Other versions: .e, .h
Email-Worm.Win32.Klez.a (Kaspersky Lab)
is also known as:
I-Worm.Klez.a (Kaspersky Lab),
W32/Klez.gen@MM (McAfee), W32.Klez.A@mm (Symantec), Win32.HLLM.Klez.57344 (Doctor Web), W32/Klez-A (Sophos), Win32/Klez.A@mm (RAV), WORM_KLEZ.A (Trend Micro), W32/Klez.A (H+BEDV), W32/Klez.A@mm (FRISK), Win32:Klez (ALWIL), I-Worm/Klez.A (Grisoft), Win32.Klez.A@mm (SOFTWIN), Worm.Klez.E (ClamAV), W32/Klez (Panda), Win32/Klez.A (Eset)
This is a worm-virus that spreads via the Internet as an attachment to infected e-mails.
The worm itself is a Windows PE EXE file about 57-65Kb in length (depending on its
version), written in Microsoft Visual C++.
Infected messages have variable subjects and attachment names (see below).
The worm uses an Internet Explorer security breach (the IFRAME vulnerability) to start
automatically when an infected message is viewed.
In addition to spreading over the local network and in e-mail messages, the worm
also creates a Windows EXE file with a random name starting with "K" (e.g.,
KB180.exe) in a temporary folder, writes the "Win32.Klez" virus into it, and
launches the virus. The virus infects the majority of Win32 PE EXE files on all
available computer disks.
Start-up
When an infected file is started, the worm copies itself to the Windows system
folder under the name krn132.exe. It then writes the following registry key so
that it is started automatically with Windows:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Krn132" = "%System%\Krn132.exe"
where %System% is the name of the Windows system folder.
Then the virus searches for active applications (anti-virus programs, see the list
below) and terminates them using the Windows "TerminateProcess" function:
_AVP32
_AVPCC
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
SCAN
SMSS
Replication: e-mail
The worm uses the SMTP protocol to send e-mail messages. It finds e-mail
addresses in the Windows Address Book (WAB) database and sends infected messages
to these addresses.
The subject of the infected message is selected at random from the following
list:
Hello
How are you?
Can you help me?
We want peace
Where will you go?
Congratulations!!!
Don't cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger
The message body is the following:
I'm sorry to do so,but it's helpless to say sory.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?
Attached file: a Win32 PE EXE file with a random name, which has either an ".exe"
extension or a double extension:
name.ext.exe
The worm selects the filename (name.ext) using an unusual routine. It scans
all available drives and collects the files there that have the following extensions:
.txt .htm .doc .jpg .bmp .xls .cpp .html .mpg .mpeg
It uses one of the found filenames (name.ext) as the base name of the attachment,
then appends a second extension, ".exe". For example, "Ylhq.htm.exe",
"If.xls.exe", etc.
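Mail-gateway detection logic for the two traits just described (the fixed subject list and the name.ext.exe double-extension attachment), as an added example that is not part of the original description; the sample message is constructed here, not a real capture, and the address and subject set are taken from the lists above.

```python
import re
from email import message_from_string

# Extensions the worm harvests from the victim's drives to build the attachment
# base name (name.ext) before appending ".exe" (list from the description).
HARVESTED_EXTS = ("txt", "htm", "doc", "jpg", "bmp", "xls", "cpp", "html", "mpg", "mpeg")
DOUBLE_EXT_RE = re.compile(
    r"^[^.\\/]+\.(?:%s)\.exe$" % "|".join(HARVESTED_EXTS), re.IGNORECASE)

# Subjects the worm picks from at random (list from the description).
KLEZ_SUBJECTS = frozenset(s.lower() for s in (
    "Hello", "How are you?", "Can you help me?", "We want peace",
    "Where will you go?", "Congratulations!!!", "Don't cry",
    "Look at the pretty", "Some advice on your shortcoming",
    "Free XXX Pictures", "A free hot porn site", "Why don't you reply to me?",
    "How about have dinner with me together?", "Never kiss a stranger"))

def is_klez_attachment_name(name):
    """True for the worm's double-extension pattern, e.g. 'Ylhq.htm.exe'."""
    return bool(DOUBLE_EXT_RE.match(name))

def scan_message(raw):
    """Return the Klez.a indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in KLEZ_SUBJECTS:
        reasons.append("subject from Klez.a list: %r" % subject)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and is_klez_attachment_name(filename):
            reasons.append("double-extension EXE attachment: %r" % filename)
    return reasons

# Constructed sample message (not a real capture) in the shape described above.
SAMPLE_INFECTED = """\
From: sender@example.invalid
Subject: Congratulations!!!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: application/octet-stream; name="Ylhq.htm.exe"
Content-Disposition: attachment; filename="Ylhq.htm.exe"
Content-Transfer-Encoding: base64

TVo=
--B--
"""
```

A single indicator is weak on its own (the subjects are ordinary phrases), so a gateway rule should require the attachment match and treat the subject as corroboration.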
The worm inserts its own "From:" field into infected messages. Depending on a
random value, it inserts there either a real e-mail address or a fake, randomly
generated address.
An interesting feature of the worm is that before sending infected messages,
it writes the list of found e-mail addresses into its own EXE file.
All strings in the worm's body (messages and addresses) are stored in
encrypted form.
Replication: local and network drives
The worm enumerates all local drives and network resources to which it has write
access and places a copy of itself there under a random name of the form
name.ext.exe (the name-generation routine is similar to the one used to generate
attachment names). After copying itself to network resources, the worm registers
its copies on the remote computers as system service applications.
Payload
On the 13th day of even months, the worm executes a payload routine that
fills all files on all available disks of the victim's computer with random
content. These files cannot be recovered and must be restored from a
backup copy.
Other versions
There are several modifications of this worm. I-Worm.Klez.a-d are similar and
have only minor differences.
Klez.e-h are likewise similar to one another, with minor differences as well.