Hello!

You’re about to visit our web page in English
Would you like to continue?

Yes, I want to visit the web page in English No, I want to visit the web page in

If this is not what you’re looking for,

Visit our Welcome Page!

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Klez.I

 
Threat LevelHigh threatDamageSevereDistributionNot widespread

Effects 

When Klez.I activates and carries out its infection, it has the following effects:

  • It drops a virus called W32/Elkern.C in the affected computer.
  • It selects a file at random from the infected computer and sends it out to third-parties. This file can have any of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 and PDF.
  • It looks for the following processes in memory and if it finds them, it ends them:
    _AVP32, _AVPCC, NOD32, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NAV, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, _AVPM, ALERTSVC, AMON, AVP32, AVPCC, AVPM, N32SCANW, NAVWNT, ANTIVIR, AVPUPD, AVGCTRL, AVWIN95, SCAN32, VSHWIN32, F-STOPW, F-PROT95, ACKWIN32, VETTRAY, VET95, SWEEP95, PCCWIN98, IOMON98, AVPTC, AVE32, AVCONSOL, FP-WIN, DVP95, F-AGNT95, CLAW95, NVC95, SCAN, VIRUS, LOCKDOWN2000, Norton, Mcafee, Antivir, TASKMGR.
  • It disables the permanent protection of the antivirus program by deleting the following entry from the Windows Registry:
    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    Apvxdwin
  • Klez.I deletes the following files, which belong to antivirus programs and allow them to check the integrity of other files: ANTI-VIR.DAT, CHKLIST.DAT, CHKLIST.MS, CHKLIST.CPS, CHKLIST.TAV, IVB.NTZ, SMARTCHK.MS, SMARTCHK.CPS, AVGQT.DAT and AGUARD.DAT. APVXDWIN.EXE and AVENGINE.EXE in computers with Panda Antivirus installed.

Infection strategy 

Klez.I creates the following files:

  • WINK*.EXE in the Windows directory, which is a copy of the Klez.I worm.
  • A file, which is 10,240 bytes in size, in the Program Files directory. It assigns it a random name (three letters and four numbers) and an EXE extension.

    This file is detected by some antivirus programs as a virus called Elkern.C. This file has a PE format (Portable Executable) and is 4,500 Bytes in size.
    Elkern.C looks for empty spaces in the files it wants to infect. When it finds empty spaces it fills them with its viral code without affecting the file size. This technique is known as cavity infection and makes this virus difficult to detect.
    The Elkern.C virus infects files stored on all disk drives, from A: to Z:.

Klez.I creates the following entry in theWindows Registry:

  • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    Wink* = Wink*.exe
    By creating this entry, Klez.I ensures that it is run whenever Windows is started.

Klez.I automatically carries out its infection in several ways:

  • When the message carrying the worm is viewed in Outlook's Preview Pane . It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5).
  • When the message carrying the worm is opened.
  • When the file attached to the message is opened or run.

Means of transmission 

Klez.I mainly uses e-mail to spread. It follows this routine:

  • It reaches the computer in a message with variable characteristics:

    Sender:
    Klez.I spoofs the e-mail address from which it is sent. This may cause confusion. For further information, click here.

    Version 1:

    Subject:
    A powful tool

    Message:
    This is a special powful tool
    I expect you would enjoy it

    Attachments: It contains two.
    One of the files has one of the following extensions: PIF, BAT, EXE or SCR.
    The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.


    Version 2:

    Subject:
    Worm Klez.E immunity

    Message:

    Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
    Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious virus.
    You only need to run this tool once,and then Klez will never come into your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question, please mail to me

    Attachments: It contains two.
    One has one of the following extensions: PIF, BAT, EXE or SCR.
    The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.

    Version 3:

    Most frequent subject:
    A funny website
    Other possible subjects:
    !supportEmptyParas
    How are you
    Sito utilizza frames!!
    Fw:introduction on ADSL
    Look,my beautiful girl friend
    Reset Display
    205 MB of free hard disk space, but may
    let's be friends
    darling
    so cool a flash,enjoy it
    your password
    honey
    some questions
    please try again
    welcome to my hometown
    the Garden of Eden
    meeting notice
    questionnaire
    congratulations
    sos!
    japanese girl VS playboy
    eager to see you
    spice girls' vocal concert
    japanese lass' sexy pictures
    On some occasions, the subjects is constructed as follows:
    Re: Fw: Undeliverable mail--"%s"
    Returned mail--"%s"
    a %s %s game
    a %s %s tool
    a %s %s website
    a %s %s patch
    %s removal tools
    The symbol %s stands for a word chosen randomly from: new, funny, nice, humour, excite, good, powful, WinXP, IE 6.0, W32.Elkern, W32.Klez.E, Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky.
    In some other cases, the subject consists of several phrases, where the symbol %s stands for one of the following words: enjoy, like, wish, hope or expect.
    The following are some examples:
    I %s you would %s it.
    The following mail can't be sent to %s:
    The attachment The file is the original mail give you the %s
    is a %s dangerous virus that %s can infect on Win98/Me/2000/XP.
    spread through email.
    very special
    http:// www. .com
    For more information,please visit
    This is
    Christmas
    New year
    Saint Valentine's Day
    Allhallowmas
    April Fools'Day
    Lady Day
    Assumption
    Candlemas
    All Souls'Day
    Epiphany
    Happy
    Have a

    Message:
    This is a funny website
    I hope you would like it

    Attachments: It contains two.
    One has one of the following extensions: PIF, BAT, EXE or SCR.
    The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.
  • It activates when the message carrying it is open or viewed in Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5). Microsoft has already released the patch that fixes this problem.
  • Klez.I sends itself out to all the contacts in the Address Book, using a SMTP connection.

Further Details  

Klez.I is written in the programming language Visual C++ 6.0 and is 85 Kbytes in size.

>

ARE YOU FACING ANY PC OR INTERNET RELATED PROBLEMS?
FREE SUPPORT INCLUDED. CALL US 24/7

powered by Anytech365

0203 769 3439

Hello!

You’re about to visit our web page in English
Would you like to continue?

Yes, I want to visit the web page in English No, I want to visit the web page in

If this is not what you’re looking for,

Visit our Welcome Page!