Klez.I
Threat LevelDamageDistribution

Effects 

When Klez.I activates and carries out its infection, it has the following effects:

• It drops a virus called W32/Elkern.C in the affected computer.
• It selects a file at random from the infected computer and sends it out to third-parties. This file can have any of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 and PDF.
• It looks for the following processes in memory and if it finds them, it ends them:
  _AVP32, _AVPCC, NOD32, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NAV, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, _AVPM, ALERTSVC, AMON, AVP32, AVPCC, AVPM, N32SCANW, NAVWNT, ANTIVIR, AVPUPD, AVGCTRL, AVWIN95, SCAN32, VSHWIN32, F-STOPW, F-PROT95, ACKWIN32, VETTRAY, VET95, SWEEP95, PCCWIN98, IOMON98, AVPTC, AVE32, AVCONSOL, FP-WIN, DVP95, F-AGNT95, CLAW95, NVC95, SCAN, VIRUS, LOCKDOWN2000, Norton, Mcafee, Antivir, TASKMGR.
• It disables the permanent protection of the antivirus program by deleting the following entry from the Windows Registry:
  HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  Apvxdwin
• Klez.I deletes the following files, which belong to antivirus programs and allow them to check the integrity of other files: ANTI-VIR.DAT, CHKLIST.DAT, CHKLIST.MS, CHKLIST.CPS, CHKLIST.TAV, IVB.NTZ, SMARTCHK.MS, SMARTCHK.CPS, AVGQT.DAT and AGUARD.DAT. APVXDWIN.EXE and AVENGINE.EXE in computers with Panda Antivirus installed.

Infection strategy 

Klez.I creates the following files:

• WINK*.EXE in the Windows directory, which is a copy of the Klez.I worm.
• A file, which is 10,240 bytes in size, in the Program Files directory. It assigns it a random name (three letters and four numbers) and an EXE extension.
  
  This file is detected by some antivirus programs as a virus called Elkern.C. This file has a PE format (Portable Executable) and is 4,500 Bytes in size.
  Elkern.C looks for empty spaces in the files it wants to infect. When it finds empty spaces it fills them with its viral code without affecting the file size. This technique is known as cavity infection and makes this virus difficult to detect.
  The Elkern.C virus infects files stored on all disk drives, from A: to Z:.

Klez.I creates the following entry in theWindows Registry:

• HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  Wink* = Wink*.exe
  By creating this entry, Klez.I ensures that it is run whenever Windows is started.

Klez.I automatically carries out its infection in several ways:

• When the message carrying the worm is viewed in Outlook's Preview Pane . It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5).
• When the message carrying the worm is opened.
• When the file attached to the message is opened or run.

Means of transmission 

Klez.I mainly uses e-mail to spread. It follows this routine:

• It reaches the computer in a message with variable characteristics:
  
  Sender:
  Klez.I spoofs the e-mail address from which it is sent. This may cause confusion. For further information, click here.
  
  Version 1:
  
  Subject:
  A powful tool
  
  Message:
  This is a special powful tool
  I expect you would enjoy it
  
  Attachments: It contains two.
  One of the files has one of the following extensions: PIF, BAT, EXE or SCR.
  The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.
  
  
  Version 2:
  
  Subject:
  Worm Klez.E immunity
  
  Message:
  
  Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
  Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
  We developed this free immunity tool to defeat the malicious virus.
  You only need to run this tool once,and then Klez will never come into your PC.
  NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
  If so,Ignore the warning,and select 'continue'.
  If you have any question, please mail to me <sender's address>
  
  Attachments: It contains two.
  One has one of the following extensions: PIF, BAT, EXE or SCR.
  The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.
  
  Version 3:
  
  Most frequent subject:
  A funny website
  Other possible subjects:
  !supportEmptyParas
  How are you
  Sito utilizza frames!!
  Fw:introduction on ADSL
  Look,my beautiful girl friend
  Reset Display
  205 MB of free hard disk space, but may
  let's be friends
  darling
  so cool a flash,enjoy it
  your password
  honey
  some questions
  please try again
  welcome to my hometown
  the Garden of Eden
  meeting notice
  questionnaire
  congratulations
  sos!
  japanese girl VS playboy
  eager to see you
  spice girls' vocal concert
  japanese lass' sexy pictures
  On some occasions, the subjects is constructed as follows:
  Re: Fw: Undeliverable mail--"%s"
  Returned mail--"%s"
  a %s %s game
  a %s %s tool
  a %s %s website
  a %s %s patch
  %s removal tools
  The symbol %s stands for a word chosen randomly from: new, funny, nice, humour, excite, good, powful, WinXP, IE 6.0, W32.Elkern, W32.Klez.E, Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky.
  In some other cases, the subject consists of several phrases, where the symbol %s stands for one of the following words: enjoy, like, wish, hope or expect.
  The following are some examples:
  I %s you would %s it.
  The following mail can't be sent to %s:
  The attachment The file is the original mail give you the %s
  is a %s dangerous virus that %s can infect on Win98/Me/2000/XP.
  spread through email.
  very special
  http:// www. .com
  For more information,please visit
  This is
  Christmas
  New year
  Saint Valentine's Day
  Allhallowmas
  April Fools'Day
  Lady Day
  Assumption
  Candlemas
  All Souls'Day
  Epiphany
  Happy
  Have a
  
  Message:
  This is a funny website
  I hope you would like it
  
  Attachments: It contains two.
  One has one of the following extensions: PIF, BAT, EXE or SCR.
  The other file is selected at random from the infected computer from which the e-mail is sent and has one of the following extensions: TXT, HTM, HTML, WAB, ASP, DOC, RTF, XLS, JPG, CPP, C, PAS, MPG, MPEG, BAK, MP3 or PDF.
• It activates when the message carrying it is open or viewed in Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5). Microsoft has already released the patch that fixes this problem.
• Klez.I sends itself out to all the contacts in the Address Book, using a SMTP connection.

Further Details  

Klez.I is written in the programming language Visual C++ 6.0 and is 85 Kbytes in size.