What is Klez Worm and How Did I Get It?
Klez was the most widespread virus in 2002, and continued its dominance of the virus world for 2 years. It's a mass-mailing worm that exploits a vulnerability which causes an executable attachment to run even in Microsoft Outlook's preview pane, without the user opening it. More information about this vulnerability is available in the Microsoft Security Bulletin, and a security update is available from Microsoft's Security Update.
Klez employs a number of random actions that make it hard for many computer users to identify the virus when it arrives in their inboxes. The virus arrives in e-mails with varying subject lines, or sometimes appears to be a bounced e-mail or a tool that can purge Klez from an infected system. It spoofs the From line in the email, deceiving the recipient as to who sent them the virus.
Recipients of the virus-laden e-mails, not understanding
that the "From" information is virtually always phony -- or even that
they have received a virus -- have been clogging networks with angry
and confused e-mails that are causing a great deal of cyber-havoc.
People being signed up for newsletters and mailing lists that they never subscribed to has been a major source of frustration for both users and the list owners. If Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.
It obtains the email addresses that it places in the FROM: field from the infected user's address book. This causes a non-infected user to appear as the person who sent this worm's malicious email, which hides the real sender of the infected email. The actual email address of the sender is found in the Envelope From field (the SMTP MAIL FROM address, which receiving mail servers usually record in the Return-Path header).
The subject of the email it sends is composed in a
complex manner.
- The subject may contain any of the following
substrings:
- how are you
- let's be friends
- darling
- so cool a flash,enjoy it
- Your password
- honey
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- questionnaire
- congratulations
- sos!
- japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls' vocal concert
- japanese lass' sexy pictures
- Undelivarable mail-“%s”
- Returned mail-“%s”
%s is a random string.
- The subject may also be any of the following:
- a %s %s game
- a %s %s tool
- a %s %s Web site
- a %s %s patch
- %s removal tools
%s can be any of the following:
- new
- funny
- nice
- humour
- excite
- powful
- WinXP
- IE 6.0
- W32.Elkern
- W32.Klez.E
- Symantec
- Mcafee
- F-Secure
- Sophos
- Trendmicro
- Kaspersky
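A defender-side matcher for the subject grammar described above, added here as an example and not taken from the original page: it encodes the fixed substrings and the %s templates listed above and is meant for mail-log triage. Everyday phrases such as "how are you" will also match legitimate mail, so treat a hit as a reason to inspect the message, not as a block rule.

```python
import re

# Fixed substrings from the Klez subject list above (matched case-insensitively).
FIXED_SUBJECTS = [
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "Your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl VS playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
]
# Words the worm substitutes for %s in its templated subjects.
FILL_WORDS = [
    "new", "funny", "nice", "humour", "excite", "powful", "WinXP", "IE 6.0",
    "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee", "F-Secure", "Sophos",
    "Trendmicro", "Kaspersky",
]
TEMPLATES = ["a %s %s game", "a %s %s tool", "a %s %s Web site",
             "a %s %s patch", "%s removal tools"]
# Bounce-style subjects: %s is a random string, so any text is accepted there.
BOUNCE_TEMPLATES = ["Undelivarable mail-\u201c%s\u201d", "Returned mail-\u201c%s\u201d"]


def build_pattern() -> re.Pattern:
    """Compile one regex: fixed phrases match anywhere, templates match the whole subject."""
    word = "(?:" + "|".join(re.escape(w) for w in FILL_WORDS) + ")"
    branches = [re.escape(s) for s in FIXED_SUBJECTS]
    for t in TEMPLATES:
        # Escape the literal pieces and splice the fill-word alternation where %s was.
        branches.append("(?:^" + word.join(re.escape(p) for p in t.split("%s")) + "$)")
    for t in BOUNCE_TEMPLATES:
        branches.append("(?:^" + ".+".join(re.escape(p) for p in t.split("%s")) + "$)")
    return re.compile("|".join(branches), re.IGNORECASE)


KLEZ_SUBJECT = build_pattern()


def looks_like_klez_subject(subject: str) -> bool:
    """True if the subject line fits one of the Klez subject forms listed above."""
    return KLEZ_SUBJECT.search(subject.strip()) is not None
```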
It gathers email addresses from the entries of the default Windows Address Book (WAB). The path and filename of these are identified in the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "<file and pathname of the WAB file>"
The worm also gathers a list of addresses from files with the following extensions that are stored on the infected user's computer:
- EXE
- SCR
- PIF
- BAT
- TXT
- HTM
- HTML
- WAB
- DOC
- RTF
- XLS
- JPG
- CPP
- C
- PAS
- MPG
- MPEG
- BAK
- MP3
- PDF
This worm also infects EXE files. To infect, it encrypts (compresses) the target file and then renames it with a random file extension. It also modifies the attributes of the file and sets these to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file. This worm makes sure that its file size is the same as that of the infected file; to do this, it pads garbage at the end of the infected file.
Similar to WORM_KLEZ.A, this new worm has several
threads that accomplish its propagation and payload mechanisms. Its
main features are as follows.
- Dropping of PE_ELKERN.D
The worm drops a randomly named file in the ProgramFilesDir (usually
C:\Program Files). Approximately 10KB in size, this program can infect
files in network shared folders and disable system file protection. It
can also infect EXPLORER.EXE in memory. This program is detected as
PE_ELKERN.D. Oftentimes, it deletes itself after running.
- Network Infection
This worm is capable of spreading via shared drives/folders with read/write access. To accomplish this, it enumerates all the shared resources of the network. For shared folders with read/write access, it copies itself to files with randomly generated filenames. The dropped files have the following extensions:
- EXE
- PIF
- COM
- BAT
- SCR
- RAR
Occasionally, this worm copies itself under a random filename with a double extension. The first extension can be any of the following:
- EXE
- SCR
- PIF
- BAT
- TXT
- HTM
- HTML
- WAB
- DOC
- RTF
- XLS
- JPG
- CPP
- C
- PAS
- MPG
- MPEG
- BAK
- MP3
- PDF
The second extension can be any of the extension
names first listed.
It then constructs the HTML mail, which contains the base64-encoded worm copy. It randomly generates the filename of the attachment.
It obtains its SMTP server from the registry as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\, SMTP Server
It then sends commands to the SMTP server to create and send an email. The actual subject and body of the email may be randomly composed.
It does not require the email recipient to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME Type.
The infected email contains the executable attachment registered with a content-type of audio/x-wav or sometimes audio/x-midi, so that when recipients view the infected email, the default application associated with audio files is opened (usually Windows Media Player); because of the vulnerability, the attached executable is run instead. The embedded EXE file cannot be viewed in Microsoft Outlook.
More information about this vulnerability is available in Microsoft's Security Bulletin.
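The two mail-level indicators described on this page, the spoofed From header versus the envelope sender and an executable hidden behind an audio content-type, checked on a raw message, as an added example not taken from the original page. The sample message is constructed for the example; its "attachment" is a 12-byte MZ header stub, not a program.

```python
import email
from email import policy

# Constructed sample in the shape the page describes: the From header names an
# address-book contact, the MTA-recorded Return-Path carries the real envelope
# sender, and a base64 part labelled audio/x-wav decodes to an "MZ" executable
# header (a 12-byte stub here, not a real program).
SAMPLE_RAW = b"""Return-Path: <real.sender@example.net>
From: "Colleague" <victim.contact@example.org>
To: you@example.com
Subject: a nice WinXP tool
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset=us-ascii

<html><body></body></html>
--BOUNDARY
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

AUDIO_TYPES = ("audio/x-wav", "audio/x-midi")
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com")


def klez_indicators(raw: bytes) -> list[str]:
    """Return a list of findings for one raw message; empty means nothing Klez-like."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Spoofed sender: compare the displayed From address with the envelope
    #    sender that the receiving mail server recorded as Return-Path.
    header_from = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    envelope = str(msg.get("Return-Path", "")).strip().strip("<>").lower()
    if envelope and header_from and envelope != header_from:
        findings.append(f"From header {header_from} differs from envelope sender {envelope}")
    # 2. Executable behind an audio content-type: either the declared name has
    #    an executable extension or the decoded bytes start with the MZ header.
    for part in msg.walk():
        if part.get_content_type() not in AUDIO_TYPES:
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_SUFFIXES) or payload.startswith(b"MZ"):
            findings.append(f"executable disguised as {part.get_content_type()}: {name or '<unnamed>'}")
    return findings
```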
- Antivirus Retaliation Procedure
The worm terminates the running processes, and occasionally deletes the executable files, of programs whose names match the following antivirus products:
- _AVP32
- _AVPCC
- NOD32
- NPSSVC
- NRESQ32
- NSCHED32
- NSCHEDNT
- NSPLUGIN
- NAV
- NAVAPSVC
- NAVAPW32
- NAVLU32
- NAVRUNR
- NAVW32
- _AVPM
- ALERTSVC
- AMON
- AVP32
- AVPCC
- AVPM
- N32SCANW
- NAVWNT
- ANTIVIR
- AVPUPD
- AVGCTRL
- AVWIN95
- SCAN32
- VSHWIN32
- F-STOPW
- F-PROT95
- ACKWIN32
- VETTRAY
- VET95
- SWEEP95
- PCCWIN98
- IOMON98
- AVPTC
- AVE32
- AVCONSOL
- FP-WIN
- DVP95
- F-AGNT95
- CLAW95
- NVC95
- *SCAN* (any character can be in place of *)
- *VIRUS* (* is any character)
- LOCKDOWN2000
- Norton
- Mcafee
- Antivir
- TASKMGR
The worm also scans for the above strings, and deletes them if found as values in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Finally, the worm searches for and then deletes the following files:
- ANTI-VIR.DAT
- CHKLIST.DAT
- CHKLIST.MS
- CHKLIST.CPS
- CHKLIST.TAV
- IVB.NTZ
- SMARTCHK.MS
- SMARTCHK.CPS
- AVGQT.DAT
- AGUARD.DAT
How to Clean/Delete the Klez Worm?
The Klez worm should be cleaned from your system by using the virus removal tool offered by Symantec. Click below to read about and download the Klez virus removal tool.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
Because the Klez virus often disables or corrupts antivirus software running on the infected computer, you should reinstall your antivirus software after cleaning the Klez virus from your system.