
Win32.Klez.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Klez.A@mm is also known as N/A.

Explanation:

This virus is an Internet worm that can also spread through the local network. Infected mails carry the worm as an attachment with a random name and an .exe extension. The email has the following format:

Subject:
Hello
How are you?
Can you help me?
We want peace
Where will you go?
Congratulations!!!
Don't cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger


Body:

I'm sorry to do so, but it's helpless to say sorry.
I want a good job, I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names, I have no hostility.
Can you help me?


It uses an exploit (a security hole) that causes the attachment to be executed as soon as the message is viewed in Outlook Express or Outlook (without Service Packs installed). The method is similar to the one used by the Nimda and Kak worms. A description of the IFRAME exploit and the patch for it are available at this link:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
The e-mail does not appear to come from the infected user: the sender address is forged, drawn from a set of addresses at 21cn.com, online.sh.cn and citiz.net.

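As an added example (not part of the BitDefender entry), the following Python triages a raw message against the mail traits described above: a known subject line, an .exe attachment and a forged sender at one of the listed providers. The sample messages are constructed here; the recipient address is a placeholder.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines and forged-sender providers taken from the description above.
KLEZ_SUBJECTS = {
    "Hello", "How are you?", "Can you help me?", "We want peace",
    "Where will you go?", "Congratulations!!!", "Don't cry",
    "Look at the pretty", "Some advice on your shortcoming",
    "Free XXX Pictures", "A free hot porn site",
    "Why don't you reply to me?", "How about have dinner with me together?",
    "Never kiss a stranger",
}
SPOOFED_SENDER_DOMAINS = {"21cn.com", "online.sh.cn", "citiz.net"}


def score_message(raw: bytes) -> dict:
    """Report which Klez.A mail indicators are present in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    exe_names = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".exe")
    ]
    hits = {
        "known_subject": subject in KLEZ_SUBJECTS,
        "exe_attachment": bool(exe_names),
        "spoofed_sender_domain": sender_domain in SPOOFED_SENDER_DOMAINS,
    }
    # The .exe attachment is the carrier; either other trait makes the mail Klez-like.
    hits["klez_like"] = hits["exe_attachment"] and (
        hits["known_subject"] or hits["spoofed_sender_domain"])
    return hits


def build_sample(sender: str, subject: str, attachment: str) -> bytes:
    """Constructed test message (not a real capture) with one binary attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.org"  # placeholder recipient
    m["Subject"] = subject
    m.set_content("I want a good job, I must support my parents.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("king@21cn.com", "How are you?", "gfxd.exe")))
```
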
Once executed, the virus decrypts all of its strings (they are stored encrypted so that anyone studying the virus cannot read them) and tries to hide itself from the application list.

The virus creates an execution thread that monitors all running applications and terminates any that belong to an antivirus program.

Next, the virus creates a file named wqk.exe in the system directory containing the Win32.Elkern.A virus, which it carries compressed in its body. Elkern is a file infector that runs on Windows 98 or Windows Me.

After creating the wqk.exe file, the worm executes it, copies itself into the Windows system directory under the name krn132.exe and creates the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Krn132
whose data is the path to this file, so that the worm is reactivated every time Windows starts.

The virus launches further execution threads: one for infection through the Internet, one for network infection and 26 others that scan each drive for files with one of the following extensions: txt, htm, doc, jpg, bmp, xls, cpp, html, mpg, mpeg.

The thread dedicated to Internet infection collects all contacts in the Outlook Address Book and generates a maximum of 10 e-mail addresses with a random local part ending in @yahoo.com, @hotmail.com or @sina.com.

To send messages to these addresses it also builds an SMTP server list by taking the domain of each e-mail address and prepending smtp. to it. For example, if the address list contains contact@domain.com, the virus adds smtp.domain.com to the SMTP server list.

The thread for network infection reactivates every 8 hours and scans the network, leaving copies of the virus in certain shared directories under an apparently random name with a double extension. The name is actually that of the last file the disk-scanning threads went over, with .exe appended.

If the system date falls on the 13th day of an odd-numbered month (January, March, etc.), the virus starts its payload routine: it scans local disks (and drives mapped from the network) and overwrites the files it finds with random data, destroying them permanently.

Last update 21 November 2011
