Worm:W32/Klez

On some systems the worm is able to self-launch itself when an infected email is viewed (for example, with Outlook and IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that allows execution of an email attachment. This vulnerability is fixed and a patch for it is available on Microsoft site: http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

This worm/virus combo apparently originated from Asia, possibly China or Hong Kong. First infections were located early on the morning of 26th of October, 2001.

Propagation (email)

The emails sent by Klez can have a wide variety of different subject fields such as:

Subject:

• Hi
• Hello
• How are you?
• Can you help me?
• We want peace
• Where will you go?
• Congratulations!!!
• Don't cry
• Look at the pretty
• Some advice on your shortcoming
• Free XXX Pictures
• A free hot porn site
• Why don't you reply to me?
• How about have dinner with me together?
• Never kiss a stranger

The message has no text in body and the attachment name is random.

The worm part contains a hidden message targeted towards anti-virus researchers. Most email clients will not show this message. It looks like this:

The Klez worm copies itself to root directories of local and network drives with a random name and with double extension, such as .TXT.EXE.

Variants

Variant:Klez.D

Klez.D appeared in the wild on 11th of November, 2001. This variant has a few changes compared to the previous versions. First of all it looks for email addresses in the user's ICQ database files also. This means that anyone in the user's ICQ contact list is a potential recipient of the worm.

Another change in the email part is that the attachments can now have .EXE and .PIF extension also. It was only .EXE with the previous versions. When the worm is copied to the Windows system directory it's nownamed as 'WinSvc.exe'. The same name is used in the registry run key:

• 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSvc'

This version of the worm will try to locate and terminate processes that contain the words like 'Nimda', 'CodeRed', 'Code Red', 'CodeBlue', 'Code Blue'.

It also has a string inside that is never displayed:

• 'I will try my best to kill some virus'

F-Secure Anti-Virus detects and stops both Klez and Elkern. Detection was added with the update shipped on 26th of October around 15 o'clock GMT. The update with detection for D variant was published on 12th of November 09:00GMT.

Variant:Klez.E

Klez.E is a new variant of Klez worm that was first discovered on 17th of January 2002. The worm is "version 2.0" according to its author's classification and has several new features comparing to the older variants. The worm still has bugs that remained from previous versions.

The differences from the original version are as follows:

• The worm installs itself to Windows System directory as WINKxxxx.EXE file. The 'xxxx' can be 2-3 random letters. The worm creates an autostarting key for its file in System Registry.
• The worm now has file infection capabilities. When infecting an EXE file, the worm overwrites it and creates a backup file with the same name as the infected file, but with a random extension with hidden, system and read-only attributes. When the infected file is run, the worm extracts the original program from a backup file with its original name plus 'MP8' and runs it. After the program terminates, the worm deletes it. The worm does not infect files with the following names:
  • EXPLORER
  • CMMGR
  • MSIMN
  • ICWCONN
  • WINZIP
  This type of infection is called 'companion infection'.
• The worm has network spreading capabilities. The worm enumerates network resources and copies itself to remote drives twice - once as an executable file with single or double extension, and second time as a RAR archive that can have single or double extension as well. The RAR archive contains the worm's executable file with one of the following names:
  • setup
  • install
  • demo
  • snoopy
  • picacu
  • kitty
  • play
  • rock
• The first extension of the RAR archive or of the worm's executable can be:
  • .txt
  • .htm
  • .html
  • .wab
  • .doc
  • .xls
  • .jpg
  • .cpp
  • .c
  • .pas
  • .mpg
  • .mpeg
  • .bak
  • .mp3
• The second or the only extension of the worm's executable file can be:
  • .exe
  • .scr
  • .pif
  • .bat
• The dropped RAR archive and worm's executable file name is either random or belongs to a file, that a worm found on a host system. So it can be for example QQ.PAS.EXE , KERNEL.MP3.PIF , DOCUMENT.SCR and so on.
• The worm kills tasks of anti-virus and security software as well as tasks of several other worms - Nimda, Sircam, Funlove and CodeRed. The worm opens processes and looks for the specific text strings there. If a specific text string is found in a process, the worm terminates this process. The strings the worm looks for are:
  • Sircam
  • Nimda
  • CodeRed
  • WQKMM3878
  • GRIEF3878
  • Fun Loving Criminal
  • Norton
  • Mcafee
  • Antivir
  • Avconsol
  • F-STOPW
  • F-Secure
  • Sophos
  • virus
  • AVP Monitor
  • AVP Updates
  • InoculateIT
  • PC-cillin
  • Symantec
  • Trend Micro
  • F-PROT
  • NOD32
• Also the worm terminates processes with the following names:
  • _AVP32
  • _AVPCC
  • NOD32
  • NPSSVC
  • NRESQ32
  • NSCHED32
  • NSCHEDNT
  • NSPLUGIN
  • NAV
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVRUNR
  • NAVW32
  • _AVPM
  • ALERTSVC
  • AMON
  • AVP32
  • AVPCC
  • AVPM
  • N32SCANW
  • NAVWNT
  • ANTIVIR
  • AVPUPD
  • AVGCTRL
  • AVWIN95
  • SCAN32
  • VSHWIN32
  • F-STOPW
  • F-PROT95
  • ACKWIN32
  • VETTRAY
  • VET95
  • SWEEP95
  • PCCWIN98
  • IOMON98
  • AVPTC
  • AVE32
  • AVCONSOL
  • FP-WIN
  • DVP95
  • F-AGNT95
  • CLAW95
  • NVC95
  • SCAN
  • VIRUS
  • LOCKDOWN2000
  • Norton Mcafee
  • Antivir
  • TASKMGR