W32/Klez.E@mm

Threat risk: Low

Detection files published:
18. Jan 2002
Description created:
2002-01-17
Description updated:
2003-02-27

Malware type:
Worm
Alias:
W32/Klez.F, I-Worm.Klez.E, Stemdil
Spreading mechanism:
Email, File Infection, Network

Payload:
Corrupts files. Disables antivirus software.

Summary

This is a variant in the Klez worm family, which has also been expanded with basic file-infecting capabilities.

It carries with it a file infecting virus, W32/Elkern.B.


Spreading description

Email characteristics:

Subject: Variable
Body: Variable

Attachment: Variable

When the worm is first executed, it copies itself to the Windows System directory using a semi-random name WINK????.EXE and creates a registry key to point to itself so it is loaded during startup.

At this time it also writes a file called WQK.EXE (on Win98) or WQK.DLL (on Win2000) to the Windows System directory. This file is another file-infecting virus, W32/Elkern.B.

The worm attempts to send itself to addresses picked from the Windows Address book and other sources.

The email subject and body texts are composed out of a number of strings and are variable.

The attachment file name is also semi-random; the extension is either PIF, EXE, SCR or BAT.

When the worm spreads via email the user(s) may be infected by only previewing or opening the mail in Outlook/Outlook Express. This is accomplished using a known security hole "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

Information and patch is available from: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

The security hole is a known issue with Internet Explorer versions 5.01 and 5.5 without SP2. Users who have this configuration should apply the available patch.

The worm also spreads over network shares. It copies itself to remote machines in two forms: once as a regular worm file, and once as a small RAR archive containing the worm.

As if this were not enough, the worm now also has basic file-infecting capabilities. It prepends itself to executables that it finds on the user's hard disk.

Threat description

The worm scans for and kills a number of known antivirus utilities in memory, among them the previous version of Norman Virus Control. It does not directly affect NVC version 5 or later. However, it also kills and deletes any process that opens an infected file, and this may of course interfere with the operation of any antivirus software.

The worm may corrupt other important files. In our tests on Win98, the important system file VMM32.VXD was destroyed.

There is also a date-triggered payload: on the 6th day of odd-numbered months, files of a number of different document formats are overwritten.

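The spreading and payload descriptions above give a defender a handful of host and mail indicators: a WINK????.EXE file and a WQK.EXE/WQK.DLL dropper in the Windows System directory, a startup registry value pointing at that file, attachments with a PIF, EXE, SCR or BAT extension, and a trigger date of the 6th of odd-numbered months. The following Python script is an added example, not Norman's tool or code; it encodes those indicators as checks over constructed sample input (a directory listing, a set of Run-key values and a few attachment names are assumed, as is the Run-key path used in the comment), so it can be run offline and adapted to real exports.

```python
import re
from datetime import date

# Indicators taken from the W32/Klez.E@mm description:
#  - a semi-random WINK????.EXE copied to the Windows System directory
#  - the WQK.EXE (Win98) / WQK.DLL (Win2000) W32/Elkern.B dropper
#  - email attachments with a PIF, EXE, SCR or BAT extension
WINK_PATTERN = re.compile(r"^WINK.{4}\.EXE$", re.IGNORECASE)
ELKERN_DROPPERS = {"WQK.EXE", "WQK.DLL"}
ATTACHMENT_EXTENSIONS = {"PIF", "EXE", "SCR", "BAT"}


def _basename(path):
    """Return the last path component, accepting both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_worm_dropped_file(name):
    """True if a file name matches the worm copy or the Elkern dropper."""
    base = _basename(name)
    return bool(WINK_PATTERN.match(base)) or base.upper() in ELKERN_DROPPERS


def _executable_from_command(command):
    """Pull the executable out of a Run-key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(run_values):
    """run_values maps a startup value name to its command line, e.g. as exported
    from HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (assumed key).
    Returns the value names whose target looks like the worm's startup copy."""
    return [name for name, cmd in run_values.items()
            if is_worm_dropped_file(_executable_from_command(cmd))]


def is_risky_attachment(filename):
    """True for the attachment extensions the worm is described as using."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    return ext in ATTACHMENT_EXTENSIONS


def is_payload_trigger_date(d):
    """The file-overwriting payload fires on the 6th of odd-numbered months."""
    return d.day == 6 and d.month % 2 == 1


# Constructed sample input: a System directory listing and Run-key export.
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "WQK.DLL", "WINKQZ1X.EXE", "WINK.EXE"]
SAMPLE_RUN_VALUES = {
    "Wink": r"C:\WINDOWS\SYSTEM\WINKABCD.EXE",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "Updater": '"C:\\Program Files\\Vendor\\updater.exe" --quiet',
}


def scan(system_dir_listing, run_values):
    """Collect every indicator hit into one report dictionary."""
    return {
        "dropped_files": [f for f in system_dir_listing if is_worm_dropped_file(f)],
        "run_values": suspicious_run_values(run_values),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_SYSTEM_DIR, SAMPLE_RUN_VALUES)
    print("Worm/dropper files:", report["dropped_files"])
    print("Suspicious Run values:", report["run_values"])
    print("Payload date today:", is_payload_trigger_date(date.today()))
```

Note that WINK.EXE is deliberately not flagged: the description gives exactly four variable characters, and the pattern keeps to that so a legitimately named file does not trip the check. On a real host the listing and Run values would come from the System directory and the registry rather than the constructed samples.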
Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage | Title | Comment
  Stopping the spread of viruses over network shares
  Cleaning of back-up folders on Windows Me and XP