
Win32.Elkern.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Elkern.A is also known as N/A.

Explanation:

This virus is a file infector that spreads with the help of Win32.Klez.A@mm, which carries it as a component. It runs on Windows 98 and Windows ME.

When executed, the virus copies the host file into the Windows system directory under the name wqk (with extension .exe or .dll) and writes the following registry value:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wqk]

with the path to the copied file as its data, so that the virus is reactivated every time Windows starts. The virus then stays resident, hiding from the application list and searching for files to infect.

File infection is done by searching for cavities (unused space) in the host file so that the file size does not grow; if no suitable cavity is found, the last section of the executable is extended to hold the virus body. The virus is also capable of infecting the local network.

The spreading potential of the virus is increased because the virus is also transmitted by the Win32.Klez.A@mm worm, which is a mass-mailer and network infector.

To make detection more difficult, parts of the virus body are stored in encrypted form, and the names of the system functions it calls are not stored in it at all; only a checksum of each name is. To resolve a function, the virus computes the checksum of each exported system function name and, when that checksum matches one in its list, takes the function's address and uses it.
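The analyst's counterpart to this name-hiding technique is to precompute the checksum of every known export name and look up the constants found in the sample. The helper below is an added example, not code from the page or from BitDefender; the page does not state Elkern's checksum algorithm, so the two candidate algorithms (ROR13-add and DJB2), the export list and the "constants found in the sample" are all constructed assumptions.

```python
"""Resolve API-name checksums back to export names (added analyst example).

Assumptions: the real checksum used by Win32.Elkern.A is not given on the
page, so two commonly seen candidates are tried; the export list and the
constants "found in the sample" are constructed for illustration.
"""
from typing import Callable, Dict, Iterable, Tuple


def ror13_add(name: bytes) -> int:
    """Rotate-right-13 then add each byte (assumed candidate algorithm)."""
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def djb2(name: bytes) -> int:
    """DJB2 string hash (assumed candidate algorithm)."""
    h = 5381
    for b in name:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


CANDIDATES: Dict[str, Callable[[bytes], int]] = {"ror13_add": ror13_add, "djb2": djb2}

# Constructed subset of kernel32 exports; a real analysis would load the full export table.
KERNEL32_EXPORTS = ["CreateFileA", "WriteFile", "FindFirstFileA", "FindNextFileA",
                    "GetSystemDirectoryA", "CloseHandle", "LoadLibraryA", "GetProcAddress"]


def build_table(export_names: Iterable[str], algo: Callable[[bytes], int]) -> Dict[int, str]:
    """Precompute checksum -> name for one candidate algorithm."""
    return {algo(n.encode("ascii")): n for n in export_names}


def resolve(found: Iterable[int], export_names: Iterable[str]) -> Tuple[str, Dict[int, str]]:
    """Try every candidate; return the algorithm that explains the most constants and its hits."""
    names = list(export_names)
    best_algo, best_hits = "", {}
    for algo_name, algo in CANDIDATES.items():
        table = build_table(names, algo)
        hits = {h: table[h] for h in found if h in table}
        if len(hits) > len(best_hits):
            best_algo, best_hits = algo_name, hits
    return best_algo, best_hits


# Constructed: three ROR13-add constants plus one unrelated value, as an analyst might pull from a disassembly.
FOUND_IN_SAMPLE = [ror13_add(b"GetSystemDirectoryA"), ror13_add(b"FindFirstFileA"),
                   ror13_add(b"WriteFile"), 0xDEADBEEF]

if __name__ == "__main__":
    algo, hits = resolve(FOUND_IN_SAMPLE, KERNEL32_EXPORTS)
    print(algo, {hex(k): v for k, v in hits.items()})
```

Constants that resolve under no candidate, like the unrelated value above, are the cue to recover the real algorithm from the sample's own checksum loop rather than guess further.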

Last update 21 November 2011
