WORM_KLEZ.H
Technical Details

Size of malware: ~80 KBytes

Initial samples received on: Apr 17, 2002

Variant of WORM_KLEZ.A

Related to PE_ELKERN.D


Payload 1: Terminates and deletes antivirus programs


Payload 2: Drops file infector



Details:

Arrival and Installation

This variant of the Klez family arrives as an email attachment that automatically runs when viewed or previewed in Microsoft Outlook or Outlook Express on machines with unpatched versions of Microsoft Internet Explorer. The details of the email it arrives with are described in the succeeding sections.

Upon execution, this worm drops a copy of itself as WINK*.EXE in the Windows System folder.

(Where * is a randomly generated variable length string composed of alphabetical characters. For example, it may drop the copy as WINKABC.EXE)

It may also drop a copy of itself as %X%Y.EXE in the Windows Temp folder.

(Where %X is a randomly generated variable length string composed of alphabetical characters and %Y is a randomly generated variable length string composed of numeric characters. For example, it may drop the copy as ABC123.EXE)

Autorun Techniques

This worm creates the following registry entry so that it executes at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Wink*

(Where * is a randomly generated variable length string composed of alphabetical characters.)

It registers itself as a process so that it is invisible on the Windows Taskbar.

On Windows 2000 and XP, it sets itself as a service by creating the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Wink*

(Where * is a randomly generated variable length string composed of alphabetical characters.)

Dropping of PE_ELKERN.D

This worm drops another file with the random name, %X%Y.EXE, in the Program Files folder and spawns it as another process. The file is a copy of the file infector detected as PE_ELKERN.D.

(Where %X is a randomly generated variable length string composed of alphabetical characters and %Y is a randomly generated variable length string composed of numeric characters. For example, it may drop the copy as XYZ789.EXE)

Companion-Type Infection

This worm modifies .EXE files by encrypting them using a Run-Length compression algorithm. It renames the encrypted file to:

    <Filename>.<Extension>

(Where <Filename> is the original filename and <Extension> is a randomly generated three-letter string.)

The encrypted file is set as Read-Only, Hidden, System, and Archive.

This worm then copies itself into the same folder and assumes the original file name, icon, and file size of the modified file. As a consequence, users may not notice the infection.

When the worm copy is executed, it decrypts the host program in the companion file then spawns it as another process.
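The installation, autorun and companion-infection sections above describe three host-side artifacts a responder can look for: WINK*.EXE copies and Wink* Run values or service names, %X%Y.EXE drops, and an .EXE sitting next to a same-named file with a random three-letter extension and the Read-Only, Hidden, System and Archive attributes set. The following Python is an added triage example, not code from Trend Micro or from the worm; the inventories it scans are constructed inline, and the list of common extensions used to suppress false positives in the companion check is an assumption of this example.

```python
import re

# Name patterns taken from the write-up. Inventories are constructed for this
# example; on a real host they would come from a directory listing with
# attributes and a registry export.
WINK_EXE_RE = re.compile(r"^WINK[A-Z]+\.EXE$", re.I)   # WINK*.EXE in System folder
WINK_NAME_RE = re.compile(r"^WINK[A-Z]+$", re.I)       # Run value name / service name
XY_EXE_RE = re.compile(r"^[A-Z]+[0-9]+\.EXE$", re.I)   # %X%Y.EXE in Temp / Program Files
COMPANION_ATTRS = {"R", "H", "S", "A"}                 # Read-Only, Hidden, System, Archive
# Assumed allowlist: extensions that should never be treated as a random companion ext.
COMMON_EXTS = {"exe", "dll", "com", "bat", "sys", "txt", "ini", "dat", "log", "hlp"}


def find_wink_autoruns(run_values, service_names):
    """Run values and service names of the form Wink*."""
    hits = []
    for name, data in run_values.items():
        if WINK_NAME_RE.match(name) or WINK_EXE_RE.match(data.rsplit("\\", 1)[-1]):
            hits.append(("run", name))
    hits += [("service", s) for s in service_names if WINK_NAME_RE.match(s)]
    return hits


def find_companion_pairs(listing):
    """listing: list of (name, attrs) with attrs a set of DOS attribute letters.
    Returns (exe, companion) pairs: an .EXE beside a file with the same stem, a
    three-letter extension outside COMMON_EXTS, and R+H+S+A all set."""
    by_stem = {}
    for name, attrs in listing:
        if "." not in name:
            continue
        stem, _, ext = name.rpartition(".")
        by_stem.setdefault(stem.lower(), []).append((name, ext.lower(), attrs))
    pairs = []
    for entries in by_stem.values():
        exes = [e for e in entries if e[1] == "exe"]
        odd = [e for e in entries
               if len(e[1]) == 3 and e[1] not in COMMON_EXTS and COMPANION_ATTRS <= e[2]]
        pairs += [(exe[0], comp[0]) for exe in exes for comp in odd]
    return pairs


def triage(inv):
    """Combine the indicators. %X%Y.EXE on its own is too generic to act on, so it
    is reported only as corroboration when a stronger indicator is present."""
    wink_files = [f for f, _ in inv["system"] if WINK_EXE_RE.match(f)]
    autoruns = find_wink_autoruns(inv["run"], inv["services"])
    companions = find_companion_pairs(inv["program_files"])
    xy = [f for folder in ("temp", "program_files")
          for f, _ in inv[folder] if XY_EXE_RE.match(f)]
    strong = bool(wink_files or autoruns or companions)
    return {
        "verdict": "likely WORM_KLEZ.H" if strong else "no Klez indicator",
        "wink_files": wink_files,
        "autoruns": autoruns,
        "companions": companions,
        "corroborating_xy_files": xy if strong else [],
    }


SAMPLE_INVENTORY = {  # constructed for this example
    "system": [("KERNEL32.DLL", {"A"}), ("WINKABC.EXE", {"A"})],
    "temp": [("~DF1234.TMP", {"A"}), ("ABC123.EXE", {"A"})],
    "program_files": [
        ("XYZ789.EXE", {"A"}),
        ("NOTEPAD.EXE", {"A"}),                  # worm copy wearing the original name
        ("NOTEPAD.QXZ", {"R", "H", "S", "A"}),   # encrypted original (companion file)
        ("README.TXT", {"A"}),
    ],
    "run": {"SystemTray": "SysTray.Exe", "WinkABC": "C:\\WINDOWS\\SYSTEM\\WINKABC.EXE"},
    "services": ["Browser", "WinkABC", "Messenger"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_INVENTORY), indent=2))
```

The companion check keys on the attribute combination rather than on the extension alone, because the extension is random; the allowlist only stops a legitimately hidden system file with a three-letter extension from being paired with an unrelated executable.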

Network Propagation

This worm copies itself into shared network drives either as an executable or inside a RAR archive. The file names of the dropped files have the following formats:

  • <filename>.%ext1%.%ext2%
  • <filename>.RAR

(Where <filename> is a string taken from the name of an actual file or folder on the infected system.)

%ext1% is chosen from the following list:

  • asp
  • bak
  • c
  • cpp
  • doc
  • htm
  • html
  • jpg
  • mp3
  • mpeg
  • mpg
  • pas
  • pdf
  • rtf
  • txt
  • wab
  • xls

%ext2% is chosen from the following list if the file is an executable file:

  • bat
  • exe
  • pif
  • scr

The extension is simply RAR, as shown in the second format, if it is a RAR archive. In this case, the file inside the archive has the following name format:

    <filename>.%ext%

<filename> is chosen from the following:

  • demo
  • install
  • kitty
  • picacu
  • play
  • rock
  • setup
  • snoopy

%ext% is chosen from the following:

  • bat
  • exe
  • pif
  • scr
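The naming formats above give a share scanner two concrete things to test: a double extension whose first part is from the %ext1% list and whose second part is from the %ext2% list, and a RAR archive containing one of the listed bait names with an executable extension. The following Python is an added example, not code from the original write-up; the share listing is constructed, and a real scan would walk the share and list archive members itself.

```python
# Word lists copied from the write-up.
EXT1 = {"asp", "bak", "c", "cpp", "doc", "htm", "html", "jpg", "mp3", "mpeg",
        "mpg", "pas", "pdf", "rtf", "txt", "wab", "xls"}
EXT2 = {"bat", "exe", "pif", "scr"}
RAR_INNER_NAMES = {"demo", "install", "kitty", "picacu", "play", "rock", "setup", "snoopy"}


def classify_share_file(name, archive_members=None):
    """Return a reason string if `name` fits a Klez drop format, otherwise None.

    archive_members: member names if `name` is an archive that has been listed.
    A bare <filename>.RAR cannot be judged without looking inside it, so it is
    returned as None when no member list is given."""
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-2] in EXT1 and parts[-1] in EXT2:
        return "double extension .%s.%s" % (parts[-2], parts[-1])
    if parts[-1] == "rar" and archive_members:
        for member in archive_members:
            stem, _, ext = member.lower().rpartition(".")
            if stem in RAR_INNER_NAMES and ext in EXT2:
                return "RAR archive containing %s" % member
    return None


def scan_share(listing):
    """listing: iterable of (name, members_or_None). Returns [(name, reason), ...]."""
    hits = []
    for name, members in listing:
        reason = classify_share_file(name, members)
        if reason:
            hits.append((name, reason))
    return hits


SAMPLE_LISTING = [  # constructed for this example
    ("Budget 2002.xls", None),
    ("Budget 2002.xls.exe", None),
    ("report.doc.scr", None),
    ("photos.rar", ["setup.exe"]),
    ("backup.rar", ["vacation.jpg"]),
    ("archive.rar", None),
    ("notes.txt", None),
]

if __name__ == "__main__":
    for name, reason in scan_share(SAMPLE_LISTING):
        print("%-22s %s" % (name, reason))
```

Because the outer <filename> is copied from a real file or folder on the infected host, only the trailing extensions carry signal; matching on the stem would miss every drop.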

Email Propagation

This worm uses its own SMTP engine to send email. It obtains its recipients from the following sources:

  • Windows Address Books
  • ICQ data files
  • Files found on the host machine

It obtains the user SMTP server by reading the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\

It uses the server to send email.

If the user SMTP server is unavailable, it attempts to use the following SMTP servers:

  • smtp.wb-japan.co.jp
  • smtp.verizon.net
  • smtp.arquired.es
  • smtp.difac.com

This worm sends email with the following details:

Sender

It spoofs the sender email, taking it from gathered email addresses.

Subject and Message Body

Option 1: No Subject. No Mail Body.

Option 2: Subject chosen from the following. No Mail Body.

  • congratulations
  • darling
  • eager to see you
  • honey
  • how are you
  • introduction on ADSL
  • japanese girl VS playboy
  • japanese lass sexy pictures
  • let's be friends
  • look,my beautiful girl friend
  • meeting notice
  • please try again
  • questionnaire
  • so cool a flash,enjoy it
  • some questions
  • sos!
  • spice girls vocal concert
  • the Garden of Eden
  • welcome to my hometown
  • your password

The subject may be preceded by any of the following:

  • Hi,<username>,
  • Hello,<username>,
  • Re:
  • Fw:

Option 3:

Subject is in the format:

    a %string1% %string2% game

%string1% is chosen from the following:

  • <none>
  • very
  • special

%string2% is chosen from the following:

  • <none>
  • new
  • funny
  • nice
  • humour
  • excite
  • good
  • powful

Message body:

A %string1% %string2% game

This is a %string1% %string2% game
This game is my first work.
You're the first player.
I expect you would enjoy it.

Option 4:

Subject: %string1% removal tools

%string1% can be any of the following:

  • W32.Elkern
  • W32.Klez.E

Message body:

%string2% give you the %string1% removal tools
%string1% is a dangerous virus that can infect on Win98/Me/2000/XP.

For more information,please visit http://www.%string2%.com

Where %string2% can be any of the following:

  • Symantec
  • Mcafee
  • F-Secure
  • Sophos
  • Trendmicro
  • Kaspersky

Option 5:

Subject can be any of the following:

  • Undeliverable mail--"<random string>"
  • Returned mail--"<random string>"

Message Body:

The following mail can't be sent to <spoofed email>

From: <spoofed email>
To: <spoofed email>
Subject: <random string>
The file is the original mail

Option 6:

Subject: Worm Klez.E immunity

Message Body:

Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.

Option 7:

Subject: %string1% %string2%

%string1% can be any of the following:

  • Happy
  • Have a

%string2% can be any of the following:

  • All Souls Day
  • Allhallowmas
  • April Fools Day
  • Assumption
  • Candlemas
  • Christmas
  • Epiphany
  • Lady Day
  • New year
  • Saint Valentine's Day

Message body: <Random text>

Option 8:

Subject: Could be any of the following:

  • a %s %s tool
  • a %s %s patch

Where %s can be any of the following:

  • excite
  • funny
  • good
  • humour
  • IE 6.0
  • new nice
  • powful
  • W32.Elkern
  • W32.Klez.E
  • WinXP

Message body: Random text

Option 9:

Subject: a %string1% %string2% website

Where %string1% is chosen from the following:

  • <none>
  • very
  • special

%string2% is chosen from the following:

  • <none>
  • new
  • funny
  • nice
  • humour
  • excite
  • good
  • powful

Message body:

This is <subject>
I %string2% you would %string3% it.

Where %string2% can be any of the following:

  • expect
  • hope
  • wish

Where %string3% can be any of the following:

  • enjoy
  • like

Option 10:

Subject: Chosen from existing files and folder names.

Message body: <none>
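The subject templates in Options 2 through 9 expand to a finite set of strings, which is what a mail-gateway rule needs. The following Python is an added example, not code from the original write-up: it expands the word lists above into the full subject set and matches incoming subjects against it after stripping the Option 2 prefixes. It assumes, since the write-up does not say, that the worm joins template slots with single spaces and that an empty slot simply collapses; subjects are therefore compared with whitespace normalised. Option 5 (random strings) and Option 10 (file names) are not expandable and are left out.

```python
import itertools
import re

# Word lists copied from the write-up; "<none>" becomes an empty slot.
OPTION2 = ["congratulations", "darling", "eager to see you", "honey", "how are you",
           "introduction on ADSL", "japanese girl VS playboy",
           "japanese lass sexy pictures", "let's be friends",
           "look,my beautiful girl friend", "meeting notice", "please try again",
           "questionnaire", "so cool a flash,enjoy it", "some questions", "sos!",
           "spice girls vocal concert", "the Garden of Eden", "welcome to my hometown",
           "your password"]
S1_WORDS = ["", "very", "special"]                                   # Options 3 and 9
S2_WORDS = ["", "new", "funny", "nice", "humour", "excite", "good", "powful"]
REMOVAL_NAMES = ["W32.Elkern", "W32.Klez.E"]                         # Option 4
HOLIDAY_PREFIX = ["Happy", "Have a"]                                 # Option 7
HOLIDAYS = ["All Souls Day", "Allhallowmas", "April Fools Day", "Assumption",
            "Candlemas", "Christmas", "Epiphany", "Lady Day", "New year",
            "Saint Valentine's Day"]
OPTION8_WORDS = ["excite", "funny", "good", "humour", "IE 6.0", "new nice", "powful",
                 "W32.Elkern", "W32.Klez.E", "WinXP"]
# Option 2 prefixes: "Hi,<username>," / "Hello,<username>," / "Re:" / "Fw:"
PREFIX_RE = re.compile(r"^(?:hi,[^,]*,|hello,[^,]*,|re:|fw:)\s*", re.I)


def normalize(subject):
    """Strip an Option 2 prefix, collapse whitespace (assumed joiner), lower-case."""
    s = PREFIX_RE.sub("", subject.strip())
    return re.sub(r"\s+", " ", s).strip().lower()


def expand_subjects():
    """Expand every fixed and templated subject into one normalised set."""
    subjects = set(OPTION2)
    subjects.update("a %s %s game" % p for p in itertools.product(S1_WORDS, S2_WORDS))
    subjects.update("a %s %s website" % p for p in itertools.product(S1_WORDS, S2_WORDS))
    subjects.update("%s removal tools" % n for n in REMOVAL_NAMES)
    subjects.add("Worm Klez.E immunity")                             # Option 6
    subjects.update("%s %s" % p for p in itertools.product(HOLIDAY_PREFIX, HOLIDAYS))
    subjects.update("a %s %s %s" % (a, b, kind)                      # Option 8
                    for a, b in itertools.product(OPTION8_WORDS, repeat=2)
                    for kind in ("tool", "patch"))
    return {normalize(s) for s in subjects}


KLEZ_SUBJECTS = expand_subjects()


def is_klez_subject(subject):
    """True if the subject is one the worm can generate. Several entries
    ("how are you", "Christmas") are ordinary mail subjects, so a match is a
    weak signal to combine with an attachment check, not a verdict on its own."""
    return normalize(subject) in KLEZ_SUBJECTS


if __name__ == "__main__":
    print(len(KLEZ_SUBJECTS), "distinct subjects")
    for s in ["Fw: meeting notice", "a very funny game", "Quarterly budget review"]:
        print("%-26s %s" % (s, is_klez_subject(s)))
```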

Email Exploit

The email message sent by this worm uses a known vulnerability in Internet Explorer-based email clients that causes the file attachment to execute automatically. The exploit is known as the Automatic Execution of Embedded MIME type.

The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi, so that when recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook.

More information on this vulnerability is available in the Microsoft Security Bulletin "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".
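The exploit works because the client trusts the declared Content-Type (audio/x-wav or audio/x-midi) over what the attachment actually is. A gateway check should do the opposite and judge the part by its content. The following Python is an added example, not code from the original write-up or from Microsoft: it parses a message with the standard `email` module and flags any part declared as one of those audio types whose payload begins with the "MZ" executable header or whose file name has an executable extension. The test message it builds is constructed and contains no real malware.

```python
import email
from email import policy
from email.message import EmailMessage

# Content types the write-up says the worm declares for its executable attachment.
AUDIO_TYPES = {"audio/x-wav", "audio/x-midi"}
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".bat")


def find_disguised_executables(raw_message: bytes):
    """Return (content_type, filename, evidence) for every part declared as audio
    whose decoded payload starts with the DOS/PE "MZ" magic, or failing that,
    whose file name carries an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype not in AUDIO_TYPES:
            continue
        payload = part.get_payload(decode=True) or b""   # decodes base64 transfer encoding
        filename = part.get_filename() or ""
        if payload[:2] == b"MZ":
            findings.append((ctype, filename, "MZ header"))
        elif filename.lower().endswith(EXEC_SUFFIXES):
            findings.append((ctype, filename, "executable filename"))
    return findings


def build_sample_message(attachment: bytes, declared_type: str, filename: str) -> bytes:
    """Construct a test message (not a worm sample) carrying one attachment whose
    Content-Type is forced to `declared_type` regardless of its real contents."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached file.")
    maintype, subtype = declared_type.split("/", 1)
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60      # only the two magic bytes matter here
    raw = build_sample_message(fake_pe, "audio/x-wav", "setup.exe")
    print(find_disguised_executables(raw))
```

Checking the magic bytes first means a renamed executable with an innocuous file name is still caught; the file-name test only adds coverage for a part that declares an executable name but whose body is something else.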

Antivirus Retaliation

The worm terminates the following processes, which are mostly antivirus programs:

  • _AVPCC
  • _AVPM
  • ACKWIN32
  • ALERTSVC
  • AMON
  • ANTIVIR
  • Antivir
  • AVCONSOL
  • AVE32
  • AVGCTRL
  • AVP32
  • AVPCC
  • AVPM
  • AVPTC
  • AVPUPD
  • AVWIN95
  • CLAW95
  • DVP95
  • F-AGNT95
  • F-PROT95
  • FP-WIN
  • F-STOPW
  • IOMON98
  • LOCKDOWN2000
  • Mcafee
  • N32SCANW
  • NAV
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVRUNR
  • NAVW32
  • NAVWNT
  • NOD32
  • Norton
  • NPSSVC
  • NRESQ32
  • NSCHED32
  • NSCHEDNT
  • NSPLUGIN
  • NVC95
  • PCCWIN98
  • SCAN
  • SCAN32
  • SWEEP95
  • TASKMGR
  • VET95
  • VETTRAY
  • VIRUS
  • VSHWIN32

On certain occasions, it deletes the files associated with terminated processes.

This worm also searches the following registry key for entries with strings that match the described process list:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It deletes registry entries with matching strings.

It also deletes the following files, which belong to antivirus programs:

  • ANTI-VIR.DAT
  • CHKLIST.CPS
  • CHKLIST.DAT
  • CHKLIST.MS
  • CHKLIST.TAV
  • IVB.NTZ
  • SMARTCHK.MS

Other Details

This worm's body contains the following text strings when decrypted:

Win32 Klez V2.01 & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing

Damaged Samples

Trend Micro detects misinfections and damaged, corrupted, and truncated samples of this worm as WORM_KLEZ.DAM. These files do not function properly and cannot execute.




Analysis by: Daniel Biado

Revision History:

First pattern file version: 4.906.01
First pattern file release date: Dec 24, 2007
