Threat behavior
When a copy of the Win32/Klez.E@mm worm is executed, it does the following:
- Adds the value Wink<random characters>, with data <system>\<name of worm file>, to the following registry keys so that the worm is started again at every boot (the second key registers it alongside system services on Windows NT-based systems):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- Deletes the following anti-virus integrity-check (checksum database) files, so that the changes it makes to executables are not flagged by those products:
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT
- Removes registry values belonging to the earlier Sircam, Nimda and CodeRed worms from the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths
- Terminates running processes whose names contain any of the following strings (anti-virus and security products, plus Task Manager), so that the worm is neither detected nor cleaned while it is running:
_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
_AVPM
ALERTSVC
AVP32
AVPCC
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
VIRUS
LOCKDOWN2000
Norton
Mcafee
Antivir
TASKMGR
- Uses the following file extensions: the first four for the copies of itself it writes to network shares and attaches to e-mail, the remainder for the legitimate data files it picks up from the system and attaches alongside them (see the e-mail description below):
.exe
.scr
.pif
.bat
.txt
.htm
.html
.wab
.doc
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
- Sends e-mail with the following characteristics:
Subject: built from one of several templates containing %s, where %s can be any one of the following (the misspelling "powful" is the worm's own):
- funny
- humour
- excite
- powful
- WinXP
- IE 6.0
- W32.Elkern
- W32.Klez.E
The return email address is spoofed with one of the following:
The body of the e-mail is composed at random from strings in the worm's code. One common body masquerades as a cleaning tool (the text below is the worm's own, errors included):
- Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.
- Attaches a randomly named copy of itself to the outgoing e-mail. The worm may also attach a random, legitimate file found on the system that has one of the following extensions:
.txt
.htm
.html
.wab
.doc
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
- Exploits the vulnerability described in Microsoft Security Bulletin MS01-020: an attachment is declared with an incorrect MIME Content-Type (an audio type rather than an executable one), which the Internet Explorer 5.01/5.5 rendering engine used by Outlook and Outlook Express executes automatically. On systems that have not been patched for this vulnerability, the worm attachment runs as soon as the user previews or reads the e-mail; no double-click is needed.
- Enumerates network shares every 8 hours and copies itself to writeable folders, either as a plain copy or packed inside a RAR archive, using random file names with a .exe, .scr, .pif or .bat extension.
- Drops the Win32/Elkern.B virus to <system>\Wqk.dll and launches it.
- Infects EXE files by saving the original under its own file name with a random extension and then overwriting the original with a copy of itself; the saved copy is what a clean-up must put back. Win32/Klez.E@mm avoids infecting files whose names contain the following:
EXPLORER
CMMGR
msimn
icwconn
winzip
- Carries a destructive payload that overwrites, and so destroys the contents of, data files with the following extensions (this is the "corrupting your files" the worm's own e-mail text alludes to; only backups recover them):
.txt
.htm
.html
.wab
.doc
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
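The registry persistence described at the top of this section, checked offline against a Registry Editor export (reg export / .reg file) of the two keys the worm writes to. This is an added example, not code from the original page or from Microsoft; the value name Winkwidhc, the paths and the whole export text are constructed instances of the Wink<random characters> pattern, and the check assumes the worm file sits in the System or System32 folder as the description's <system>\<name of worm file> data implies.

```python
import re

# Constructed sample of a .reg export (Windows Registry Editor format, where
# backslashes in string data are doubled). "Winkwidhc" is an invented instance
# of the worm's Wink<random characters> value name; "Winkey" is an unrelated
# legitimate-looking entry placed under HKCU to show the key filter at work.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winkwidhc"="C:\\WINNT\\System32\\Winkwidhc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
"Winkwidhc"="C:\\WINNT\\System32\\Winkwidhc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Winkey"="C:\\Program Files\\Winkey\\winkey.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with backslash-escaped quotes and backslashes inside either part
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


# The two keys named in the description, compared case-insensitively.
PERSISTENCE_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\system\currentcontrolset\services",
)
NAME_RE = re.compile(r"^wink\w+$", re.I)                 # Wink<random characters>
DATA_RE = re.compile(r"\\system(?:32)?\\wink\w*\.exe$", re.I)  # <system>\<worm file>


def find_klez_autostart(reg_text):
    """Return (key, value_name, data) for values matching the worm's persistence pattern."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in PERSISTENCE_KEYS:
            continue
        for name, data in values.items():
            if NAME_RE.match(name) and DATA_RE.search(data):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_klez_autostart(SAMPLE_REG):
        print("suspect autostart: [%s] %s = %s" % (key, name, data))
```

On a live machine the same check can be run against the output of `reg export` for each key; on an image, against the exported hive. The name filter alone would also match legitimate software whose name happens to begin with "Wink", which is why the data path and the specific keys are checked too.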
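The MS01-020 delivery described in the e-mail item above, as a mail-gateway check. This is an added example, not code from the original page or from Microsoft: the message below is constructed (subject built from one of the page's %s words, a zero-size IFRAME pointing at an attachment declared as audio/x-wav whose content is an inert fake PE header named setup.exe), and the three tests it applies are this example's own heuristics, not a reproduction of the worm's exact MIME layout.

```python
import base64
import email
import re
from email import policy

# Constructed, inert stand-in for an executable: a DOS "MZ" stub and a "PE" marker,
# not runnable code. Used only so the content check has something to recognise.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20

# Constructed message in the shape MS01-020 is abused: the HTML body references an
# attachment by cid: from an IFRAME, and that attachment is mislabelled as audio.
SAMPLE_MAIL = (
    b"From: someone@example.com\r\n"
    b"To: victim@example.com\r\n"
    b"Subject: A funny game\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"BND\"\r\n"
    b"\r\n"
    b"--BND\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html><body><iframe src=\"cid:attach1\" width=0 height=0></iframe></body></html>\r\n"
    b"--BND\r\n"
    b"Content-Type: audio/x-wav; name=\"setup.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-ID: <attach1>\r\n"
    b"\r\n"
    + base64.encodebytes(FAKE_PE) +
    b"--BND--\r\n"
)

EXEC_EXT = re.compile(r"\.(exe|scr|pif|bat)$", re.I)      # the worm's own extensions
PASSIVE_TYPES = ("audio/", "image/", "video/", "text/")  # types IE treated as safe
IFRAME_CID = re.compile(r"<iframe[^>]+src=[\"']?cid:([^\"'\s>]+)", re.I)


def find_mime_mismatches(raw_message):
    """Flag MIME parts whose declared type, file name, content and HTML usage disagree."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    parts = [p for p in msg.walk() if not p.is_multipart()]

    # Pass 1: which Content-IDs does the HTML body load without user action?
    auto_loaded = set()
    for part in parts:
        if part.get_content_type() == "text/html":
            auto_loaded.update(IFRAME_CID.findall(part.get_content()))

    # Pass 2: examine every non-HTML leaf part.
    findings = []
    for part in parts:
        ctype = part.get_content_type()
        if ctype == "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename() or ""
        cid = str(part.get("Content-ID", "")).strip("<>")
        reasons = []
        if EXEC_EXT.search(filename) and ctype.startswith(PASSIVE_TYPES):
            reasons.append("executable file name declared as %s" % ctype)
        if payload.startswith(b"MZ") and not ctype.startswith("application/"):
            reasons.append("PE (MZ) content declared as %s" % ctype)
        if cid and cid in auto_loaded:
            reasons.append("auto-loaded by an IFRAME cid: reference")
        if reasons:
            findings.append({"filename": filename, "content_type": ctype, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_mime_mismatches(SAMPLE_MAIL):
        print(f["filename"], f["content_type"], "; ".join(f["reasons"]))
```

Clients patched against MS01-020 (or using the Internet Explorer 6 engine, which is not affected) no longer run such a part on preview, but the message still carries an executable attachment a user can open by hand, so a gateway should quarantine on the first two findings alone and treat the IFRAME reference as an aggravating sign rather than a prerequisite.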
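The EXE infection described in the last item (original saved under its own name with a random extension, then overwritten by the worm) is what a clean-up has to reverse, and the description gives enough to do it: an identical worm body appears under many program names, and each has a sibling file with the same base name, a foreign extension and an MZ header. The script below rebuilds that on-disk situation in a temporary directory with constructed, inert stand-ins (WORM_BODY is not the worm; the .qxz and .rtk extensions stand in for the random ones), finds the overwritten programs by grouping .exe files by hash, and restores each from its companion. This is an added example, not code from the original page or from Microsoft, and the hash-grouping heuristic (two or more byte-identical .exe files under different names) is this example's own; with a known worm hash you would match on that directly.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Constructed data: an inert stand-in for the worm body and two "original" programs,
# each with the random-looking extension the worm gave its saved copy.
WORM_BODY = b"MZ" + b"\x90" * 40 + b"WORM-STANDIN"
ORIGINALS = {
    "calc":    (".qxz", b"MZ" + b"\x01" * 30 + b"CALC-ORIGINAL"),
    "notepad": (".rtk", b"MZ" + b"\x02" * 50 + b"NOTEPAD-ORIGINAL"),
}


def build_sample_tree(root):
    """Recreate the infection's result: saved original beside an .exe that is now the worm."""
    for stem, (ext, body) in ORIGINALS.items():
        with open(os.path.join(root, stem + ext), "wb") as f:
            f.write(body)
        with open(os.path.join(root, stem + ".exe"), "wb") as f:
            f.write(WORM_BODY)
    with open(os.path.join(root, "clean.exe"), "wb") as f:  # untouched program
        f.write(b"MZ" + b"\x03" * 20 + b"CLEAN")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read())
    return h.hexdigest()


def find_companion(exe):
    """Sibling with the same base name, a non-.exe extension and an MZ header, or None."""
    directory, name = os.path.split(exe)
    stem = os.path.splitext(name)[0].lower()
    for cand in sorted(os.listdir(directory)):
        cstem, cext = os.path.splitext(cand)
        path = os.path.join(directory, cand)
        if cstem.lower() == stem and cext.lower() != ".exe" and os.path.isfile(path):
            with open(path, "rb") as f:
                if f.read(2) == b"MZ":
                    return path
    return None


def find_infected(root, min_copies=2):
    """[(exe_path, companion_or_None)] for .exe files sharing one body with >= min_copies names."""
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".exe"):
                p = os.path.join(dirpath, n)
                by_hash[sha256_file(p)].append(p)
    results = []
    for paths in by_hash.values():
        if len(paths) >= min_copies:
            for exe in sorted(paths):
                results.append((exe, find_companion(exe)))
    return results


def restore(exe, companion, quarantine_dir):
    """Move the worm copy to quarantine and put the saved original back under its name."""
    os.makedirs(quarantine_dir, exist_ok=True)
    shutil.move(exe, os.path.join(quarantine_dir, os.path.basename(exe) + ".quarantined"))
    shutil.move(companion, exe)


def demo():
    root = tempfile.mkdtemp(prefix="klez-demo-")
    build_sample_tree(root)
    infected = find_infected(root)
    recovered = {}
    for exe, companion in infected:
        if companion is not None:
            restore(exe, companion, os.path.join(root, "quarantine"))
            with open(exe, "rb") as f:
                recovered[os.path.basename(exe)] = f.read()
    return {
        "infected": sorted(os.path.basename(e) for e, _ in infected),
        "companions_found": sum(1 for _, c in infected if c is not None),
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

Run the detection pass with the worm's processes already stopped; otherwise the Run and Services values described at the top of this section restart it and reinfect the restored programs. Programs the worm could not pair with a companion (companion None) need reinstalling rather than restoring.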
Prevention