4168 (2001-10-31)
Updated DAT: 4168 (2001-10-31)
Minimum Engine: 5400.1158
File Length: 0
Description Added: 2001-10-26
Description Modified: 2002-10-17

Malware Proliferation

Characteristics

--- Update July 12, 2002 ---
A new variant, W32/Elkern.cav.d, has appeared; it replicates only under Windows 2000. Like the other variants it uses the "split cavity" infection method and the "WQ" marker to recognise already-infected files. Note that this variant is not related to any new W32/Klez variant. It has been detected generically since October 2001.

--- Update June 11, 2002 ---
All W95/Elkern variants were renamed to W32/Elkern.

--- Update April 20, 2002 ---
A new variant was recently discovered (W32/Elkern.cav.c) which is dropped by a new W32/Klez variant, W32/Klez.h. Detection and removal of W32/Elkern.cav.c will be included in the 4198 DATs. Current DATs often detect these samples as W32/NGVCK.a or as "New Win32" with program heuristics.

--- Update January 24, 2002 ---
A new variant was recently discovered (W32/Elkern.cav.b) which is dropped by a new W32/Klez variant (some call it W32.Klez.E@mm). These new variants of W32/Klez and W32/Elkern both require at least the 4182 DATs for detection and removal.

The W32/Klez@MM worm carries the W32/Elkern.cav virus inside it and drops it when activated.

  • When a virus-infected file is run on a Win98/ME system, the virus copies that file to the \WINDOWS\SYSTEM folder under the name WQK.EXE and marks it as a hidden file, so the size and contents of WQK.EXE can vary. The virus also modifies the WQK.EXE file so that no icon is displayed, by wiping the pointer to its resources (where the icons are stored).
    Then the virus adds a Registry entry to run WQK.EXE on every reboot.

    After a reboot the virus infects random EXE files, either by expanding the last section of the host file or by writing itself into cavities without changing the host file's size at all.

  • When a virus-infected file is run on a WinNT/2000/XP system, the virus copies itself to the file WQK.DLL in the SYSTEM32 directory and creates a registry value to load it:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Windows\AppInit_DLLs=Wqk.dll

This virus is network-aware and can spread through a local network. It also contains a payload that overwrites files with zeros while keeping the original file size; critical files can be overwritten, leaving the operating system unable to load after infection.

The virus can and does infect its own carrier, the W32/Klez@MM worm, which is why files specific to both W32/Klez@MM and W32/Elkern.cav are likely to coexist on the same computer. If you suspect the W32/Elkern.cav virus on your computer you are strongly advised to read the description of W32/Klez@MM.

Symptoms

- Presence of WQK.EXE or WQK.DLL in C:\WINDOWS or C:\WINDOWS\SYSTEM with the "hidden" attribute set.
- Changes to 32-bit PE (.EXE) files
- Inability to boot to Windows
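As an added example, not part of this description, a small Python check that applies the symptoms above to a "reg export" of the AppInit_DLLs key and to a directory listing. The key path and file names come from this description; the sample registry text and file list are constructed for the example.

```python
import re

# Indicators from the description: the dropped file names and the
# AppInit_DLLs value that the NT-family variant sets.
DROPPED_FILES = {"wqk.exe", "wqk.dll"}
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample of a .reg export of the Windows key (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="Wqk.dll"
"LoadAppInit_DLLs"=dword:00000001
'''


def appinit_dlls_from_reg(reg_text):
    """Return the DLL names listed in AppInit_DLLs under the Windows key of a .reg export."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == APPINIT_KEY.lower():
            m = re.match(r'"AppInit_DLLs"="(.*)"$', line, re.IGNORECASE)
            if m:
                # AppInit_DLLs holds a space- or comma-separated list of DLLs.
                return [d for d in re.split(r"[ ,]+", m.group(1)) if d]
    return []


def suspicious_appinit(reg_text):
    """DLLs in AppInit_DLLs whose base name matches the dropped DLL from the description."""
    return [d for d in appinit_dlls_from_reg(reg_text)
            if d.lower().rsplit("\\", 1)[-1] in DROPPED_FILES]


# Constructed directory listing: (path, hidden attribute set?)
SAMPLE_LISTING = [
    (r"C:\WINDOWS\SYSTEM32\wqk.dll", True),
    (r"C:\WINDOWS\SYSTEM32\kernel32.dll", False),
    (r"C:\WINDOWS\SYSTEM\WQK.EXE", True),
]


def dropped_files_present(listing):
    """Return paths whose base name is a dropped-file name and which carry the hidden attribute."""
    hits = []
    for path, hidden in listing:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES and hidden:
            hits.append(path)
    return hits
```

On a live system the same two checks would be fed from "reg export" output and a recursive listing of the Windows and System directories with attributes.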

Method of Infection

The W32/Elkern virus may be dropped by the W32/Klez@MM worm. It infects 32-bit PE .EXE files on the local machine and on network drives.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

In some cases, however, the following steps need to be taken.

Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants

W32/Elkern.cav.b
W32/Elkern.cav.c
W32/Elkern.cav.d