Panda Security Virus Encyclopedia
Klez.I
Effects
When Klez.I activates and carries out its infection, it has the following effects:
- It drops a virus called W32/Elkern.C in the affected computer.
- It selects a file at random from the infected computer and sends it out to third-parties. This file can have any of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 and PDF.
- It looks for the following processes in memory and if it finds them, it ends them:
_AVP32, _AVPCC, NOD32, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NAV, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, _AVPM, ALERTSVC, AMON, AVP32, AVPCC, AVPM, N32SCANW, NAVWNT, ANTIVIR, AVPUPD, AVGCTRL, AVWIN95, SCAN32, VSHWIN32, F-STOPW, F-PROT95, ACKWIN32, VETTRAY, VET95, SWEEP95, PCCWIN98, IOMON98, AVPTC, AVE32, AVCONSOL, FP-WIN, DVP95, F-AGNT95, CLAW95, NVC95, SCAN, VIRUS, LOCKDOWN2000, Norton, Mcafee, Antivir, TASKMGR.
- It disables the permanent protection of the antivirus program by deleting the following entry from the Windows Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Apvxdwin
- Klez.I deletes the following files, which belong to antivirus programs and allow them to check the integrity of other files: ANTI-VIR.DAT, CHKLIST.DAT, CHKLIST.MS, CHKLIST.CPS, CHKLIST.TAV, IVB.NTZ, SMARTCHK.MS, SMARTCHK.CPS, AVGQT.DAT and AGUARD.DAT. It also deletes APVXDWIN.EXE and AVENGINE.EXE on computers with Panda Antivirus installed.
Infection strategy
Klez.I creates the following files:
- WINK*.EXE in the Windows directory, which is a copy of the Klez.I worm.
- A file, which is 10,240 bytes in size, in the Program Files directory. Klez.I assigns it a random name (three letters and four numbers) and an EXE extension.
This file is detected by some antivirus programs as a virus called Elkern.C. It has a PE (Portable Executable) format and is 4,500 bytes in size.
Elkern.C looks for empty spaces in the files it wants to infect. When it finds empty spaces it fills them with its viral code without affecting the file size. This technique is known as cavity infection and makes this virus difficult to detect.
The Elkern.C virus infects files stored on all disk drives, from A: to Z:.
Klez.I creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Wink* = Wink*.exe
By creating this entry, Klez.I ensures that it is run whenever Windows is started.
Klez.I automatically carries out its infection in several ways:
- When the message carrying the worm is viewed in Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5).
- When the message carrying the worm is opened.
- When the file attached to the message is opened or run.
Means of transmission
Klez.I mainly uses e-mail to spread. It follows this routine:
- It reaches the computer in a message with variable characteristics:
Sender:
Klez.I spoofs the e-mail address from which it is sent, so the apparent sender is not the infected computer. This may cause confusion.
Version 1:
Subject:
A powful tool
Message:
This is a special powful tool
I expect you would enjoy it
Attachments: It contains two.
One of the files has one of the following extensions: PIF, BAT, EXE or SCR.
The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.
Version 2:
Subject:
Worm Klez.E immunity
Message:
Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question, please mail to me
Attachments: It contains two.
One has one of the following extensions: PIF, BAT, EXE or SCR.
The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.
Version 3:
Most frequent subject:
A funny website
Other possible subjects:
How are you
Sito utilizza frames!!
Fw:introduction on ADSL
Look,my beautiful girl friend
Reset Display
205 MB of free hard disk space, but may
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
On some occasions, the subject is constructed from one of the following templates:
Re: Fw: Undeliverable mail--"%s"
Returned mail--"%s"
a %s %s game
a %s %s tool
a %s %s website
a %s %s patch
%s removal tools
The symbol %s stands for a word chosen randomly from: new, funny, nice, humour, excite, good, powful, WinXP, IE 6.0, W32.Elkern, W32.Klez.E, Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky.
In some other cases, the subject consists of several phrases, where the symbol %s stands for one of the following words: enjoy, like, wish, hope or expect.
The following are some examples:
I %s you would %s it.
The following mail can't be sent to %s:
The attachment The file is the original mail give you the %s
is a %s dangerous virus that %s can infect on Win98/Me/2000/XP.
spread through email.
very special
http:// www. .com
For more information,please visit
This is
Christmas
New year
Saint Valentine's Day
Allhallowmas
April Fools'Day
Lady Day
Assumption
Candlemas
All Souls'Day
Epiphany
Happy
Have a
Message:
This is a funny website
I hope you would like it
Attachments: It contains two.
One has one of the following extensions: PIF, BAT, EXE or SCR.
The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.
- It activates when the message carrying it is opened or viewed in Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5). Microsoft has already released the patch that fixes this problem.
- Klez.I sends itself out to all the contacts in the Address Book, using an SMTP connection.
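The subject templates, `%s` word list and two-attachment pattern described above can be turned into a mail-gateway heuristic. The following Python script is an added example for this entry, not Panda's code; the sample messages and the `score_message` function are constructed here for illustration.

```python
import re

# Subject templates from the Klez.I description; each %s is one word from WORDS.
TEMPLATES = [
    'Re: Fw: Undeliverable mail--"%s"', 'Returned mail--"%s"',
    "a %s %s game", "a %s %s tool", "a %s %s website", "a %s %s patch",
    "%s removal tools",
]
WORDS = ["new", "funny", "nice", "humour", "excite", "good", "powful", "WinXP",
         "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee",
         "F-Secure", "Sophos", "Trendmicro", "Kaspersky"]
# A few of the fixed subjects listed for versions 1 to 3.
FIXED_SUBJECTS = {"a funny website", "a powful tool", "worm klez.e immunity",
                  "how are you", "let's be friends", "your password", "sos!"}
EXEC_EXT = {"pif", "bat", "exe", "scr"}          # the worm's own attachment
DATA_EXT = {"txt", "htm", "html", "wab", "asp", "doc", "rtf", "xls", "jpg",
            "cpp", "c", "pas", "mpg", "mpeg", "bak", "mp3", "pdf"}  # harvested file

def _compile(template):
    # Expand every %s into an alternation of the known words (case-insensitive).
    word = "(?:" + "|".join(re.escape(w) for w in WORDS) + ")"
    return re.compile("^" + re.escape(template).replace("%s", word) + "$", re.IGNORECASE)

SUBJECT_RES = [_compile(t) for t in TEMPLATES]

def subject_matches(subject):
    s = subject.strip()
    return s.lower() in FIXED_SUBJECTS or any(r.match(s) for r in SUBJECT_RES)

def attachments_match(names):
    # Klez.I always carries exactly two attachments: one executable, one harvested document.
    exts = [n.rsplit(".", 1)[-1].lower() for n in names if "." in n]
    return (len(names) == 2 and any(e in EXEC_EXT for e in exts)
            and any(e in DATA_EXT for e in exts))

def score_message(msg):
    """Return the reasons a message resembles a Klez.I carrier (empty list = no match)."""
    reasons = []
    if subject_matches(msg["subject"]):
        reasons.append("subject matches Klez.I template")
    if attachments_match(msg["attachments"]):
        reasons.append("executable + harvested-document attachment pair")
    return reasons

# Constructed sample messages (not real captures).
SAMPLES = [
    {"subject": "a nice WinXP patch", "attachments": ["setup.exe", "report.doc"]},
    {"subject": 'Returned mail--"Symantec"', "attachments": ["mail.pif", "notes.txt"]},
    {"subject": "Q3 budget", "attachments": ["budget.xls"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", score_message(m) or "clean")
```

A subject-only hit is weak on its own (the fixed subjects are ordinary phrases), so a gateway rule should require both reasons before quarantining.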
Further Details
Klez.I is written in the programming language Visual C++ 6.0 and is 85 Kbytes in size.