W32/Klez-D is a minor variant of the W32/Klez-A worm. It carries a compressed copy of the W32/ElKern-A virus, which it drops and executes when the worm is run.
The worm sends itself to entries in the Windows address book and arrives in an email with a subject line selected from:
"Hi"
"Hello"
"How are you?"
"Can you help me?"
"We want peace"
"Where will you go?"
"Congratulations!!!"
"Don't cry"
"Look at the pretty"
"Some advice on your shortcoming"
"Free XXX Pictures"
"A free hot porn site"
"Why don't you reply to me?"
"How about have dinner with me together?"
"Never kiss a stranger"
The attachment has a random filename and the sender address is either a random uppercase name at yahoo.com, hotmail.com or sina.com, or one chosen from a list inside the virus.
The body text of the email is sent as HTML and says:
"I'm sorry to do so,but it's helpless to say sorry. I want a good job,I must support my parents. Now you have seen my technical capabilities How much my year-salary now? NO more than $5,500 What do you think of this fact? Don't call my names,I have no hostility Can you help me?"
The worm attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer so that the executable attachment runs automatically, without the user double-clicking on it. Microsoft has issued a patch for this vulnerability, which can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)
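The subject lines, sender pattern, HTML body and executable attachment described above are the mail-level indicators a gateway or triage script can look for. The following is an added example written for this page, not code from the advisory's author; it parses an RFC 822 message with the Python standard library and reports which of the listed indicators are present. The two sample messages are constructed for the example, the executable-extension set and the "executable attachment plus at least two other indicators" threshold are the editor's assumptions, and nothing here is checked for the MIME trick itself, since the page does not describe it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lines used by W32/Klez-D, as listed in the advisory.
KLEZ_D_SUBJECTS = {
    "Hi", "Hello", "How are you?", "Can you help me?", "We want peace",
    "Where will you go?", "Congratulations!!!", "Don't cry",
    "Look at the pretty", "Some advice on your shortcoming",
    "Free XXX Pictures", "A free hot porn site",
    "Why don't you reply to me?", "How about have dinner with me together?",
    "Never kiss a stranger",
}

# Forged sender pattern from the advisory: an all-uppercase local part at
# yahoo.com, hotmail.com or sina.com.
KLEZ_D_SENDER_RE = re.compile(r"^[A-Z]+@(?:yahoo\.com|hotmail\.com|sina\.com)$")

# The advisory only says the attachment is executable; this extension set is
# an assumption made for the example.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".com")


def klez_d_indicators(raw_message: str) -> list:
    """Return the Klez-D indicators found in one RFC 822 message, in a fixed order."""
    msg = message_from_string(raw_message)
    hits = []

    subject = (msg.get("Subject") or "").strip()
    if subject in KLEZ_D_SUBJECTS:
        hits.append("subject")

    # parseaddr() strips any display name so only the address is matched.
    sender = parseaddr(msg.get("From") or "")[1]
    if KLEZ_D_SENDER_RE.match(sender):
        hits.append("sender")

    has_html = False
    has_exe = False
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            has_html = True
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTS):
            has_exe = True
    if has_html:
        hits.append("html-body")
    if has_exe:
        hits.append("exe-attachment")
    return hits


def is_probable_klez_d(raw_message: str) -> bool:
    """Heuristic (editor's assumption): executable attachment plus two more indicators."""
    hits = klez_d_indicators(raw_message)
    return "exe-attachment" in hits and len(hits) >= 3


# Constructed sample matching the advisory's description (the attachment
# payload is the base64 of the text "NOT A REAL FILE").
SAMPLE_KLEZ = """\
From: QWERTY@hotmail.com
To: victim@example.com
Subject: How are you?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>I'm sorry to do so,but it's helpless to say sorry.</body></html>
--b1
Content-Type: application/octet-stream; name="XKQPL.exe"
Content-Disposition: attachment; filename="XKQPL.exe"
Content-Transfer-Encoding: base64

Tk9UIEEgUkVBTCBGSUxF
--b1--
"""

# Constructed benign sample: a common subject alone should not trigger.
SAMPLE_BENIGN = """\
From: Alice Smith <alice@example.com>
To: bob@example.com
Subject: Hello
Content-Type: text/plain

Lunch tomorrow?
"""

if __name__ == "__main__":
    for label, sample in (("klez", SAMPLE_KLEZ), ("benign", SAMPLE_BENIGN)):
        print(label, klez_d_indicators(sample), is_probable_klez_d(sample))
```

The benign message shows why a single indicator is not enough: "Hello" is an ordinary subject, so the verdict requires the executable attachment together with two of the other traits before flagging a message for quarantine or review.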
The worm copies itself to remote shares on other machines with random filenames. It also copies itself to the Windows System directory as winsvc.exe, and sets the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSvc
to point to it.
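The persistence mechanism just described gives a host-side check: look at the values under the Run key for the name WinSvc or for data that launches winsvc.exe from the Windows System directory. The following is an added example written for this page, not the advisory's own code. It works on a plain mapping of value name to value data so it can run against a constructed sample on any platform; on Windows the optional reader pulls the live key with the standard-library winreg module. The sample entries, the helper that extracts the executable path from a command line, and the two candidate System directories (SYSTEM for Windows 9x, SYSTEM32 for NT-family) are all assumptions made for the example.

```python
import ntpath
import os
import platform

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
KLEZ_D_VALUE_NAME = "winsvc"    # value name used by the worm (compared case-insensitively)
KLEZ_D_FILENAME = "winsvc.exe"  # file it drops in the Windows System directory


def _executable_path(data: str) -> str:
    """Return the program path from Run-value data, honouring a quoted first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def klez_d_run_entries(run_values: dict, system_dirs) -> list:
    """Return (name, data, reason) for Run entries matching the advisory.

    run_values maps value name -> data as read from HKLM\\...\\Run.
    ntpath is used so comparisons behave like Windows (case-insensitive,
    backslash separators) even when this runs on another OS.
    """
    normalized_dirs = {ntpath.normcase(ntpath.normpath(d)) for d in system_dirs}
    findings = []
    for name, data in run_values.items():
        path = ntpath.normcase(ntpath.normpath(_executable_path(data)))
        reasons = []
        if name.lower() == KLEZ_D_VALUE_NAME:
            reasons.append("value name is WinSvc")
        if ntpath.basename(path) == KLEZ_D_FILENAME and ntpath.dirname(path) in normalized_dirs:
            reasons.append("launches winsvc.exe from the System directory")
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings


def read_run_values_hklm() -> dict:
    """Read HKLM\\...\\Run from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed sample resembling a Run key on an infected Windows 9x machine.
SAMPLE_RUN_VALUES = {
    "VendorTray": r"C:\WINDOWS\SYSTEM\vendortray.exe",
    "WinSvc": r"C:\WINDOWS\SYSTEM\winsvc.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /silent',
}

if __name__ == "__main__":
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        dirs = [ntpath.join(root, "SYSTEM"), ntpath.join(root, "SYSTEM32")]
        values = read_run_values_hklm()
    else:
        dirs = [r"C:\WINDOWS\SYSTEM", r"C:\WINDOWS\SYSTEM32"]
        values = SAMPLE_RUN_VALUES
    for name, data, reason in klez_d_run_entries(values, dirs):
        print(f"{name}: {data} -> {reason}")
```

Matching on both the value name and the target path matters: a cleaned value name with the file still referenced, or the same file referenced under another name, is still flagged, and the quoted-command handling keeps ordinary entries such as `"...\updater.exe" /silent` from producing false paths.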