Threat Description

Worm:​W32/Klez

Details

Aliases:Worm:​W32/Klez
Category:Malware
Type:Worm
Platform:W32

Summary



A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

For more general information on disinfection, please see Removal Instructions .

Video: Klez Removal

We have produced a video showing step-by-step how to get rid of the Klez worm: http://www.f-secure.com/virus-info/video/klez.ram

Note: The video requires RealPlayer to view. You may download RealPlayer from: http://www.real.com/player/index.html?lang=en



Technical Details



Worm:W32/Klez is a mass-mailer worm which drops a polymporphic EXE virus called ElKern.

On some systems the worm is able to self-launch itself when an infected e-mail is viewed (for example, with Outlook and IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that allows execution of an email attachment. This vulnerability is fixed and a patch for it is available on Microsoft site: http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

This worm/virus combo apparently originated from Asia, possibly China or Hong Kong. First infections were located early on the morning of 26th of October, 2001.

Propagation (E-mail)

The e-mails sent by Klez can have a wide variety of different subject fields such as:

Subject:

  • Hi
  • Hello
  • How are you?
  • Can you help me?
  • We want peace
  • Where will you go?
  • Congratulations!!!
  • Don't cry
  • Look at the pretty
  • Some advice on your shortcoming
  • Free XXX Pictures
  • A free hot porn site
  • Why don't you reply to me?
  • How about have dinner with me together?
  • Never kiss a stranger

The message has no text in body and the attachment name is random.

The worm part contains a hidden message targeted towards anti-virus researchers. Most e-mail clients will not show this message. It looks like this:

The Klez worm copies itself to root directories of local and network drives with a random name and with double extension, such as .TXT.EXE.

Variants


Variant:Klez.D

Klez.D appeared in the wild on 11th of November, 2001. This variant has a few changes compared to the previous versions. First of all it looks for e-mail addresses in the user's ICQ database files also. This means that anyone in the user's ICQ contact list is a potential recipient of the worm.

Another change in the e-mail part is that the attachments can now have .EXE and .PIF extension also. It was only .EXE with the previous versions. When the worm is copied to the Windows system directory it's nownamed as 'WinSvc.exe'. The same name is used in the registry run key:

  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSvc'

This version of the worm will try to locate and terminate processes that contain the words like 'Nimda', 'CodeRed', 'Code Red', 'CodeBlue', 'Code Blue'.

It also has a string inside that is never displayed:

  • 'I will try my best to kill some virus'

F-Secure Anti-Virus detects and stops both Klez and Elkern. Detection was added with the update shipped on 26th of October around 15 o'clock GMT. The update with detection for D variant was published on 12th of November 09:00GMT.


Variant:Klez.E

Klez.E is a new variant of Klez worm that was first discovered on 17th of January 2002. The worm is "version 2.0" according to its author's classification and has several new features comparing to the older variants. The worm still has bugs that remained from previous versions.

The differences from the original version are as follows:

