Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Klez.F

Threat level: High threat
Damage: Severe
Distribution: Not widespread

Effects

When Klez.F activates and carries out its infection, it has the following effects:

  • It destroys files with the following extensions: BAK, C, CPP, DOC, HTM, HTML, JPG, MP3, MPG, PAS, TXT, WAB and XLS.
    It does this by overwriting the content of the files with ones and zeros. Klez.F performs this action on the 6th of the following months: March, May, September and November.
  • It drops a virus called Elkern.A in the affected computer.
  • It deletes the files of some antivirus programs.
  • It prevents the computer from starting up correctly.
    In order to do this, it renders some VxD drivers unusable by modifying the entry
    e32_restab (Offset of resident name table).

Infection strategy

Klez.F automatically carries out its infection in the following ways:

  • When the message in which it is sent is viewed in Outlook’s Preview Pane. It does this by exploiting a known vulnerability in Internet Explorer (versions 5.01 and 5.5).
  • When the message carrying this worm is opened.
  • When the file attached to the message is opened or run.

The Klez.F infection process follows this routine:

Klez.F creates the following files:

  • WINKXXXX.EXE in the Windows system directory. The X characters are assigned to the file name at random and represent any letter of the alphabet.
  • WQK.EXE in the Windows system directory. This file is the Elkern.A virus that Klez.F contains. It is 12,416 Bytes in size.
  • Klez.F also creates another file whose name is made up of eight random alphanumeric characters (XXXXXXXX.XXX).

Klez.F modifies the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Through this entry, the worm ensures that it is run every time the infected computer is started up.
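The file names and the Run key described above, together with the payload dates given under Effects, are the host-side indicators a responder would check. The following Python is an added example (not Panda Security's code or any part of the original entry) that classifies constructed Run-key values against the naming pattern the page gives (WINK followed by four random letters, .EXE, and WQK.EXE, both in the Windows system directory) and tells whether a given calendar date is one of the overwrite-payload dates. The sample Run-key values, the `\SYSTEM\` / `\SYSTEM32\` directory markers and the hypothetical function names are assumptions made for the example.

```python
import re

# Constructed sample of what a Run key might hold (illustrative values, not real telemetry).
SAMPLE_RUN_VALUES = {
    "SystemTray": r"C:\WINDOWS\SYSTEM\systray.exe",
    "Wink": r"C:\WINDOWS\SYSTEM\WINKQZRT.EXE",
    "Wqk": r'"C:\WINDOWS\SYSTEM\WQK.EXE"',
    "Updater": r"C:\Program Files\Updater\updater.exe",
    "Stray": r"C:\Temp\WINKABCD.EXE",
}

# Names the page attributes to Klez.F: WINKXXXX.EXE (X = random letters) and WQK.EXE
# (the dropped Elkern.A virus, 12,416 bytes), both in the Windows system directory.
WINK_PATTERN = re.compile(r"^WINK[A-Z]{4}\.EXE$", re.IGNORECASE)
ELKERN_NAME = "WQK.EXE"
ELKERN_SIZE = 12416  # bytes, as stated on the page

# Assumption for this example: the system directory path contains one of these markers.
SYSTEM_DIR_MARKERS = ("\\SYSTEM\\", "\\SYSTEM32\\")

# Payload trigger dates from the Effects section: the 6th of March, May, September, November.
PAYLOAD_MONTHS = {3, 5, 9, 11}
PAYLOAD_DAY = 6


def normalize_command(command):
    """Strip surrounding quotes and whitespace from a Run-key command string."""
    return command.strip().strip('"').strip()


def basename(path):
    """Last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_system_dir(path):
    return any(marker in path.upper() for marker in SYSTEM_DIR_MARKERS)


def classify_run_value(command):
    """Return a reason string if the command matches a Klez.F file name in the system directory, else None."""
    path = normalize_command(command)
    if not in_system_dir(path):
        return None  # the page places both files in the system directory; elsewhere we stay silent
    name = basename(path).upper()
    if WINK_PATTERN.match(name):
        return "klez-f-dropper-name"
    if name == ELKERN_NAME:
        return "elkern-a-name"
    return None


def find_suspicious_run_entries(run_values):
    """Map Run value name -> reason for every entry that matches an indicator."""
    hits = {}
    for value_name, command in run_values.items():
        reason = classify_run_value(command)
        if reason:
            hits[value_name] = reason
    return hits


def elkern_size_matches(size_in_bytes):
    """Corroborating check for a WQK.EXE candidate: the page gives its size as 12,416 bytes."""
    return size_in_bytes == ELKERN_SIZE


def is_payload_date(month, day):
    """True on the dates the page says the file-overwrite payload runs."""
    return day == PAYLOAD_DAY and month in PAYLOAD_MONTHS


if __name__ == "__main__":
    for value_name, reason in find_suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(f"{value_name}: {reason}")
    print("payload date 6 March:", is_payload_date(3, 6))
```

The name check alone is a weak indicator (any program could be named this way), so the size check on WQK.EXE and the Run-key location are used together; a hit is a prompt to inspect the file, not a verdict on its own.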

Means of transmission

Klez.F uses e-mail to spread and follows this routine:

  • It reaches computers hidden in e-mail messages. The messages vary, but their most common subjects are: Don't drink too much, Your password, How are you or A funny website.
  • It activates when the message carrying the worm is opened or viewed in Outlook’s Preview Pane.
    In order to do this, it uses a vulnerability in Internet Explorer (versions 5.01 and 5.5).
    Microsoft has already released the patch that fixes this problem.
  • It automatically sends itself to all the contacts in the Address Book.

Possible formats of the messages in which Klez.F is sent:

  • Most common subjects:
    Don't drink too much
    Hello, (name of the recipient),questionaire
    Your password
    How are you
    Japanese lass' sexy pictures
    Hi, (name of the recipient), congratulations
    Welcome to my hometown
    A funny website
  • Message body: none; the message contains no text.
  • Attachments: the names of these files vary but always have one of the following extensions: SCR, PIF, BAT or EXE.
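The message characteristics listed above (the subject lines, the empty body and the attachment extensions SCR, PIF, BAT and EXE) can be turned into a mail-gateway triage rule. The Python below is an added example, not code from Panda Security or from the original entry: it matches the page's subject lines (treating "(name of the recipient)" as a wildcard), checks the final extension of each attachment, and combines the three indicators into a verdict. The sample messages, the verdict names and the function names are assumptions made for the example.

```python
import re

# Subject lines listed on the page; "(name of the recipient)" is a variable part.
KLEZ_SUBJECTS = [
    "Don't drink too much",
    "Hello, (name of the recipient),questionaire",
    "Your password",
    "How are you",
    "Japanese lass' sexy pictures",
    "Hi, (name of the recipient), congratulations",
    "Welcome to my hometown",
    "A funny website",
]
NAME_PLACEHOLDER = "(name of the recipient)"

# Attachment extensions the page lists for the carrier file.
CARRIER_EXTENSIONS = {"SCR", "PIF", "BAT", "EXE"}


def _subject_pattern(template):
    """Compile one listed subject into a regex; the recipient-name placeholder matches any text."""
    parts = [re.escape(p) for p in template.split(NAME_PLACEHOLDER)]
    return re.compile(r"^\s*" + r".+?".join(parts) + r"\s*$", re.IGNORECASE)


SUBJECT_PATTERNS = [_subject_pattern(s) for s in KLEZ_SUBJECTS]


def attachment_extension(filename):
    """Final extension, upper-cased, so 'pictures.jpg.scr' is judged by SCR."""
    return filename.rsplit(".", 1)[-1].upper() if "." in filename else ""


def subject_matches(subject):
    return any(p.match(subject) for p in SUBJECT_PATTERNS)


def triage(message):
    """Return (verdict, reasons) for a message dict with keys subject, body, attachments."""
    reasons = []
    carriers = [a for a in message["attachments"] if attachment_extension(a) in CARRIER_EXTENSIONS]
    if carriers:
        reasons.append("executable attachment: " + ", ".join(carriers))
    if subject_matches(message["subject"]):
        reasons.append("subject matches a Klez.F subject line")
    if not message["body"].strip():
        reasons.append("empty message body")

    # An executable attachment plus any corroborating indicator is quarantined;
    # a lone indicator pair or a lone executable attachment goes to a human.
    if carriers and len(reasons) >= 2:
        verdict = "quarantine"
    elif carriers or len(reasons) >= 2:
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, reasons


# Constructed sample messages for the example (not real mail).
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Hi, Alice, congratulations", "body": "", "attachments": ["pictures.jpg.scr"]},
    {"id": "m2", "subject": "Quarterly report", "body": "Figures attached.", "attachments": ["q3.xls"]},
    {"id": "m3", "subject": "Your password", "body": "", "attachments": []},
    {"id": "m4", "subject": "Invoice", "body": "Please find the invoice attached.", "attachments": ["setup.exe"]},
]


def triage_all(messages):
    """Map message id -> verdict for a batch."""
    return {m["id"]: triage(m)[0] for m in messages}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, reasons = triage(m)
        print(m["id"], verdict, reasons)
```

The subject list is the weakest of the three signals and will age as campaigns change, which is why the rule never quarantines on subject alone; the attachment extension check is what carries the decision, and blocking those extensions outright at the gateway is the simpler control where the organisation can tolerate it.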