Skip to content

Export page to PDF
WORM_KLEZ.H
Aliases: W32.Klez.H@mm(Symantec), W32/Klez.h@MM(McAfee), Email-Worm.Win32.Klez.h(Kaspersky), W32/Klez-H(Sophos), W32/Elkern.C(Avira), W32/Klez.H@mm (exact)(F-Prot)
Malware type: Worm
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
Encrypted: Yes
In the wild: Yes

Overview


Infection Channel: Spammed via email

This worm arrives as attachment to mass-mailed email messages.

It deletes autostart registry entries associated with the processes it terminates to completely disable applications.

It gathers target email addresses from the Windows Address Book (WAB). It exploits software vulnerabilities to automatically execute attachments once a user reads or previews spammed messages. It does this action to allow easy execution of email attachments without the user opening the said attachments.

Technical Details


File size: Varies
File type: EXE
Memory resident: Yes
Initial samples received date: 21 Jan 2003
Payload: Terminates processes, Connects to URLs/IPs

Arrival Details

This worm arrives as attachment to mass-mailed email messages.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\WINK{random alphabetic characters}.EXE
  • %Temp%\{random alphabetic characters}{random digits}.EXE

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.)

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Wink{random alphabetic characters}
ImagePath = "%System%\WINK{random alphabetic characters}.EXE" (if the operating system is Windows NT, 2000, or XP)

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Wink{random alphabetic characters} = "%System%\WINK{random alphabetic characters}.EXE" (if the operating system is Windows 95, 98 or ME)

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Wink{random alphabetic characters} (if the operating system is Windows NT, 2000, or XP)

Other System Modifications

This worm deletes the following files:

  • ANTI-VIR.DAT
  • CHKLIST.CPS
  • CHKLIST.DAT
  • CHKLIST.MS
  • CHKLIST.TAV
  • IVB.NTZ
  • SMARTCHK.MS

It deletes autostart registry entries associated with the processes it terminates to completely disable applications.

Propagation

This worm drops copies of itself in the following shared folders:

  • {random file name}.{random extension 1}.{random extension 2}
  • {random file name}.RAR

It searches for available SMTP servers by checking the following registry key(s):

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts

It gathers target email addresses from data files related to the following instant messaging application(s):

  • ICQ

It gathers target email addresses from the Windows Address Book (WAB).

It composes messages as part of its spamming routine. The messages it sends has the following details:

Sender: Taken from the gathered email addresses
Option 1:

  • Subject: none
  • Mail Body: none

Option 2:
  • Subject: chosen from the following:
    • congratulations
    • darling
    • eager to see you
    • honey
    • how are you
    • introduction on ADSL
    • japanese girl VS playboy
    • japanese lass sexy pictures
    • let's be friends
    • look,my beautiful girl friend
    • meeting notice
    • please try again
    • questionnaire
    • so cool a flash,enjoy it
    • some questions
    • sos!
    • spice girls vocal concert
    • the Garden of Eden
    • welcome to my hometown
    • your password

    The subject can be preceded by the following:
    • Hi,{user name},
    • Hello,{user name},
    • Re:
    • Fw:

  • Mail Body: none

Option 3:
  • Subject: a {string 1} {string 2} game
  • Mail Body:
    A {string 1} {string 2} game

    This is a {string 1} {string 2} game
    This game is my first work.
    You're the first player.
    I expect you would enjoy it.

Option 4:
  • Subject: {string 3} removal tools
  • Mail Body:
    {string 4} give you the {string 3} removal tools
    {string 3} is a dangerous virus that can infect on Win98/Me/2000/XP.

    For more information,please visit http://www.{string 4}.com

Option 5:
  • Subject: could be any of the following:
    • Undeliverable mail--"{random string}"
    • 'Returned mail--"{random string}"

  • Mail Body:
    The following mail can't be sent to {spoofed email address}

    From: {spoofed email address}
    To: {spoofed email address}
    Subject: {random string}
    The file is the original mail

Option 6:
  • Subject: Worm Klez.E immunity
  • Mail Body:
    Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
    Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious virus.
    You only need to run this tool once,and then Klez will never come into your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question,please mail to me.

Option 7:
  • Subject: {string 5} {string 6}
  • Mail Body: random text

Option 8:
  • Subject: could be any of the following:
    • a {string 7} {string 7} tool
    • a {string 7} {string 7} patch

    where {string 7} could be any of the following:
    • excite
    • funny
    • good
    • humour
    • IE 6.0
    • new nice
    • powful
    • W32.Elkern
    • W32.Klez.E
    • WinXP

  • Mail Body: random text

Option 9:
  • Subject: a {string 1} {string 2} website
  • Mail Body:
    This is {subject}
    I {string 8} you would {string 9} it.

    where {string 8} can be any of the following:
    • expect
    • hope
    • wish

    {string 9} can be any of the following:
    • enjoy
    • like

Option 10:
  • Subject: chosen from existing files and folder names
  • Mail Body: none

{string 1} is optional or could be any of the following:
  • very
  • special
{string 2} is optional or could be one of the following:
  • excite
  • funny
  • good
  • humour
  • new
  • nice
  • powful
{string 3} could be any of the following:
  • W32.Elkern
  • W32.Klez.E
{string 4} could be any of the following:
  • F-Secure
  • Kaspersky
  • Mcafee
  • Sophos
  • Symantec
  • Trendmicro
{string 5} could be any of the following:
  • Happy
  • Have a
{string 6} could be any of the following:
  • All Souls Day
  • Allhallowmas
  • April Fools Day
  • Assumption
  • Candlemas
  • Christmas
  • Epiphany
  • Lady Day
  • New year
  • Saint Valentine's Day

It exploits the following software vulnerabilities to automatically execute attachments once a user reads or previews a spammed message:

Process Termination

This worm terminates the following services if found on the affected system:

  • _AVPCC
  • _AVPM
  • ACKWIN32
  • ALERTSVC
  • AMON
  • ANTIVIR
  • Antivir
  • AVCONSOL
  • AVE32
  • AVGCTRL
  • AVP32
  • AVPCC
  • AVPM
  • AVPTC
  • AVPUPD
  • AVWIN95
  • CLAW95
  • DVP95
  • F-AGNT95
  • F-PROT95
  • FP-WIN
  • F-STOPW
  • IOMON98
  • LOCKDOWN2000
  • Mcafee
  • N32SCANW
  • NAV
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVRUNR
  • NAVW32
  • NAVWNT
  • NOD32
  • Norton
  • NPSSVC
  • NRESQ32
  • NSCHED32
  • NSCHEDNT
  • NSPLUGIN
  • NVC95
  • PCCWIN98
  • SCAN
  • SCAN32
  • SWEEP95
  • TASKMGR
  • VET95
  • VETTRAY
  • VIRUS
  • VSHWIN32

Dropping Routine

This worm drops the following files:

  • %Program Files%\{random alphabetic characters}{random digits}.EXE - detected by Trend Micro as PE_ELKERN.D

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other Details

This worm contains the following strings in its code:

  • Win32 Klez V2.01 & Win32 Foroux V1.0
    Copyright 2002,made in Asia
    About Klez V2.01:
    1,Main mission is to release the new baby PE virus,Win32 Foroux
    2,No significant change.No bug fixed.No any payload.
    About Win32 Foroux (plz keep the name,thanx)
    1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
    2,With very interesting feature.Check it!
    3,No any payload.No any optimization
    4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing

NOTES:

If the user SMTP server is unavailable, it attempts to use the following SMTP servers:

  • smtp.{BLOCKED}ed.es
  • smtp.{BLOCKED}c.com
  • smtp.{BLOCKED}n.net
  • smtp.{BLOCKED}an.co.jp

It modifies .EXE files by encrypting them using a Run-Length compression algorithm. It renames the encrypted file to {original file name}.{random extension name} with attributes set to Read-Only, Hidden, System, and Archive. It then copies itself into the same folder and assumes the original file name, icon, and file size of the modified file. As a consequence, users may not notice the infection. When the worm copy is executed, it decrypts the host program in the companion file then spawns it as another process.

The dropped RAR file in the shared folders contains the file {random file name 1}.{random extension 2} where {random file name 1} could be any of the following:

  • demo
  • install
  • kitty
  • picacu
  • play
  • rock
  • setup
  • snoopy

{random extension 1} is chosen from the following list:

  • asp
  • bak
  • c
  • cpp
  • doc
  • htm
  • html
  • jpg
  • mp3
  • mpeg
  • mpg
  • pas
  • pdf
  • rtf
  • txt
  • wab
  • xls

{random extension 2} is chosen from the following list:

  • bat
  • exe
  • pif
  • scr

Solution


Minimum scan engine: 9.200
First VSAPI Pattern File: 3.946.01
First VSAPI Pattern Release Date: 22 Nov 2006
VSAPI OPR Pattern Version: 3.947.00
VSAPI OPR Pattern Release Date: 22 Nov 2006

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by WORM_KLEZ.H

Step 3

Scan your computer with your Trend Micro product and note files detected as WORM_KLEZ.H

Step 4

Restart in Safe Mode

[ Learn more ]

Step 5

Delete this registry value

[ Learn more ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • Wink{random alphabetic characters} = "%System%\WINK{random alphabetic characters}.EXE"

Step 6

Delete this registry key

[ Learn more ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Wink{random alphabetic characters}

Step 7

Scan your computer with your Trend Micro product to delete files detected as WORM_KLEZ.H. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Download and apply this security patch Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.

Step 9

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.

  • ANTI-VIR.DAT
  • CHKLIST.CPS
  • CHKLIST.DAT
  • CHKLIST.MS
  • CHKLIST.TAV
  • IVB.NTZ
  • SMARTCHK.MS


Did this description help? Tell us how we did.
Analysis By: Automation

Connect with us on