Malware type: Worm

Aliases: W32.Klez, KLEZA.A

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows

Encrypted: Yes

Overall risk rating:

This destructive, persistent, memory-resident, multi-process, multi-threaded worm spreads copies of itself via email and network shared drives. It consists of two components: the main worm and a Windows executable infector. Trend Micro antivirus detects the file infector component as PE_ELKERN.A.

Like PE_NIMDA.A, this worm uses the Microsoft Outlook and Outlook Express vulnerability that lets an attachment execute automatically when the message is previewed.

On Windows NT/2000 systems, the worm registers itself as a system service. On Windows 9x, it hides itself from the Task List.

More information on this vulnerability is available at: Microsoft TechNet.


Description created: Oct. 26, 2001 10:42:07 AM GMT -0800
Description updated: Oct. 26, 2001 10:45:00 AM GMT -0800


Size of malware: 57,345 Bytes

Initial samples received on: Oct 26, 2001

Payload 1: Sends mail (emails a copy of itself to addresses from the Windows Address Book)

Trigger condition 1: Upon execution

Payload 2: Copies itself into shared drives and folders with read/write access

Trigger condition 1: Upon execution

Payload 3: Modifies files (overwrites files on all fixed and remote drives with zeroes)

Trigger condition 1: System date = 13; system month = odd (January, March, May, July, September, November); see the File Destruction section below

Upon execution, this worm spawns several copies of itself in memory. Each process then creates six threads, each performing one of the following functions:
  • Anti-antivirus routine
  • Dropping/creating of files
  • Worm distribution
  • Network infection
  • File destruction
  • Fixed and remote drive enumeration

The worm first decodes its data in memory, including the mail headers, subjects, bogus sender addresses and other strings. It then copies itself into the Windows system directory as KRN132.EXE with the hidden attribute.

On Windows NT/2000 systems, the worm creates a system service and registers its service control dispatcher, so that the Service Control Manager starts the worm service at every Windows startup.

Antivirus Termination Routine:
It then checks the process list and terminates every process whose name matches any of the following patterns:

  • SMSS
  • SCAN
  • NSCH
  • EDNT
  • NSCHED32
  • NRESQ32
  • NOD32
  • NAVW32
  • NAVLU32
  • NAVAPW32
  • N32SCANW
  • AVPM
  • AVP32
  • AMON
  • _AVPM
  • _AVPCC
  • _AVP32
The worm sleeps for 100 ms after each process. It then creates the following registry entry so that it runs at system startup:

Windows\CurrentVersion\Run
Krn132 = %systemdir%\Krn132.exe

%systemdir% refers to the infected user's Windows system directory, usually C:\Windows\System on Windows 9x or C:\Winnt\System32 on Windows NT/2000.

Dropping/Creating of files:
The worm generates a random file name with GetTempFileNameA in the temp directory. It then extracts the Win32 file infector and drops it into the Windows system directory as WQK.EXE with the hidden attribute. This virus component is executed as a separate process and gets its own registry entry so that it also runs at startup:

Windows\CurrentVersion\Run
wqk = %systemdir%\wqk.exe

Network Infection:
The worm can spread via shared drives and folders that allow read/write access. To do so, it enumerates the shared resources reachable from the infected system and, for each one, copies itself under randomly generated file names.

It records the names of all JPG, MPEG, MPG, HTML, CPP, XLS, BMP, DOC, HTM, and TXT files it finds on the infected system. When it finds a folder with read/write access, it drops a copy of itself named after one of the recorded files with an added .EXE extension, producing double-extension names (a recorded REPORT.DOC, for example, yields REPORT.DOC.EXE). It repeats this every 8 hours. It also creates another service named "KernelSvc".
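As an added example (not code from the original advisory), the following Python scanner looks for the double-extension drops described above on a share: a file named <name>.<one of the noted extensions>.EXE that begins with the PE "MZ" signature and matches the worm's 57,345-byte size. It builds a temporary directory of constructed files so that it runs offline; the file names and contents in that directory are made up.

```python
"""Added example: find WORM_KLEZ.A-style double-extension drops on a share.

Not code from the original advisory. The sample tree built by
build_sample_share() is constructed test data, not real worm output.
"""
import tempfile
from pathlib import Path

# Extensions the advisory says the worm collects file names from.
NOTED_EXTS = {".jpg", ".mpeg", ".mpg", ".html", ".cpp",
              ".xls", ".bmp", ".doc", ".htm", ".txt"}
KLEZ_SIZE = 57_345  # size of the worm copy, per the advisory


def is_klez_drop(path: Path) -> bool:
    """True if the file looks like a Klez share drop:
    <name>.<noted ext>.exe, a PE ("MZ") header, and the advisory's size."""
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) < 2 or suffixes[-1] != ".exe" or suffixes[-2] not in NOTED_EXTS:
        return False
    try:
        if path.stat().st_size != KLEZ_SIZE:
            return False
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable file: report nothing rather than crash


def scan_share(root: Path) -> list:
    """Walk a share (or any directory) and return suspected drops, sorted."""
    return sorted(p for p in root.rglob("*") if p.is_file() and is_klez_drop(p))


def build_sample_share() -> Path:
    """Construct a temporary tree with one drop and several benign files."""
    root = Path(tempfile.mkdtemp(prefix="klez_share_"))
    (root / "docs").mkdir()
    # Benign documents with ordinary single extensions.
    (root / "docs" / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\0" * 100)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\0" * 50)
    # A normal executable: PE header but only one extension.
    (root / "setup.exe").write_bytes(b"MZ" + b"\0" * 1000)
    # The drop: recorded name + .exe, PE header, 57,345 bytes.
    (root / "docs" / "budget.xls.exe").write_bytes(b"MZ" + b"\0" * (KLEZ_SIZE - 2))
    # Right name and size, but not a PE image.
    (root / "notes.txt.exe").write_bytes(b"not a PE" + b"\0" * (KLEZ_SIZE - 8))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for hit in scan_share(share):
        print("suspected Klez drop:", hit)
```

The name pattern and the "MZ" check are the durable indicators; the exact size check is what ties a hit to this sample, so drop it when sweeping for later variants or repacked copies.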

Fixed and Remote drive enumeration:
The worm contains code intended to iterate over the mapped drives from A: to Z:, but a bug keeps it from advancing to the next drive letter. Because it never gets past A:, which is neither a fixed nor a remote drive, the routine does nothing.

The worm sleeps for 10 seconds between drives.

Mail Distribution:
To propagate, the worm emails a copy of its executable. It takes recipients from the entries of the default Windows Address Book (WAB), locating the WAB file through the following registry entry:

WAB\WAB4
Wab File Name = "<pathname of WAB file>"

It then builds an HTML mail containing the base64-encoded worm copy under a randomly generated attachment name, and connects to TCP port 25 of one of the following predetermined mail servers:
  • smtp.yahoo.com
  • smtp.hotmail.com
  • smtp.sina.com

It then issues SMTP commands to compose and send the message. The subject line is one of the following, or blank:

Subject:
How are you?
Can you help me?
We want peace
Where will you go?
Don't cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger

Message Body:
I'm sorry to do so,but it's helpless to say sorry.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?

Attachment: <Random filename with .EXE extension, size of the file is 57,345 bytes>
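The mail described above, as an added example that is not part of the original advisory: a Python check that flags a message carrying one of the listed subjects, an .EXE attachment, and a base64-encoded part that decodes to a PE image of 57,345 bytes. The message is constructed sample data built with the standard library, and the attachment is an "MZ"-padded stub, not the worm; the sender and recipient addresses and the attachment name are assumptions.

```python
"""Added example: flag mail matching WORM_KLEZ.A's propagation pattern.

Not code from the original advisory. build_sample() constructs test
messages; FAKE_WORM is a padded stub with a PE header, not the worm.
"""
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subject lines listed in the advisory (a blank subject is also possible).
KLEZ_SUBJECTS = {
    "How are you?", "Can you help me?", "We want peace", "Where will you go?",
    "Don't cry", "Look at the pretty", "Some advice on your shortcoming",
    "Free XXX Pictures", "A free hot porn site", "Why don't you reply to me?",
    "How about have dinner with me together?", "Never kiss a stranger",
}
KLEZ_SIZE = 57_345  # size of the worm copy, per the advisory


def klez_indicators(raw: bytes) -> list:
    """Return the indicators found in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", "")).strip()
    if subject in KLEZ_SUBJECTS:
        hits.append(f"subject:{subject!r}")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        # decode=True undoes the base64 transfer encoding so the real bytes
        # can be inspected, whatever Content-Type the sender declared.
        payload = part.get_payload(decode=True)
        if name.lower().endswith(".exe"):
            hits.append(f"exe-attachment:{name}")
        if payload and payload[:2] == b"MZ":
            hits.append("mz-header")  # executable regardless of declared type
            if len(payload) == KLEZ_SIZE:
                hits.append("size-57345")
    return hits


def build_sample(subject: str, attachment_name: str, body: bytes) -> bytes:
    """Construct a message shaped as the advisory describes: HTML body plus
    a base64-encoded attachment. Addresses are placeholders."""
    msg = MIMEMultipart()
    msg["From"] = "someone@example.invalid"  # bogus sender, as the worm uses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.attach(MIMEText("<html><body></body></html>", "html"))
    att = MIMEApplication(body, _subtype="octet-stream")  # base64 by default
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(att)
    return msg.as_bytes()


# Constructed stand-in for the worm body: an "MZ" header padded to 57,345 bytes.
FAKE_WORM = b"MZ" + b"\0" * (KLEZ_SIZE - 2)
SAMPLE_KLEZ = build_sample("How are you?", "xg7k2a.exe", FAKE_WORM)
SAMPLE_CLEAN = build_sample("Quarterly report", "report.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    print(klez_indicators(SAMPLE_KLEZ))
    print(klez_indicators(SAMPLE_CLEAN))
```

The decoded bytes are tested for the "MZ" signature rather than trusting the declared Content-Type or the file name, since both are attacker-controlled; the subject match alone is weak, because the worm may also send a blank subject.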

File Destruction:
On the 13th of any odd month (January, March, May, July, September, November), the worm attempts its destructive payload: it overwrites every file on all fixed and remote drives with zeros. Because of the same drive-enumeration bug, however, this routine fails. The overwrite is done in place, so the size of an affected file does not change.

The worm sleeps for 30 minutes between drives.

The worm exploits a vulnerability that lets an executable attachment run even in the MS Outlook preview pane. More information about this vulnerability is available in the Microsoft Security Bulletin, and a security update is available from Microsoft's Security Update page.


Minimum scan engine version needed: 5.200

Pattern file needed: 1.160.00

Pattern release date: Oct 26, 2001

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.



To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.


Please download Microsoft's security update.

  1. Delete all email messages containing the details described above.
  2. Restore your system configurations through the registry. Click Start>Run, type Regedit.exe then hit the Enter key.
  3. Double click the following:
  4. On the right panel, look for the following registry value:
  5. Click this value then hit the Delete key.
  6. On the right panel, look for the following registry value:
  7. Click this value then hit the Delete key.
  8. Close the Registry.
  9. Restart your system.
  10. Scan your system with Trend Micro antivirus and delete all files detected as TROJ_KLEZ.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.
