Win32.Klez.H@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Klez.H@mm is also known as N/A.
Explanation:
This is a new version of the Klez virus, with a few changes from the previous version (Win32.Klez.E@mm).
It arrives as a file attached to an e-mail whose format is similar to that of the previous version:
Subject:
- how are you
- let's be friends
- darling
- so cool a flash,enjoy it
- your password
- honey
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- questionnaire
- congratulations
- sos!
- japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls'vocal concert
- japanese lass' sexy pictures
- Undeliverable mail--"%s"'
- Returned mail--"%s"'
Where %s is replaced with a subject stolen from other e-mails.
Besides the file which contains the virus, it also attaches another file taken from the root directory.
An example is this:
In addition to the mail bodies presented in the previous version, it has another message:
Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.
An example of such e-mail is this:
It uses the IFRAME exploit to execute automatically when the user previews the message (with Outlook or Outlook Express). You can find a description of and patch for the IFRAME exploit at this link:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp.
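A triage sketch for the mail traits described above (the subject list, the extra attachment, an IFRAME in the HTML body), added here as an example and not BitDefender's code. The case-insensitive subject match, the rule of requiring the subject plus one more trait, and all function names are assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Subjects listed on this page; compared case-insensitively (an assumption).
FIXED_SUBJECTS = {
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl vs playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls'vocal concert",
    "japanese lass' sexy pictures",
}
# The two templates whose %s is a stolen subject; trailing ' is optional here.
TEMPLATE_RE = re.compile(r'^(undeliverable|returned) mail--".*"\'?$', re.I)

def klez_h_signals(raw_message):
    """Return which Klez.H mail traits described on the page a message shows."""
    msg = message_from_string(raw_message)
    signals, attachments = set(), 0
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in FIXED_SUBJECTS or TEMPLATE_RE.match(subject):
        signals.add("subject")
    for part in msg.walk():
        if part.get_filename():
            attachments += 1
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if re.search(rb"<iframe\b", body, re.I):
                signals.add("iframe")
    if attachments >= 2:  # the worm's file plus the extra file it attaches
        signals.add("two_attachments")
    return signals

def is_suspect(raw_message):
    # Subjects like "honey" occur in normal mail, so require one more trait.
    signals = klez_h_signals(raw_message)
    return "subject" in signals and len(signals) >= 2

def build_sample(subject, html, filenames):
    """Build a constructed test message (not captured traffic)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(html, subtype="html")
    for name in filenames:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()
```

A message that matches only on subject is reported by `klez_h_signals` but not flagged by `is_suspect`, which keeps ordinary mail titled "honey" or "meeting notice" out of the alert queue.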
When executed, the virus copies itself to the %system% directory under a name starting with wink. Another major difference from the last version is that the virus it carries with it is a new version, Win32.Elkern.C. It drops this file infector in the directory C:\Program Files with a random name and executes it.
It uses the same methods of spreading through e-mail and network as the other KLEZ versions.
The virus contains the following text:
Win32 Klez V2.01 & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing.
Last update 21 November 2011