W32/Klez.e@MM

This page shows the details and results of our analysis of the malware W32/Klez.e@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

about 80 KB

Description Added

2002-02-20

Description Modified

2002-08-01

Characteristics

-- Update 3/4/2002 --
Due to a slow but steady increase in prevalence over the past few weeks, AVERT has raised the risk assessment of this threat to MEDIUM.

This W32/Klez variant spoofs the email FROM: field. The sender address it uses may be any address found on the infected user's system, so the message may appear to come from one person when it was actually sent from a different user's machine. Viewing the full email headers shows the Received: chain, and therefore the host the message really came from, rather than the forged sender.

This worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer 5.01 and 5.5 without Service Pack 2 (Microsoft Security Bulletin MS01-020): an executable attachment carrying an incorrect MIME type is executed automatically when the message is opened or previewed.

This worm arrives in an email message whose subject and body are composed at random from a rather long pool of strings that the virus carries inside itself (it can also add other strings):

"Hi, Hello, Re: Fw: Undeliverable mail-- Returned mail-- game a tool a website new funny nice humour excite good powful WinXP IE 6.0 W32.Elkern W32.Klez how are you let's be friends darling don't drink too much your password honey some questions please try again welcome to my hometown the Garden of Eden introduction on ADSL meeting notice question naire congratulations sos! japanese girl VS playboy look, my beautiful girlfriend eager to see you spice girls' vocal concert japanese lass' sexy pictures Symantec Mcafee F-Secure Sophos The following mail can't be sent to The attachment The file is the original mail give you the is a dangerous virus that can infect on Win98/Me/2000/XP. spread through email. very special For more information,please visit This is I you would it. enjoy like wish hope expect Christmas New year Saint Valentine's Day Allhallowmas April Fools' Day Lady Day Assumption Candlemas All Souls'Day Epiphany Happy Have a"

In our experiments we have, for example, observed the following Subject lines (the more common ones are listed first):

Subject: Document End
Subject: Happy Lady Day
Subject: From
Subject: Eager to see you
Subject: Returned mail--"Document End "
Subject: HEIGHT
Subject: A WinXP patch
Subject: Hi,spice girls' vocal concert
Subject: Happy nice Lady Day
Subject: Have a humour Lady Day
Subject: Happy good Lady Day
Subject: ALIGN
Subject: Have a good Lady Day
Subject: Undeliverable mail--"IIS services with this Web administration tool."
(the virus can also send mail with an empty Subject and/or body)
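The two mail-side characteristics above, the forged FROM: line and the attachment whose declared MIME type does not match its executable content, can both be checked mechanically from the raw message. The following is an added example, not AVERT's code: it parses a message with Python's standard email module, walks the Received: chain back to the first hop and compares that host's domain with the FROM: domain, then flags any part declared as an inline media type whose payload is an executable (by name or by the "MZ" signature). SAMPLE_RAW is a constructed Klez-style message; every host, address and subject in it is invented, and INLINE_MEDIA_TYPES is an assumed list of the media types an unpatched IE would hand to a player inline.

```python
"""Triage of a Klez-style message: a spoofed From: line and an attachment whose
declared MIME type does not match its executable content (the MS01-020 shape).

Added example, not AVERT's code. SAMPLE_RAW is a constructed message; the hosts,
addresses and subject in it are invented. INLINE_MEDIA_TYPES is an assumed list
of types the unpatched IE would hand to a player inline.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INLINE_MEDIA_TYPES = {"audio/x-wav", "audio/x-midi", "audio/wav", "audio/basic"}
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com")
RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)

# Constructed sample. From: claims victim@example.org, but the earliest
# Received: hop was recorded by mail.example.org as a dial-up host in another
# domain, and the "audio/x-wav" part carries a PE image (base64 of "MZ...").
SAMPLE_RAW = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\r\n"
    "\tby mx.example.net with ESMTP id 123; Tue, 5 Mar 2002 10:00:00 +0000\r\n"
    "Received: from Hvgsdl (dialup-203-0-113-7.example.com [203.0.113.7])\r\n"
    "\tby mail.example.org with SMTP id 456; Tue, 5 Mar 2002 09:59:00 +0000\r\n"
    "From: victim@example.org\r\n"
    "To: you@example.net\r\n"
    "Subject: Happy Lady Day\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "\r\n"
    "<html><body>Have a good Lady Day</body></html>\r\n"
    "--XYZ\r\n"
    'Content-Type: audio/x-wav; name="WINKIDT.EXE"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <xyz>\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "--XYZ--\r\n"
)

def origin_host(msg):
    """Host the message really came from, per the earliest Received: hop.

    Each MTA prepends its own Received: line, so the last one in header order
    is the first hop. The name after "from" is what the sender claimed in HELO;
    the parenthesised part is what the receiving MTA observed, so prefer it.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_FROM.match(str(received[-1]).strip())
    if not match:
        return None
    helo, observed = match.group(1), match.group(2)
    return observed.split()[0] if observed else helo

def from_domain(msg):
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

def registrable(host):
    # Last two labels only: adequate for the sample; use a public-suffix list
    # for real traffic (assumption).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def from_is_spoofed(msg):
    """Heuristic: the From: domain does not match where the first hop sits.
    Legitimate mail sent through a webmail or ISP relay trips this too, so
    treat a hit as a prompt to read the headers, not as proof."""
    origin = origin_host(msg)
    return bool(origin) and registrable(origin) != registrable(from_domain(msg))

def suspicious_parts(msg):
    """Leaf parts declared as inline media but carrying an executable, by name
    or by the "MZ" signature: the mismatch MS01-020 let IE auto-execute."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        is_pe = payload[:2] == b"MZ"
        if part.get_content_type() in INLINE_MEDIA_TYPES and (
                is_pe or name.endswith(EXECUTABLE_EXTENSIONS)):
            hits.append((part.get_content_type(), name or "<unnamed>", is_pe))
    return hits

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"from_domain": from_domain(msg),
            "origin_host": origin_host(msg),
            "from_spoofed": from_is_spoofed(msg),
            "suspicious_parts": suspicious_parts(msg)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The Received: check is only as trustworthy as the MTAs that wrote the lines: a sender can forge Received: headers of its own, but it cannot alter the one your own mail server prepends, so read the chain from your side inward. The MIME check is the one worth keeping after patching, since a type/content mismatch on an attachment is suspicious regardless of which client reads it.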

This virus can also unload several antivirus programs from memory.

Symptoms

1) The worm interferes with running programs and frequently displays a fake error message about an executable file. The file name displayed is random but always has an .EXE extension.

2) Unfamiliar WINKxxx.EXE files in the \WINDOWS\SYSTEM folder (for example, WINKIDT.EXE or WINKKR.EXE).

3) A reference to a WINKxxx.EXE file ("xxx" being random characters) in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.

4) Executable files have "companions" of about the same size with a random extension (for example, alongside MSOFFICE.EXE you may find MSOFFICE.HRH, a hidden system file). In addition, while an infected program is running there is temporarily a third file with "~1" in the name (for example, NETSCAPE.EXE is accompanied not only by NETSCAPE.PXB but also by NETSCA~1.EXE, of exactly the same size as NETSCAPE.EXE). This third file is the reconstructed clean host, and the worm deletes it once you quit the program.

5) This worm also causes serious system performance degradation and some programs stop running.

Method of Infection

When the email is opened, the worm activates immediately using the vulnerability mentioned above (previewing the message may be enough if your system is not patched). The worm copies itself as WINKxxx.EXE (where xxx are random characters) into the WINDOWS\SYSTEM folder (the path differs if your installation is not a default one), and this file is set to run every time the system starts.

W32/Klez.e@MM is based on W32/Klez.gen@MM, but unlike its predecessors this variant can itself infect files (in addition to dropping the W95/Elkern.cav.b virus). The worm overwrites host executables with its own code and pads them with zeros to the original, uninfected size. The original contents of each host are saved in a file with the same name and a random extension. These files are marked "Hidden" and "System" (to see them, change "View/Folder Options" in Windows Explorer and select "Show all files").

Running an infected file causes the worm to reconstruct the uninfected host from the saved data. Such reconstructed files carry the host's name in 8.3 form with "~1" (for example, infected MSOFFICE.EXE is accompanied by an uninfected MSOFFI~1.EXE). The worm deletes them as soon as the program stops running, so they exist only temporarily.
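The symptoms listed above and the infection mechanism just described give a host-side triage checklist: WINKxxx.EXE in the system folder, a Run or RunOnce value launching it, and, beside each overwritten host, a same-name companion with a random extension that holds the original program while the host itself is worm code padded with zeros. The following is an added example, not AVERT's removal tool: it implements those checks in Python against any directory you point it at, and measures the zero tail of each host as a hint that its real contents now live in the companion. The sample tree built by build_sample() and the SAMPLE_RUN_VALUES snapshot are constructed for illustration; NORMAL_EXTENSIONS and the size tolerance are assumptions, and the hidden+system attribute test only yields a result on Windows.

```python
"""Host-side triage for the Klez.e artifacts described above: WINKxxx.EXE in
the system folder, Run/RunOnce values that launch it, and the hidden companion
file that sits beside each overwritten host.

Added example, not AVERT's removal tool. The tree built by build_sample() and
SAMPLE_RUN_VALUES are constructed; NORMAL_EXTENSIONS and the size tolerance
are assumptions. On Windows, pass suspicious_run_values() the values you
enumerate with winreg from the two keys named above.
"""
import ntpath
import os
import re
import tempfile
from pathlib import Path

WINK_NAME = re.compile(r"^wink[a-z0-9]+\.exe$", re.IGNORECASE)
# Extensions a same-stem sibling may legitimately carry (assumed list).
NORMAL_EXTENSIONS = {".exe", ".dll", ".ini", ".txt", ".log", ".bak", ".dat",
                     ".hlp", ".cfg", ".lnk", ".ocx", ".sys", ".drv"}
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4
SAMPLE_RUN_VALUES = {  # constructed Run-key snapshot, value name -> command
    "Wink": r"C:\WINDOWS\SYSTEM\WINKIDT.EXE",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "Updater": r'"C:\Program Files\Vendor\update.exe" /quiet',
}

def wink_droppers(system_dir):
    """WINKxxx.EXE files in the given (System) folder."""
    return sorted(p for p in Path(system_dir).iterdir()
                  if p.is_file() and WINK_NAME.match(p.name))

def is_hidden_system(path):
    """True if Hidden and System are both set; None where unavailable (non-Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN and attrs & FILE_ATTRIBUTE_SYSTEM)

def zero_tail_ratio(path):
    """Fraction of the file that is trailing zero bytes. An overwritten host is
    worm body plus zero padding to the original size, so a large zero tail
    says the real program now lives in the companion, not here."""
    data = Path(path).read_bytes()
    return (len(data) - len(data.rstrip(b"\0"))) / len(data) if data else 0.0

def companion_pairs(directory, size_tolerance=0.10):
    """EXEs with a same-stem sibling of unusual extension and about the same
    size (the MSOFFICE.EXE / MSOFFICE.HRH pattern), with the host's zero tail
    and whether the companion is hidden+system."""
    by_stem = {}
    for p in Path(directory).iterdir():
        if p.is_file():
            by_stem.setdefault(p.stem.lower(), []).append(p)
    pairs = []
    for files in by_stem.values():
        for exe in (f for f in files if f.suffix.lower() == ".exe"):
            size = exe.stat().st_size
            for other in (f for f in files if f.suffix.lower() not in NORMAL_EXTENSIONS):
                if abs(other.stat().st_size - size) <= size_tolerance * size:
                    pairs.append({"host": exe.name, "companion": other.name,
                                  "zero_tail": round(zero_tail_ratio(exe), 2),
                                  "companion_hidden_system": is_hidden_system(other)})
    return pairs

def command_image(cmd):
    """First token of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def suspicious_run_values(values):
    """Run/RunOnce entries that launch a WINKxxx.EXE. ntpath is used so that
    Windows-style paths parse correctly even when this runs elsewhere."""
    return {name: cmd for name, cmd in values.items()
            if WINK_NAME.match(ntpath.basename(command_image(cmd)))}

def build_sample(root):
    """Constructed tree: a clean EXE, an overwritten host padded with zeros,
    its companion holding the original bytes, and a WINK dropper."""
    root = Path(root)
    original = b"MZ" + bytes(range(256)) * 40   # stands in for the real program
    worm = b"MZ" + b"KLEZ" * 1000               # stands in for the worm body
    (root / "MSOFFICE.EXE").write_bytes(worm + b"\0" * (len(original) - len(worm)))
    (root / "MSOFFICE.HRH").write_bytes(original)
    (root / "CLEAN.EXE").write_bytes(original)
    (root / "WINKIDT.EXE").write_bytes(worm)
    return root

def demo():
    """Run every check over the constructed sample tree."""
    root = build_sample(tempfile.mkdtemp(prefix="klez_demo_"))
    return {"droppers": [p.name for p in wink_droppers(root)],
            "pairs": companion_pairs(root),
            "run_hits": suspicious_run_values(SAMPLE_RUN_VALUES)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real system folder with wink_droppers(r"C:\WINDOWS\SYSTEM") and against any program directory with companion_pairs(); the zero-tail figure is a heuristic, not a signature, and a companion that is also hidden+system is the stronger indicator. Do not delete the companion files: they are the only copy of the original programs, and the cleaner needs them to restore the hosts.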

W32/Klez.e@MM sends itself out over SMTP, harvesting email addresses from the Windows Address Book.

The virus may save a copy of itself into .RAR archives.

There is a date-activated payload associated with this threat. On the 6th day of March, May, September, or November, the virus may overwrite with zeros local and network files with the following extensions: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3.

If the month is January or July, all files may be overwritten. This behavior was not observed in a lab environment.

Removal

Use current engine and DAT files for detection.

Once a system is infected, VirusScan may not be able to run, as the virus can terminate the process before any scanning or removal is accomplished.

This can make removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

Alternatively, the following steps circumvent the virus and allow VirusScan to scan and clean properly, using the command-line scanner.
  1. Ensure that you are using the minimum DAT specified or higher.
  2. Close all running applications
  3. Disconnect the system from the network
  4. Go to a command prompt, then change to the VirusScan engine directory:
    • Win9x/ME - Click START | RUN, type command and hit ENTER.
      Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
    • WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
      Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
  5. Rename SCAN.EXE to CLEAN.EXE so that the virus, which recognises the scanner by its process name, cannot terminate it or delete its files. Type ren scan.exe clean.exe and hit ENTER
  6. First, scan the system directory
    • Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
    • WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
  7. Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
  8. Rename the scanner back. Type ren clean.exe scan.exe and hit ENTER
  9. After scanning and removal is complete, reboot the system

Apply the Internet Explorer patch (MS01-020) if necessary.

Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.

Additional Windows ME/XP removal considerations

Variants