Detection files published: 17 Apr 2002
Description created: 2002-04-17
Description updated: 2003-02-27

Alias: W32.Klez.G
Spreading mechanism: Network
Payload: Removes antivirus programs
This is a new email worm in the Klez series. It is in many ways similar to the previous variants, but some of the destructive behaviour has been removed.
The worm spreads over email using addresses harvested from several sources on the infected computer: web pages, the Windows Address Book and ICQ contact lists. Note that it also uses a harvested address chosen at random as the sender, so the apparent sender is not necessarily the real sender. The email is formatted so that the worm may execute without the user opening any attachment (see the MIME vulnerability described below).
The worm makes copies of itself on the local machine and on network shares, both in plain executable form and inside an archive with a .RAR extension.
When the worm is started it copies itself to the System directory under a name of the form Wink*.exe, where the asterisk denotes a random combination of letters. It then adds a Registry entry so that it is loaded at startup.
On Win9x/ME:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wink* = %SystemDir%\Wink*.exe
On Win NT/2000/XP:
HKLM\System\CurrentControlSet\Services\Wink* = %SystemDir%\Wink*.exe
The worm starts many concurrent threads, each performing a different task.
The first thread goes through the running processes and looks for certain words (see word list WL01) within the first 512 KB of each process's own memory space. If any of these words is found, the worm attempts to kill the process and delete its program file (unless the file resides in the dllcache directory).
Note that the presence of virus names in the word list will not always affect the viruses in question, since some of them do not carry their own name in memory; it will, however, certainly affect antivirus programs and clean-up tools. Viruses that contain the word "virus" may be affected, and unrelated programs may be killed by accident if their memory happens to contain any of these words.
In addition, the thread checks whether the file names of running processes contain words from a second word list (WL02). If so, those programs are killed and deleted in the same way as described above.
The Registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
are checked for entries belonging to the antivirus programs in the WL02 list; any such entries are removed from the Registry.
On Win9x/ME this thread also continuously refreshes the worm's own Run entry in the Registry.
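The persistence locations listed above (the Win9x Run value, the NT service entry, and the RunOnce value the worm writes on remote machines) are what an analyst looks for first in an exported hive. The following is an added example, not Norman's code or anything from the worm, that scans the text of a .reg export for Wink* entries pointing at a Wink*.exe. The sample export is constructed for the example (the value names Winkqzd, Winkab and Winkxy are invented stand-ins for the random letters), and the assumption that the NT service stores its executable in an ImagePath value is the standard layout of a service key, not something the description states.

```python
import re

# Constructed sample of a "reg export" of the relevant keys; not from a real host.
# One benign Run value is included to show it is not flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Winkqzd"="C:\\WINDOWS\\SYSTEM\\Winkqzd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winkab]
"ImagePath"="C:\\WINNT\\System32\\Winkab.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Winkxy"="C:\\WINNT\\System32\\Winkxy.exe"
"""

# Keys the description names as persistence locations (Run, RunServices, RunOnce,
# and a service whose own key name is Wink*).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.IGNORECASE)
SERVICE_KEY_RE = re.compile(r"\\CurrentControlSet\\Services\\Wink[A-Za-z]*$", re.IGNORECASE)
WINK_NAME_RE = re.compile(r"^Wink[A-Za-z]*$", re.IGNORECASE)
WINK_PATH_RE = re.compile(r"\\Wink[A-Za-z]*\.exe$", re.IGNORECASE)
# "name"="string value" lines of a .reg file (dword: lines are skipped).
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(value):
    """Undo the .reg string escaping (\\ for a backslash, \" for a quote)."""
    return value.replace('\\\\', '\\').replace('\\"', '"')


def find_klez_persistence(reg_text):
    """Return (key, value name, value data) for every Wink*-style persistence entry."""
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # a new key section starts
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), unescape_reg(m.group(2))
        if RUN_KEY_RE.search(key) and WINK_NAME_RE.match(name) and WINK_PATH_RE.search(value):
            findings.append((key, name, value))
        elif (SERVICE_KEY_RE.search(key) and name.lower() == "imagepath"
              and WINK_PATH_RE.search(value)):
            # Assumed layout: the service key's ImagePath holds the executable path.
            findings.append((key, name, value))
    return findings


if __name__ == "__main__":
    for key, name, value in find_klez_persistence(SAMPLE_REG):
        print(f"{key}\\{name} = {value}")
```

Running the script against a real export (`reg export HKLM hklm.reg` on the suspect machine, then passing the file contents in) prints every matching entry; a hit in RunOnce on a machine that was never itself the origin is consistent with the network-share infection route described later in this page.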
The second thread is the mail-sending thread. Once a minute it checks whether the computer is connected to the Internet. If it is, it scans the Windows Address Book, ICQ databases (if present) and .txt, .htm and .html files on local drives for email addresses. It attempts to send mail through the locally configured default mail server or, if that does not respond, guesses at possible mail servers by prefixing 'smtp.' to the domain names found in the harvested email addresses.
If a guessed mail server works, the worm keeps the email address it derived the server name from in an internal list. If the guessed mail server does not work either, it consults this internal list and tries up to six random servers remembered from previous successful connections.
If none of these work, it falls back to a hard-coded list of known mail servers (WL22).
The mails are composed semi-randomly, based on a set of word lists and conditions:
Subject: <optional WL14><WL08>
Body text: none
E.g.
Subject: FW:some questions

or

Subject: A <WL18><WL06><WL15>
Body text: <optional WL14>This is a <optional WL18><WL06><WL15>
I <WL20> you would <WL19> it.
E.g.
Subject: A very new website
Body text:
Hello,This is a special new website
I hope you would enjoy it.

or

Subject: <WL07> removal tools
Body text:
<WL07> is a <WL18>dangerous virus that <WL21>
<WL09>give you the <WL07> removal tools
For more information,please visit http://www.<WL09>.com
E.g.
Subject: W32.Klez.E removal tools
Body text:
W32.Klez.E is a dangerous virus that spread through email.
F-Secure give you the W32.Klez.E removal tools
For more information,please visit http://www.F-Secure.com

or

Subject: Worm Klez.E immunity
Body text:
Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'
If you have any question,please mail to me (link to email address)

or

Subject: <WL12><WL08>
Body text:
The following mail can't be sent to <random address>
From: <email address>
To: <random address>
Subject: <WL08>
<WL13> is the original mail
The emails of this type will appear to come from 'postmaster'.

or

Subject: A random set of words and/or letters found in local files
Body text: none

or

No subject or body text.
There is a chance that the worm checks the date and composes a date-related mail if the date falls within a specific range of certain dates. Such emails have the following format in the subject field:
Subject: <WL11> <optional WL06> <WL10>
Body text: none
E.g.
Subject: Have a nice April Fools' Day
The viral attachment is named randomly, based on file names or contents of files the worm has found, or is simply a random combination of letters. The file extension is .exe, .pif, .scr or .bat. In many cases the file name has a double extension; the second-to-last extension is then taken from word list WL03.
In addition, the email may contain a second attachment of one of the file types in word list WL03. This is a random file the worm has found on disk, and it may contain private or confidential information. If the file is 51200 bytes or smaller there is a 50% chance it is included; if it is between 51200 and 512000 bytes the chance is 25%. Larger files are never included.
Please note that the sender address is filled in by the worm from addresses found in local files and will often not identify the real sender.
When the worm spreads via email, users may be infected merely by reading or previewing the mail. This is accomplished using the known Internet Explorer vulnerability "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".
Information and the patch are available from Microsoft Security Bulletin MS01-020 (20/2001).
The vulnerability is a known issue in Internet Explorer 5.01 and 5.5 without Service Pack 2. Users with such a configuration should apply the available patch.
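The message templates, the attachment naming rules and the MIME trick above together give a mail gateway several independent things to check. The following added example, not Norman's code nor anything from the worm, parses a message with Python's standard `email` module and reports: a 'postmaster' sender, an attachment with an executable extension, a double extension whose inner part is a document type, a part whose declared Content-Type (audio, image, text or video) disagrees with an executable file name (the shape of the MS01-020 auto-execution trick), a decoded payload that starts with the MZ executable header, and subject/body text matching the bounce, removal-tool and immunity templates. The two messages are constructed for the example; the bounce subject and the specific MIME type `audio/x-wav` are my assumptions, and the set of document extensions stands in for WL03, which this page does not reproduce.

```python
import email
import email.policy
import re

EXEC_EXT = {"exe", "pif", "scr", "bat"}          # attachment extensions the page names
# Assumed stand-in for WL03 (second-to-last extension in double-extension names).
DOC_EXT = {"txt", "htm", "html", "doc", "xls", "jpg", "gif", "bmp", "mp3", "pdf", "rtf"}
DECOY_MAINTYPES = {"audio", "image", "text", "video"}
TEMPLATE_RE = [
    ("klez_bounce", re.compile(r"The following mail can.t be sent to", re.I)),
    ("klez_removal_tools", re.compile(r"removal tools|is a .*dangerous virus that", re.I)),
    ("klez_immunity", re.compile(r"immunity tool|Ignore the warning", re.I)),
]

# Constructed sample: a fake bounce carrying an executable declared as audio/x-wav.
# The base64 payload is just an MZ header followed by zeros, not a real program.
SAMPLE_BOUNCE = """\
From: postmaster@example.org
To: victim@example.net
Subject: Undeliverable mail: some questions
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="bnd1"

--bnd1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>The following mail can't be sent to friend@example.com<br>
From: victim@example.net<br>To: friend@example.com<br>Subject: some questions<br>
Attached is the original mail</body></html>
--bnd1
Content-Type: audio/x-wav; name="questions.txt.exe"
Content-Transfer-Encoding: base64
Content-ID: <wav1>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAA
--bnd1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """\
From: alice@example.net
To: bob@example.net
Subject: lunch
Content-Type: text/plain; charset="us-ascii"

See you at noon.
"""


def scan_message(raw):
    """Return a list of (finding code, detail) tuples for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    text_blobs = [str(msg.get("Subject", ""))]
    sender = str(msg.get("From", ""))
    if re.search(r"postmaster", sender, re.I):
        findings.append(("postmaster_sender", sender))

    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname is None:
            if part.get_content_maintype() == "text":
                body = part.get_payload(decode=True) or b""
                text_blobs.append(body.decode("utf-8", "replace"))
            continue
        pieces = fname.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXEC_EXT:
            findings.append(("executable_attachment", fname))
            if len(pieces) > 2 and pieces[-2] in DOC_EXT:
                findings.append(("double_extension", fname))
            if part.get_content_maintype() in DECOY_MAINTYPES:
                # Declared as media, named as an executable: the MS01-020 pattern.
                findings.append(("mime_type_mismatch", f"{part.get_content_type()} -> {fname}"))
            payload = part.get_payload(decode=True) or b""
            if payload[:2] == b"MZ":
                findings.append(("mz_header", fname))

    blob = "\n".join(text_blobs)
    for code, rx in TEMPLATE_RE:
        if rx.search(blob):
            findings.append((code, rx.pattern))
    return findings


if __name__ == "__main__":
    for code, detail in scan_message(SAMPLE_BOUNCE):
        print(f"{code}: {detail}")
```

The text-template matches are the weakest signal, since the word lists change between variants; the Content-Type/extension mismatch and the MZ header are the checks worth keeping regardless of variant, and a gateway that strips or quarantines on those two alone removes the "open without clicking" path this page describes.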
The third thread attempts, once every two hours, to open and enumerate remote resources; if a resource is a disk, the worm copies itself to the remote machine.
On WinNT/2000/XP-based machines it attempts to install the remote copy of itself as a service on the remote machine. It also attempts to add itself to the remote machine's Registry under the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key, so that the worm is loaded at the next boot.
In addition, the worm copies over a copy of itself stored inside a RAR archive. The file name inside the archive is composed of strings from the WL16 and WL04 word lists, e.g. snoopy.exe or install.pif.
The fourth thread is the file-infecting thread. Every hour Klez looks for programs listed under the 'App Paths' key in the Registry and attempts to infect those that meet certain criteria. The infection is companion-style: the original file is copied to a hidden file with the same base name but a random extension, and Klez takes its place, using the same name and even preserving the file size and resource information of the original so that no obvious change is noticeable. Besides being moved to a different file name, the original program is also compressed, so it cannot be run even if renamed back to its original name.
A program is eligible for infection if it is not protected by System File Checker on Win2000/XP, if its file name does not contain any of the names in word list WL05, and if the file is between 86016 and 3145728 bytes long.
When such an infected program is run, the worm finds and extracts the original file and executes it. The extracted file gets a name built from the full path name with the backslashes and periods removed and '.EXE' appended. E.g. if the infected program is called C:\Setup\Setup.exe and the compressed original is called C:\Setup\Setup.gfr, the worm extracts the original to a file called 'csetupsetupgfr.exe' and executes it. It is not particularly noticeable that the program that was run was actually infected.
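Because the infected program keeps its original name, size and resources, the reliable trace of a companion infection is the hidden sibling file with the same base name and an odd extension, plus the flattened-path .EXE the worm drops when the infected program runs. The following added example (not Norman's code, and not how the worm itself is written) encodes the eligibility window above, reproduces the flattened-path naming rule, and hunts a directory listing for exe/hidden-sibling pairs. The listing is constructed for the example; the colon removal and lower-casing in the naming rule are inferred from the page's own 'csetupsetupgfr.exe' example, and the set of extensions treated as benign siblings is an assumption.

```python
import os

ELIGIBLE_MIN, ELIGIBLE_MAX = 86016, 3145728      # size window stated on the page
# Assumed benign extensions that commonly sit next to an .exe with the same base name.
KNOWN_SIBLING_EXT = {"ini", "txt", "dll", "cfg", "log", "dat", "hlp", "lnk"}

# Constructed directory listing: (file name, size in bytes, hidden attribute set).
# Setup.exe has an eligible size and a hidden sibling with a random-looking
# extension; app.exe is below the size window so it cannot have been infected.
SAMPLE_LISTING = [
    ("Setup.exe", 204800, False),
    ("Setup.gfr", 61234, True),
    ("Setup.ini", 300, False),
    ("readme.txt", 1200, False),
    ("app.exe", 50000, False),
    ("app.qwe", 20000, True),
]


def eligible_size(size):
    """True if a program's size lies inside the worm's infection window."""
    return ELIGIBLE_MIN <= size <= ELIGIBLE_MAX


def companion_extract_name(path):
    """Name of the temporary file the worm extracts the original program to:
    the full path with backslashes, periods and the drive colon removed,
    lower-cased, plus '.exe' (inferred from the page's example)."""
    flat = "".join(ch for ch in path if ch not in "\\.:")
    return flat.lower() + ".exe"


def find_companion_pairs(listing):
    """Return (exe name, hidden sibling name) pairs that look like Klez companions."""
    by_stem = {}
    for name, size, hidden in listing:
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.lower(), []).append((name, ext.lstrip(".").lower(), size, hidden))

    pairs = []
    for files in by_stem.values():
        exes = [f for f in files if f[1] == "exe" and eligible_size(f[2])]
        # A hidden file with the same stem and an extension that is neither
        # .exe nor a normal companion data file is the moved original.
        hidden = [f for f in files if f[3] and f[1] not in KNOWN_SIBLING_EXT and f[1] != "exe"]
        for exe in exes:
            for h in hidden:
                pairs.append((exe[0], h[0]))
    return pairs


if __name__ == "__main__":
    for exe, orig in find_companion_pairs(SAMPLE_LISTING):
        print(f"suspect companion pair: {exe} / {orig}")
    print(companion_extract_name(r"C:\Setup\Setup.gfr"))
```

On a real system the listing would come from `os.scandir` with the hidden attribute read from `entry.stat().st_file_attributes`; a hit should be confirmed by checking that the hidden sibling is smaller than the .exe (the page says the original is compressed) and does not start with an MZ header.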
The fifth thread creates a file with a random name in the Program Files directory and executes it. This file is 10240 bytes long and installs the W32/ElKern.C virus.
The sixth thread looks for and deletes antivirus checksum databases (WL17) in the Internet Explorer cache directories.
Threads seven to thirty-two look for and delete antivirus checksum databases (WL17) on all local and mapped drives A: to Z:.
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free tool Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

| Usage | Title | Comment |
|---|---|---|
| Stopping network share infectors | | |
| Cleaning of back-up folders on Windows Me and XP | | |