Classification

Category :

Malware

Type :

-

Aliases :

Klez.E, I-Worm.Klez.E, Stemdil, W95/Klez.E@mm

Summary

Klez.E will destroy data on 6th of July by overwriting all files on local and network drives with random data.

The description of the original Klez variant can be found here:

https://europe.f-secure.com/v-descs/klez.shtml

Removal

Disinfection of Klez.E worm can be performed with the special tool that is available on our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip

Please read the KLEZTOOL.TXT file included in the ZIP archive before using the tool.

Removal help with Video

We have produced an online video showing step-by-step how to get rid of the Klez worm.

View the video (Real) from here:

https://www.f-secure.com/virus-info/video/klez.ram

You can download RealPlayer from here:

https://www.real.com/player/index.html?lang=en

For feedback on the video or further questions, contact support@f-secure.com

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Klez.E is a new variant of Klez worm that was first discovered on 17th of January 2002. The worm is "version 2.0" according to its author's classification and has several new features comparing to the older variants. The worm still has bugs that remained from previous versions.

The differences from the original version are as follows:

1. The worm installs itself to Windows System directory as WINKxxxx.EXE file. The 'xxxx' can be 2-3 random letters. The worm creates an autostarting key for its file in System Registry.

2. The worm now has file infection capabilities. When infecting an EXE file, the worm overwrites it and creates a backup file with the same name as the infected file, but with a random extension with hidden, system and read-only attributes. When the infected file is run, the worm extracts the original program from a backup file with its original name plus 'MP8' and runs it. After the program terminates, the worm deletes it. The worm doesn't infect files with the following names:

 EXPLORER
CMMGR
MSIMN
ICWCONN
WINZIP

This type of infection is called 'companion infection'.

3. The worm has network spreading capabilities. The worm enumerates network resources and copies itself to remote drives twice - once as an executable file with single or double extension, and second time as a RAR archive that can have single or double extension as well. The RAR archive contains the worm's executable file with one of the following names:

 setup
install
demo
snoopy
picacu
kitty
play
rock

The first extension of the RAR archive or of the worm's executable can be:

 .txt
.htm
.html
.wab
.doc
.xls
.jpg
.cpp
.c
.pas
.mpg
.mpeg
.bak
.mp3

The second or the only extension of the worm's executable file can be:

 .exe
.scr
.pif
.bat

The dropped RAR archive and worm's executable file name is either random or belongs to a file, that a worm found on a host system. So it can be for example QQ.PAS.EXE , KERNEL.MP3.PIF , DOCUMENT.SCR and so on.

4. The worm kills tasks of anti-virus and security software as well as tasks of several other worms - Nimda, Sircam, Funlove and CodeRed. The worm opens processes and looks for the specific text strings there. If a specific text string is found in a process, the worm terminates this process. The strings the worm looks for are:

 Sircam
Nimda
CodeRed
WQKMM3878
GRIEF3878
Fun Loving Criminal
Norton
Mcafee
Antivir
Avconsol
F-STOPW
F-Secure
Sophos
virus
AVP Monitor
AVP Updates
InoculateIT
PC-cillin
Symantec
Trend Micro
F-PROT
NOD32

Also the worm terminates processes with the following names:

_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
 NSPLUGIN
NAV NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
 _AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
 ANTIVIR
AVPUPD
AVGCTRL
AVWIN95 SCAN32
VSHWIN32
F-STOPW
 F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
 AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
 SCAN
VIRUS
LOCKDOWN2000
Norton
Mcafee
Antivir
TASKMGR

5. The worm removes autostarting Registry keys of security and anti-virus software thus disabling this software or parts of it completely on next Windows startup.

6. The worm affects anti-virus checksum files and ingegrity checker databases with the following names:

 ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT

7. The worm drops a new version of Elkern virus ("version 1.1" according to author's classification) that is also known as Win32.Klez.b. Please see Elkern description for more info, the link to it is on the top of this page.

8. The worm can corrupt binary executables and data files.

9. The worm contains the following text strings that are never displayed:

 Win32 Klez V2.0 & Win32 Elkern V1.1,(There nick name is Twin Virus*^__^*)
Copyright,made in Asia,announcement:
1.I will try my best to protect the user from some vicious

virus,Funlove,Sircam,Nimda,CodeRed and even include W32.Klez 1.X.
2.Well paid jobs are wanted
3.Poor life should be unblessed
4.Don't accuse me.Please accuse the unfair sh*t world

10. The worm has a complex payload routine. It works as a separate thread and constantly checks system date. If the month number is odd (1, 3, 5, etc.) and the date is equal to 6 then the worm proceeds further. It then checks if the month number is equal to 7 (July) or 1 (January) and sets a special flag if it is. Then the main payload routine is activated. It looks for all files on all local and network drives. If the month is not 1 or 7, the routine only affects files with the following extensions:

 txt
htm
html
wab
doc
xls
jpg
cpp
c
pas
mpg
mpeg
bak
mp3

Otherwise all files are affected. The worm overwrites found files with random data thus destroying their content.

11. email messages sent by Klez.e are composed according to really complex rules that makes possible of creating a large number of different messages. It can create sentences from different parts like:

 'The attachment is a very dangerous virus that spread trough email.'
'The file is a special dangerous virus that can infect on Win98/Me/2000/XP.'

Just like the other variants of Klez this one uses the Incorrect MIME Header (MS01-020) vulnerabilty to send attachments that are automatically executed when the message is opened. See the link to Microsoft security advisory above.

Recipients' email addresses are collected from the Windows Address Book as well as from ICQ user databases. The worm uses it's own SMTP routines so it can send email without an email client.

Important Note: The emails sent by Klez.E worm often have faked sender's address. The worm randomly picks sender's address from web pages, ICQ databases or Windows Address Books. This means that if you get Klez.E worm in email, it's quite likely that it was NOT sent to you by the person listed in the 'From' field of email message (sender's address).

The worm can send itself in messages with one the following subjects:

	how are you 	let's be friends 	darling 	don't drink too much 	your password 	honey 	some questions 	please try again 	welcome to my hometown 	the Garden of Eden 	introduction on ADSL 	meeting notice 	questionnaire 	congratulations 	sos! 	japanese girl VS playboy 	look,my beautiful girl friend 	eager to see you 	spice girls' vocal concert 	japanese lass' sexy pictures 	 	

Also the worm sometimes sends messages pretending to be infection removal tools from a few anti-virus companies. For example:

	Subject:  removal tools 	Body: 	 is a dangerous virus that spread through email. 	 give you the  removal tools  	For more information,please visit http://www..com  

The <av_company_name> can be 'Symantec', 'Mcafee', 'F-Secure' or 'Sophos'. The <virusname> can be 'W32.Elkern' or 'W32.Klez'. Do not run attachments from such messages!

Also the worm can pretend to be a game, it can send itself (usually as SETUP.EXE or INSTALL.EXE) with the a message:

	Subject:
removal tools 	Body: 	 is a dangerous virus that spread through email. 	 give you the
removal tools
	For more information,please visit http://www..com

Sometimes the virus compares current date against a preset list of 10 different holiday dates. If the date matches, the worm will send an email with a subject field such as "Happy Christmas", "Have a nice Christmas" or "Have a good Christmas". There are several variations on the exact subject field.

This only happens on one day per year for each of the holidays - for Christmas, Klez only tries to send these messages on 25th of December. Explanation for getting these messages before Christmas is simply that lots of people have their computers date set wrong.

The holidays are:

	Subject:
removal tools 	Body: 	 is a dangerous virus that spread through email. 	 give you the
removal tools
	For more information,please visit http://www..com

Here are the screenshots of Klez.E worm as it arrives in email:

12. The worm corrupts a lot of system files including DLL and VXD ones that often makes a system unusable after restart. The corruption happens because the worm tries to preserve the time/date stamp of a file it tries to infect and it saves this value into EXE file header without bothering to check if it's a PE, NE or LE header. So NE and LE headers get corrupted and a file usually becomes unusable after that.