VIRUS ALERT---“W32KLEZ” Worm---Info on detection, prevention, removal
April 2002

Copied below are excerpts on the Klez worm variants from the McAfee and Symantec web sites. Be sure to check the Symantec and McAfee sites for full details and removal instructions. Also look over our anti-virus page. Links to Microsoft's tech pages, patches, and updates are below, including a link which addresses the "exploit vulnerability" flaw in IE that affects the rendering of HTML email messages in Outlook and Outlook Express.

From the Symantec Security Response site:
W32.KLEZ.GEN—"Due to an increased number of submissions, this threat has been upgraded to Category 4. W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm are most likely infected with either W32.Klez.E@mm or W32.Klez.H@mm. Please refer to the appropriate write-ups for more information." . . . "W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages." . . . "The subject and attachment name of incoming emails is randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr. The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message." . . . "W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds. Depending on which variant of the worm, the worm will drop one of the following viruses: W32.Elkern.3326, W32.Elkern.3587, W32.Elkern.4926 which will then infect the system."


Symantec on W32.KLEZ.H—"W32.Klez.H@mm is a modified variant of the worm W32.Klez.E@mm. This variant is capable of spreading by email and network shares. It is also capable of infecting files." . . . "Payload: This worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

  • Large scale e-mailing: This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.
  • Releases confidential info: Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment."

"This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. The subject line, message bodies, and attachment file names are random. The From address is randomly-chosen from email addresses that the worm finds on the infected computer." . . . "If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed."

McAfee on W32/KLEZ.H—"This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, exploits a Microsoft vulnerability, spreads via network shares, infects executables on the local system, and drops an additional file infecting virus" . . . "The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body are composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine)." . . . "The file attachment name is again generated randomly, and ends with a .exe, .scr, .pif, or .bat extension, . . ." "W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used...Subject: Worm Klez.E Immunity"
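The excerpts above give a mail administrator two concrete handles: the attachment always ends in .bat, .exe, .pif or .scr, and one of the lures uses the subject "Worm Klez.E Immunity". The following Python triage function is an added example, not code from this page or from either vendor. It uses only the standard library's email parser; the two messages it parses are constructed here, and the attachment names (setup.exe, report.pdf) are made up, since the worm randomizes its names. The page links to an IE flaw that lets the attachment run on preview; a common form of that trick is an executable part declared with a media content type, so the function also reports that mismatch. That mismatch check is my heuristic, not something the excerpts describe.

```python
import email
import os
from email import policy

# Attachment extensions the Symantec and McAfee write-ups list for Klez mail.
RISKY_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}
# Subject McAfee quotes for the fake "immunity tool" lure; all other subjects are random.
LURE_SUBJECTS = {"worm klez.e immunity"}
# Assumption (my heuristic): an executable-named part declared with anything other than an
# application/* content type is treated as a preview-execution trick.
EXECUTABLE_TYPE_PREFIXES = ("application/",)


def triage_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return what a mail gateway should act on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"risky_attachments": [], "mime_mismatch": [], "lure_subject": False}

    subject = str(msg["subject"] or "").strip().lower()
    findings["lure_subject"] = subject in LURE_SUBJECTS

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext not in RISKY_EXTENSIONS:
            continue
        findings["risky_attachments"].append(name)
        ctype = part.get_content_type()
        if not ctype.startswith(EXECUTABLE_TYPE_PREFIXES):
            findings["mime_mismatch"].append((name, ctype))

    # Quarantine on the attachment rule alone: the From header is forged from harvested
    # addresses and the subject is usually random, so neither is a reliable signal by itself.
    findings["quarantine"] = bool(findings["risky_attachments"]) or findings["lure_subject"]
    return findings


# Constructed sample resembling a Klez-style message: lure subject, HTML body, and an
# executable attachment declared as audio/x-wav. The base64 payload is the text
# "NOT A REAL PROGRAM", not a binary.
SUSPICIOUS_MESSAGE = b"""From: coworker@example.invalid
To: you@example.invalid
Subject: Worm Klez.E Immunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Constructed lure text for the example.</body></html>
--b1
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

Tk9UIEEgUkVBTCBQUk9HUkFN
--b1--
"""

# Constructed benign sample: ordinary subject, PDF attachment with a matching content type.
CLEAN_MESSAGE = b"""From: colleague@example.invalid
To: you@example.invalid
Subject: Q2 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, triage_message(raw))
```

The extension rule is the one that does the work: it holds for every Klez variant the excerpts describe, whereas the subject match only catches the single quoted lure. A gateway that strips or quarantines those four extensions outright, regardless of declared content type, is not fooled by the random naming.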


McAfee on W32/Klez.e—". . . The worm interferes with running programs and frequently displays a fake error message: 'There is not eough memory to start __PROGRAM_NAME__.EXE. Quit some programs, and then try again.' Note - the name displayed is random but is always an EXE." . . . "W32/Klez.e@MM worm overwrites files and they are padded with zeroes to the original uninfected host size. The worm saves original contents of the hosts in files with the same name and random extension. These files are "Hidden" and "System" (to be able to see them you need to change "View/Folder Options" in Windows Explorer by selecting "Show all files")." . . . "Running infected files causes the worm to reconstruct the uninfected host file using saved data. Such reconstructed files will have "~1" appended to the name (ex., infected MSOFFICE.EXE will be accompanied by an uninfected MSOFFI~1.EXE). The worm deletes them as soon as the program stops running so they exist only temporarily." . . . "W32/Klez.e@MM sends itself out using SMTP protocol. It harvests the Windows address book for email addresses."

Symantec on W32.KLEZ.E —"W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names. The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained." . . . "The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus. . . W32.Elkern.3587, which is similar to W32.ElKern.3326." . . . "The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes."
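The McAfee and Symantec Klez.E excerpts above describe an on-disk pattern a responder can look for: an .exe overwritten and padded with zeroes to its original size, sitting next to a Hidden+System file with the same name and a random extension, and occasionally a transient NAME~1.EXE reconstruction. The script below is an added example, not code from this page or from either vendor; it walks a directory and reports those three signs. The sample tree it builds is constructed (MSOFFICE.EXE is the host name the McAfee excerpt uses; the .KXQ sibling extension and the 512-byte padding threshold are my assumptions). The Hidden/System attribute check only has meaning on Windows and is reported separately.

```python
import os
import tempfile

# Extensions that legitimately share a stem with an .exe and should not be reported.
EXPECTED_SIBLING_EXTENSIONS = {
    ".exe", ".dll", ".ini", ".cfg", ".txt", ".log", ".manifest", ".config", ".pdb",
}
# Assumption: this many trailing NUL bytes is treated as zero padding rather than normal content.
ZERO_RUN_THRESHOLD = 512
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def trailing_zero_bytes(path: str, chunk: int = 4096) -> int:
    """Count NUL bytes at the end of a file, reading backwards so large files stay cheap."""
    size = os.path.getsize(path)
    count = 0
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            fh.seek(pos)
            block = fh.read(step)
            stripped = block.rstrip(b"\x00")
            count += len(block) - len(stripped)
            if stripped:  # hit a non-zero byte: the run of padding ends here
                break
    return count


def is_hidden_system(path: str) -> bool:
    """True only on Windows when the file carries both Hidden and System attributes."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) and bool(attrs & FILE_ATTRIBUTE_SYSTEM)


def scan_directory(root: str) -> dict:
    """Report the three on-disk signs as paths relative to root."""
    findings = {
        "zero_padded_exes": [],      # .exe whose tail is a long run of NUL bytes
        "odd_siblings": [],          # (exe, same-stem file with an unexpected extension)
        "hidden_system_siblings": [],  # subset of odd siblings with Hidden+System (Windows only)
        "temp_reconstructions": [],  # NAME~1.EXE, normally present only while the host runs
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if trailing_zero_bytes(path) >= ZERO_RUN_THRESHOLD:
                findings["zero_padded_exes"].append(rel)
            if stem.endswith("~1"):
                findings["temp_reconstructions"].append(rel)
            for other in files:
                o_stem, o_ext = os.path.splitext(other)
                if o_stem.lower() == stem.lower() and o_ext.lower() not in EXPECTED_SIBLING_EXTENSIONS:
                    other_path = os.path.join(dirpath, other)
                    pair = (rel, os.path.relpath(other_path, root))
                    findings["odd_siblings"].append(pair)
                    if is_hidden_system(other_path):
                        findings["hidden_system_siblings"].append(pair)
    return findings


def build_sample_tree() -> str:
    """Constructed sample: one ordinary program and one that looks like an overwritten host."""
    root = tempfile.mkdtemp(prefix="klez_demo_")
    with open(os.path.join(root, "GOOD.EXE"), "wb") as fh:
        fh.write(b"MZ" + bytes(range(256)) * 8)      # no trailing zero run
    with open(os.path.join(root, "GOOD.INI"), "w") as fh:
        fh.write("[settings]\n")                       # expected sibling, not reported
    with open(os.path.join(root, "MSOFFICE.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 100 + b"\x00" * 4000)  # short body padded to "original" size
    with open(os.path.join(root, "MSOFFICE.KXQ"), "wb") as fh:
        fh.write(b"placeholder for the saved original")  # same stem, random extension
    return root


if __name__ == "__main__":
    print(scan_directory(build_sample_tree()))
```

Treat the output as triage, not verdict: a legitimate installer can end in a run of zero bytes, and a NAME~1 long file name is unusual but not impossible. Hits should be confirmed with a current vendor scanner, which is also what is needed to restore the host file from the saved copy rather than deleting it.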

McAfee:

Symantec:

Microsoft:
