--- Update 4/18/2002 ---
AVERT has raised the risk assessment of this threat to Medium after seeing an increase in prevalence over the past 24 hours. Home users are at a greater risk of infection, as they tend to update their DATs less frequently then corporations. As such, the risk of becoming infected in a corporate environment is lower.
This latest W32/Klez variant is already detected as W32/Klez.gen@MM by McAfee products using the 4182 DATs (23 January 2002) or greater.
W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:
- W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
- the worm has the ability to spoof the From: field (often set to an address found on the victim machine).
- the worm attempts to unload several processes (antivirus programs) from memory. Including those containing the following strings:
- _AVP32
- _AVPCC
- NOD32
- NPSSVC
- NRESQ32
- NSCHED32
- NSCHEDNT
- NSPLUGIN
- NAV
- NAVAPSVC
- NAVAPW32
- NAVLU32
- NAVRUNR
- NAVW32
- _AVPM
- ALERTSVC
- AMON
- AVP32
- AVPCC
- AVPM
- N32SCANW
- NAVWNT
- ANTIVIR
- AVPUPD
- AVGCTRL
- AVWIN95
- SCAN32
- VSHWIN32
- F-STOPW
- F-PROT95
- ACKWIN32
- VETTRAY
- VET95
- SWEEP95
- PCCWIN98
- IOMON98
- AVPTC
- AVE32
- AVCONSOL
- FP-WIN
- DVP95
- F-AGNT95
- CLAW95
- NVC95
- SCAN
- VIRUS
- LOCKDOWN2000
- Norton
- Mcafee
- Antivir
The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
350.bak.scr
bootlog.jpg
user.xls.exe
The worm may also copy itself into RAR archives, for example:
HREF.mpeg.rar
HREF.txt.rar
lmbtt.pas.rar
The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:
Subject: A very funny website
or Subject: 1996 Microsoft Corporation
or Subject: Hello,honey
or Subject: Initing esdi
or Subject: Editor of PC Magazine.
or Subject: Some questions
or Subject: Telephone number
The file attachment name is again generated randomly, and ends with a .exe, .scr, .pif, or .bat extension, for example:
ALIGN.pif
User.bat
line.bat
Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in infection of the victim machine.
W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.
Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.
The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:
- .txt
- .htm
- .html
- .wab
- .asp
- .doc
- .rtf
- .xls
- .jpg
- .cpp
- .c
- .pas
- .mpg
- .mpeg
- .bak
- .mp3
- .pdf
This payload can result in confidental information being sent to others.
