Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Elkern.C is activated by simply viewing the message in Outlook's Preview Pane. In order to do this, it exploits a vulnerability in Internet Explorer (versions 5.01 and 5.05).
Elkern.C has the following effects:
- It tries to disable the permanent protection of some antivirus programs.
- It infects files with EXE and SCR extensions that are over 8 Kbytes in size. It infects all disk drives and the network drives that can be accessed from the affected computer.
Infection strategy
Elkern.C only infects computers with the operating system Windows 98 or Windows 2000 installed. The reason for this is that it uses a fixed address (only valid in these operating systems) in order to call a Windows API function.
Elkern.C has different infection routines, depending on the operating system installed in the computer:
Windows 98:
- Elkern.C creates a file called WQK.EXE in the Windows system directory. This file has the following attributes: hidden, system and read-only.
- It creates the following entry in the Windows Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WQK = %sysdir%\wqk.exe
where %sysdir% is the Windows system directory. By creating this entry, Elkern.C ensures that it is run whenever Windows is started.
- Elkern.C cannot be seen in the Task list, as it is registered as a service process.
Windows 2000:
Elkern.C performs the following actions in both Windows 98 and Windows 2000 computers:
- Elkern.C goes memory resident.
- It infects the active processes and those that do not have the name \explorer.
- It intercepts the functions DispatchMessageA and DispatchMessageW in order to infect the processes that are active when one of these functions is run.
- It checks if a debugging tool is enabled. In order to do this, it uses a call to a Windows API function, IsDebuggerPresent.
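The two host-based indicators above (the WQK value under the Run key pointing at wqk.exe in the system directory, and EXE/SCR files over 8 KB as infection targets) can be turned into a simple triage check. The following is an added example, not code from the original page or from Panda Security; it parses a constructed registry export in .reg text format offline and assumes "over 8 Kbytes" means larger than 8192 bytes.

```python
import re
from typing import Dict, List

# Constructed sample of a .reg export of the Run key: one benign entry
# plus the WQK persistence entry described in the encyclopedia entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysTray"="C:\\WINDOWS\\SYSTEM\\systray.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\wqk.exe"
"""

RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_run_entries(reg_text: str) -> Dict[str, str]:
    """Return {value_name: data} for string values under any ...\\CurrentVersion\\Run key."""
    entries: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new key header: track whether we are inside a Run key
            in_run_key = line[1:-1].lower().endswith(RUN_KEY_SUFFIX.lower())
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # .reg exports escape backslashes in string data as "\\"
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def find_wqk_persistence(reg_text: str) -> List[str]:
    """Flag Run entries named WQK or whose data ends in \\wqk.exe (the Elkern.C indicator)."""
    hits = []
    for name, data in parse_run_entries(reg_text).items():
        if name.upper() == "WQK" or data.lower().endswith("\\wqk.exe"):
            hits.append(f"{name} = {data}")
    return hits


def infection_candidates(files: Dict[str, int], min_size: int = 8 * 1024) -> List[str]:
    """Files Elkern.C would target for infection: EXE/SCR strictly larger than 8 KB (assumed 8192 bytes)."""
    return sorted(path for path, size in files.items()
                  if path.lower().endswith((".exe", ".scr")) and size > min_size)


if __name__ == "__main__":
    print(find_wqk_persistence(SAMPLE_REG))
```

Run it against a real `reg export` of the Run key (and a directory listing with sizes) to narrow which executables deserve a scan; the Run-key hit is the stronger signal, since the size filter only lists what the virus could infect, not what it did.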
Means of transmission
How does it get into computers?
- Elkern.C reaches computers inside the Klez.I worm, as it cannot spread by itself. The e-mail message usually has one of the following subjects: A powful tool, Worm Klez.E immunity or A funny website.
- As it is dropped by Klez.I, Elkern.C is automatically sent to all the contacts in the Address Book.
How is it activated?
How does it spread?
- As Elkern.C is contained inside Klez.I, it is automatically sent to all of the contacts in the Address Book, via an SMTP connection.
- In many cases, thanks to Klez.I, it modifies the address of the sender of the infected message, which makes it difficult to detect.
Further Details
Elkern.C is a polymorphic virus that is 4926 bytes in size.