Summary
| Detected by | All Sophos products |
|---|---|
Action
Please follow the instructions for removing worms.
Please read the instructions for removing W32/ElKern and W32/Klez.
More Information
W32/Klez-F is a variant of W32/Klez-A.
The functionality of W32/Klez-F is very similar to that of W32/Klez-E.
It is a Win32 worm that carries a compressed copy of the W32/ElKern-B virus, which it drops and executes when the worm is run.
This worm searches for email address entries in the Windows address book and in files on the local hard drive. W32/Klez-F uses its own SMTP mailing routine.
The email will have the following characteristics:
Subject line: randomly composed from text in the worm body and the list
How are you
Let's be friends
Darling
Don't drink too much
Your password
Honey
Some questions
Please try again
Welcome to my hometown
the Garden of Eden
introduction on ADSL
Meeting notice
Questionnaire
Congratulations
Sos!
japanese girl VS playboy
Look,my beautiful girl friend
Eager to see you
Spice girls' vocal concert
Japanese lass' sexy pictures
Message text: randomly composed by the worm; the message may also have no text at all.
Attached file: randomly named, with the extension .PIF, .SCR, .EXE or .BAT.
The sender address which appears in the message "From:" field is chosen either from files on the local hard drive or from a list inside the virus.
Because the worm uses its own SMTP engine, the message may appear to come from any email address. Some of the messages will have a "From:" field and message text which imply that the message was sent by a major anti-virus vendor.
The worm attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer so that the executable attachment runs automatically, without the user double-clicking on it. Microsoft has issued a patch that secures against this vulnerability; it can be downloaded from www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)
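The email characteristics above translate directly into a mail-gateway triage check. The following is an added example (defender-side code, not Sophos's own) that parses constructed sample messages with Python's standard `email` package and reports which Klez-F indicators are present; the content-type mismatch heuristic is an assumption of the example, not something the page states.

```python
# Added example (defender-side mail triage, not Sophos code); sample messages are constructed.
import email
from email import policy
from email.message import EmailMessage

# Subject lines from the list above. The worm also builds subjects from random text in its
# body, so a non-match proves nothing, while an exact match is a strong signal.
KLEZ_SUBJECTS = {
    "how are you", "let's be friends", "darling", "don't drink too much",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl vs playboy", "look,my beautiful girl friend", "eager to see you",
    "spice girls' vocal concert", "japanese lass' sexy pictures",
}
EXEC_EXTS = (".pif", ".scr", ".exe", ".bat")  # attachment extensions the worm uses

def klez_indicators(raw: bytes) -> list[str]:
    """Return the Klez-F indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in KLEZ_SUBJECTS:
        hits.append("subject:klez-list")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(EXEC_EXTS):
            continue
        hits.append("attachment:" + name)
        # Added heuristic (an assumption, not stated on the page): the MIME auto-run trick
        # depends on a declared content type that does not match the executable attachment.
        if not part.get_content_type().startswith("application/"):
            hits.append("mime:executable-under-" + part.get_content_type())
    return hits

def is_klez_suspect(raw: bytes) -> bool:
    """Executable attachment plus at least one more indicator: quarantine candidate."""
    hits = klez_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2

def build_sample(subject: str, filename: str, ctype: str) -> bytes:
    """Construct a test message (not a real capture) carrying one attachment."""
    m = EmailMessage()
    m["From"] = "support@example.invalid"  # Klez spoofs From:, so it is not an indicator
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("hello")
    maintype, subtype = ctype.split("/")
    m.add_attachment(b"MZ" + b"\0" * 16, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()
```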
W32/Klez-F may also spread to remote shares on other machines, using random filenames with a double extension. On remote shares the worm will also create RAR archives and add itself to them. The name of the worm file inside the archive is chosen from the following list:
Setup
Install
Demo
Snoopy
Picacu
Kitty
Play
Rock
It copies itself to the Windows System directory with a random filename. The worm will set the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ to point to the worm file, so that the file is run on Windows startup.
On the 6th of March, May, September and November the worm will overwrite all files on all drives that have one of the following extensions:
TXT
HTM
HTML
WAB
DOC
XLS
JPG
C
PAS
MPG
MPEG
BAK
MP3
On the 6th of January and July the worm will overwrite all files on all drives.
Additionally, the worm will attempt to disable anti-virus software by stopping any of the following processes:
_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
SCAN
VIRUS
LOCKDOWN2000
Norton
Mcafee
Antivir
TASKMGR
and by deleting the following files:
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT

