WORM_KLEZ.H

This worm arrives as attachment to mass-mailed email messages.

It deletes autostart registry entries associated with the processes it terminates to completely disable applications.

It gathers target email addresses from the Windows Address Book (WAB). It exploits software vulnerabilities to automatically execute attachments once a user reads or previews spammed messages. It does this action to allow easy execution of email attachments without the user opening the said attachments.

Arrival Details

This worm arrives as attachment to mass-mailed email messages.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\WINK{random alphabetic characters}.EXE
• %Temp%\{random alphabetic characters}{random digits}.EXE

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Wink{random alphabetic characters}
ImagePath = "%System%\WINK{random alphabetic characters}.EXE" (if the operating system is Windows NT, 2000, or XP)

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Wink{random alphabetic characters} = "%System%\WINK{random alphabetic characters}.EXE" (if the operating system is Windows 95, 98 or ME)

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Wink{random alphabetic characters} (if the operating system is Windows NT, 2000, or XP)

Other System Modifications

This worm deletes the following files:

• ANTI-VIR.DAT
• CHKLIST.CPS
• CHKLIST.DAT
• CHKLIST.MS
• CHKLIST.TAV
• IVB.NTZ
• SMARTCHK.MS

It deletes autostart registry entries associated with the processes it terminates to completely disable applications.

Propagation

This worm drops copies of itself in the following shared folders:

• {random file name}.{random extension 1}.{random extension 2}
• {random file name}.RAR

It searches for available SMTP servers by checking the following registry key(s):

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts

It gathers target email addresses from data files related to the following instant messaging application(s):

• ICQ

It gathers target email addresses from the Windows Address Book (WAB).

It composes messages as part of its spamming routine. The messages it sends has the following details:

Sender: Taken from the gathered email addresses
Option 1:

• Subject: none
• Mail Body: none

• Subject: chosen from the following:
  • congratulations
  • darling
  • eager to see you
  • honey
  • how are you
  • introduction on ADSL
  • japanese girl VS playboy
  • japanese lass sexy pictures
  • let's be friends
  • look,my beautiful girl friend
  • meeting notice
  • please try again
  • questionnaire
  • so cool a flash,enjoy it
  • some questions
  • sos!
  • spice girls vocal concert
  • the Garden of Eden
  • welcome to my hometown
  • your password
  
  The subject can be preceded by the following:
  • Hi,{user name},
  • Hello,{user name},
  • Re:
  • Fw:
  
  
• Mail Body: none

• Subject: a {string 1} {string 2} game
• Mail Body:
  A {string 1} {string 2} game
  
  This is a {string 1} {string 2} game
  This game is my first work.
  You're the first player.
  I expect you would enjoy it.

• Subject: {string 3} removal tools
• Mail Body:
  {string 4} give you the {string 3} removal tools
  {string 3} is a dangerous virus that can infect on Win98/Me/2000/XP.
  
  For more information,please visit http://www.{string 4}.com

• Subject: could be any of the following:
  
  • Undeliverable mail--"{random string}"
  • 'Returned mail--"{random string}"
  
  
• Mail Body:
  The following mail can't be sent to {spoofed email address}
  
  From: {spoofed email address}
  To: {spoofed email address}
  Subject: {random string}
  The file is the original mail

• Subject: Worm Klez.E immunity
• Mail Body:
  Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
  Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
  We developed this free immunity tool to defeat the malicious virus.
  You only need to run this tool once,and then Klez will never come into your PC.
  NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
  If so,Ignore the warning,and select 'continue'.
  If you have any question,please mail to me.

• Subject: {string 5} {string 6}
• Mail Body: random text

• Subject: could be any of the following:
  • a {string 7} {string 7} tool
  • a {string 7} {string 7} patch
  
  where {string 7} could be any of the following:
  • excite
  • funny
  • good
  • humour
  • IE 6.0
  • new nice
  • powful
  • W32.Elkern
  • W32.Klez.E
  • WinXP
  
  
• Mail Body: random text

• Subject: a {string 1} {string 2} website
• Mail Body:
  This is {subject}
  I {string 8} you would {string 9} it.
  
  where {string 8} can be any of the following:
  • expect
  • hope
  • wish
  
  {string 9} can be any of the following:
  • enjoy
  • like

• Subject: chosen from existing files and folder names
• Mail Body: none

• very
• special

• excite
• funny
• good
• humour
• new
• nice
• powful

• W32.Elkern
• W32.Klez.E

• F-Secure
• Kaspersky
• Mcafee
• Sophos
• Symantec
• Trendmicro

• Happy
• Have a

• All Souls Day
• Allhallowmas
• April Fools Day
• Assumption
• Candlemas
• Christmas
• Epiphany
• Lady Day
• New year
• Saint Valentine's Day

It exploits the following software vulnerabilities to automatically execute attachments once a user reads or previews a spammed message:

• Incorrect MIME Header Can Cause IE to Execute E-mail Attachment (MS01-020)

Process Termination

This worm terminates the following services if found on the affected system:

• _AVPCC
• _AVPM
• ACKWIN32
• ALERTSVC
• AMON
• ANTIVIR
• Antivir
• AVCONSOL
• AVE32
• AVGCTRL
• AVP32
• AVPCC
• AVPM
• AVPTC
• AVPUPD
• AVWIN95
• CLAW95
• DVP95
• F-AGNT95
• F-PROT95
• FP-WIN
• F-STOPW
• IOMON98
• LOCKDOWN2000
• Mcafee
• N32SCANW
• NAV
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVRUNR
• NAVW32
• NAVWNT
• NOD32
• Norton
• NPSSVC
• NRESQ32
• NSCHED32
• NSCHEDNT
• NSPLUGIN
• NVC95
• PCCWIN98
• SCAN
• SCAN32
• SWEEP95
• TASKMGR
• VET95
• VETTRAY
• VIRUS
• VSHWIN32

Dropping Routine

This worm drops the following files:

• %Program Files%\{random alphabetic characters}{random digits}.EXE - detected by Trend Micro as PE_ELKERN.D

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Other Details

This worm contains the following strings in its code:

• Win32 Klez V2.01 & Win32 Foroux V1.0
  Copyright 2002,made in Asia
  About Klez V2.01:
  1,Main mission is to release the new baby PE virus,Win32 Foroux
  2,No significant change.No bug fixed.No any payload.
  About Win32 Foroux (plz keep the name,thanx)
  1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
  2,With very interesting feature.Check it!
  3,No any payload.No any optimization
  4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing

NOTES:

If the user SMTP server is unavailable, it attempts to use the following SMTP servers:

• smtp.{BLOCKED}ed.es
• smtp.{BLOCKED}c.com
• smtp.{BLOCKED}n.net
• smtp.{BLOCKED}an.co.jp

It modifies .EXE files by encrypting them using a Run-Length compression algorithm. It renames the encrypted file to {original file name}.{random extension name} with attributes set to Read-Only, Hidden, System, and Archive. It then copies itself into the same folder and assumes the original file name, icon, and file size of the modified file. As a consequence, users may not notice the infection. When the worm copy is executed, it decrypts the host program in the companion file then spawns it as another process.

The dropped RAR file in the shared folders contains the file {random file name 1}.{random extension 2} where {random file name 1} could be any of the following:

• demo
• install
• kitty
• picacu
• play
• rock
• setup
• snoopy

{random extension 1} is chosen from the following list:

• asp
• bak
• c
• cpp
• doc
• htm
• html
• jpg
• mp3
• mpeg
• mpg
• pas
• pdf
• rtf
• txt
• wab
• xls

{random extension 2} is chosen from the following list:

• bat
• exe
• pif
• scr