  • The worm installs itself to Windows System directory as WINKxxxx.EXE file. The 'xxxx' can be 2-3 random letters. The worm creates an autostarting key for its file in System Registry.
  • The worm now has file infection capabilities. When infecting an EXE file, the worm overwrites it and creates a backup file with the same name as the infected file, but with a random extension with hidden, system and read-only attributes. When the infected file is run, the worm extracts the original program from a backup file with its original name plus 'MP8' and runs it. After the program terminates, the worm deletes it. The worm does not infect files with the following names:
    • EXPLORER
    • CMMGR
    • MSIMN
    • ICWCONN
    • WINZIP
    This type of infection is called 'companion infection'.
  • The worm has network spreading capabilities. The worm enumerates network resources and copies itself to remote drives twice - once as an executable file with single or double extension, and second time as a RAR archive that can have single or double extension as well. The RAR archive contains the worm's executable file with one of the following names:
    • setup
    • install
    • demo
    • snoopy
    • picacu
    • kitty
    • play
    • rock
  • The first extension of the RAR archive or of the worm's executable can be:
    • .txt
    • .htm
    • .html
    • .wab
    • .doc
    • .xls
    • .jpg
    • .cpp
    • .c
    • .pas
    • .mpg
    • .mpeg
    • .bak
    • .mp3
  • The second or the only extension of the worm's executable file can be:
    • .exe
    • .scr
    • .pif
    • .bat
  • The dropped RAR archive and worm's executable file name is either random or belongs to a file, that a worm found on a host system. So it can be for example QQ.PAS.EXE , KERNEL.MP3.PIF , DOCUMENT.SCR and so on.
  • The worm kills tasks of anti-virus and security software as well as tasks of several other worms - Nimda, Sircam, Funlove and CodeRed. The worm opens processes and looks for the specific text strings there. If a specific text string is found in a process, the worm terminates this process. The strings the worm looks for are:
    • Sircam
    • Nimda
    • CodeRed
    • WQKMM3878
    • GRIEF3878
    • Fun Loving Criminal
    • Norton
    • Mcafee
    • Antivir
    • Avconsol
    • F-STOPW
    • F-Secure
    • Sophos
    • virus
    • AVP Monitor
    • AVP Updates
    • InoculateIT
    • PC-cillin
    • Symantec
    • Trend Micro
    • F-PROT
    • NOD32
  • Also the worm terminates processes with the following names:
    • _AVP32 _AVPCC NOD32 NPSSVC NRESQ32 NSCHED32 NSCHEDNT NSPLUGIN NAV NAVAPSVC NAVAPW32 NAVLU32 NAVRUNR NAVW32 _AVPM ALERTSVC AMON AVP32 AVPCC AVPM N32SCANW NAVWNT ANTIVIR AVPUPD AVGCTRL AVWIN95 SCAN32 VSHWIN32 F-STOPW F-PROT95 ACKWIN32 VETTRAY VET95 SWEEP95 PCCWIN98 IOMON98 AVPTC AVE32 AVCONSOL FP-WIN DVP95 F-AGNT95 CLAW95 NVC95 SCAN VIRUS LOCKDOWN2000 Norton Mcafee Antivir TASKMGR
  • The worm removes autostarting Registry keys of security and anti-virus software thus disabling this software or parts of it completely on next Windows startup.
  • The worm affects anti-virus checksum files and ingegrity checker databases with the following names:
    • ANTI-VIR.DAT
    • CHKLIST.DAT
    • CHKLIST.MS
    • CHKLIST.CPS
    • CHKLIST.TAV
    • IVB.NTZ
    • SMARTCHK.MS
    • SMARTCHK.CPS
    • AVGQT.DAT
    • AGUARD.DAT
  • The worm drops a new version of Elkern virus ("version 1.1" according to author's classification) that is also known as Win32.Klez.b.
  • The worm can corrupt binary executables and data files.
  • The worm contains the following text strings that are never displayed:
    • Win32 Klez V2.0 & Win32 Elkern V1.1,(There nick name is Twin Virus*^__^*)
    • Copyright,made in Asia,announcement:
    • 1.I will try my best to protect the user from some vicious
    • virus,Funlove,Sircam,Nimda,CodeRed and even include W32.Klez 1.X.
    • 2.Well paid jobs are wanted
    • 3.Poor life should be unblessed
    • 4.Don't accuse me.Please accuse the unfair sh*t world
  • The worm has a complex payload routine. It works as a separate thread and constantly checks system date. If the month number is odd (1, 3, 5, etc.) and the date is equal to 6 then the worm proceeds further. It then checks if the month number is equal to 7 (July) or 1 (January) and sets a special flag if it is. Then the main payload routine is activated. It looks for all files on all local and network drives. If the month is not 1 or 7, the routine only affects files with the following extensions:
    • txt
    • htm
    • html
    • wab
    • doc
    • xls
    • jpg
    • cpp
    • c
    • pas
    • mpg
    • mpeg
    • bak
    • mp3
  • Otherwise all files are affected. The worm overwrites found files with random data thus destroying their content.
  • E-mail messages sent by Klez.e are composed according to really complex rules that makes possible of creating a large number of different messages. It can create sentences from different parts like:
    • 'The attachment is a very dangerous virus that spread trough e-mail.'
    • 'The file is a special dangerous virus that can infect on Win98/Me/2000/XP.'
  • Around special dates special greeting messages are sent too. Like these:
    • 'Happy Christmas'
    • 'Happy New Year'

Here are screenshots of Klez.E worm when it arrives in e-mail:

Just like the other variants of Klez this one uses the Incorrect MIME Header (MS01-020) vulnerabilty to send attachments that are automatically executed when the message is opened. See the link to Microsoft security advisory above.

Recipient e-mail addresses are collected from the Windows Address Book as well as from ICQ user databases. The worm uses it's own SMTP routines so it can send e-mail without an e-mail client.

Important Note: The e-mails sent by Klez.E worm often have faked sender's address. The worm randomly picks sender's address from web pages, ICQ databases or Windows Address Books. This means that if you get Klez.E worm in e-mail, it's quite likely that it was NOT sent to you by the person listed in the 'From' field of e-mail message (sender's address).

Detection of Klez.E worm is available in the updates published on 17th of January 2002.


Variant:Klez.F

Klez.F is a minor variant of Klez.E worm. It appeared in the wild in April 2002.


Variant:Klez.G

Klez.G worm appeared on 29th of January 2002. This variant is very close to Klez.E variant. The worm drops Elkern virus 1.1, identical to the one that was dropped by Klez.E variant. Only a few differences have been noticed in G variant:

  • When an infected file is run, the worm extracts the original file from a temporary file (created upon infection) with its name plus its extension, adds EXE extension and runs it. For example the preserved temporary file name is SYSTEM.CLF, so the worm will create a new file called SYSTEMCLF.EXE with the code of the original infected file and run it.
  • The author of the worm sends a 'message' to AV companies in his worm's credits:
    • 2.Pitiful AVers,can't Elkern 1.0 & 1.1 work on Win 2K&XP?Plz clear your eyes.

It should be noted that the Elkern virus works on Windows 2000 only due to dumb luck as there's a serious bug in the virus code that usually makes it crash just after installation into memory.

The worm still corrupts a lot of system files including DLL and VXD ones that often makes a system unusable after restart. The corruption happens because the worm tries to preserve the time/date stamp of a file it tries to infect and it saves this value into EXE file header without bothering to check if its a PE, NE or LE header. So NE and LE headers get corrupted and a file usually becomes unusable after that.

Like Klez.E variant, the new variant can send itself with empty messages with one the following subjects:

  • how are you
  • let's be friends
  • darling
  • don't drink too much
  • your passworddesc
  • honey
  • some questions
  • please try again
  • welcome to my hometown
  • the Garden of Eden
  • introduction on ADSL
  • meeting notice
  • questionnaire
  • congratulations
  • sos!
  • japanese girl VS playboy
  • look,my beautiful girl friend
  • eager to see you
  • spice girls' vocal concert
  • japanese lass' sexy pictures

Also the worm sometimes sends messages pretending to be infection removal tools from a few anti-virus companies. For example:

Subject: removal tools

 Body:

 is a dangerous virus that spread through email. give you the removal tools

 For more information,please visit http://www.[virusname][av_company_name].com

 The [av_company_name] can be 'Symantec', 'Mcafee', 'F-Secure' or 'Sophos'. The [virusname] can be 'W32.Elkern' or 'W32.Klez'.  
 

Do not run attachments from such messages!

Also the worm can pretend to be a game, it can send itself (usually as SETUP.EXE) with the a message:

This is a special humour game

 This game is my first work. You're the first player. I expect you would like it.
 

The first and last lines can vary. This message will be displayed only by e-mail clients that ignore IFrame trick used by the worm to automatically launch itself from an e-mail message. The worm can also send 'congratulations' on one of the following holidays:

  • Christmas
  • New year
  • Saint Valentine
  • Allhallowmas
  • April Fools' Day
  • Lady Day
  • Assumption
  • Candlemas
  • All Souls' Day
  • Epiphany

Detection of Klez.G worm is available in the updates published on 30th of January 2002.

Klez.H

This worm variant appeared in the wild on 17th of April 2002. It is quite close to E, F and G variants of Klez.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More