When we originally got the sample of the Klez worm, we found that it dropped this virus onto the system. The virus then lived its own life, independent of the worm.
It should be noted that, because of a serious bug in its code, the virus does not work on any operating system except Windows 98. By blind luck the virus also happens to work on Windows 2000.
The virus consists of four main parts: the initial decryptor, the startup code, the API table and the main code. When the virus code gets control, the initial decryptor, which is low-polymorphic, decrypts the startup code and passes control to it.
The virus locates the KERNEL32.DLL library by scanning Windows memory and gets the addresses of 27 Windows API functions. The virus then allocates a block of memory for itself and copies its body there in several parts. The structure looks like:
----------------------- Initial Decryptor
----------------------- Startup Code
----------------------- API Table
If the virus is started from an infected file, it 'assembles' its main code by copying the pieces of it that were stored in the gaps between file sections (cavity infection). Then the virus decrypts its main body, erases its previous encryption keys and passes control to the main code. The virus uses variable-key encryption to encrypt/decrypt its main body.
When the main code gets control, the first thing it does is call the IsDebuggerPresent API function. But the virus calls this function through a fixed, hardcoded address, and that address is valid only on Windows 98; on all other systems the virus simply crashes. The virus registers itself as a service process, so its task is not visible in the Task List.
On Windows 98 systems the virus copies the file it was started from (either an infected file or a dropper) to the Windows system directory under the name WQK.EXE, sets the hidden, system and read-only attributes on it and then creates a startup entry in the Registry to activate the dropper the next time Windows starts. On Win9x the virus creates the 'WQK' entry in the following key:
On Windows NT and 2000 the virus was supposed to drop itself as a WQK.DLL file into the Windows system folder (\System32\) and to register it for startup through the 'AppInit_DLLs' value in the following key:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
On Windows NT this doesn't happen because the virus crashes. By dumb luck the virus doesn't crash on Windows 2000, even though it calls a non-existent API address.
Then the virus starts to look for executable files on local and network drives and shares and infects them, preserving the files' time stamps and attributes. Only PE EXE and SCR files are infected.
For each file it infects, the virus generates a different key for its main code encryption and also generates a new low-polymorphic initial decryptor. The infection is appending, but the virus also tries to use the gaps between file sections to write small parts of its code there (cavity infection). Because of this the infection size is variable. The entry point of an infected program is redirected to the initial virus decryptor.
The Elkern.B virus appeared with the sample of the Klez.E worm on 17 January 2002. The virus is 'version 1.1' according to the author's own classification. No major improvements were made compared with the earlier version and no major bugs were fixed. The virus still crashes on any operating system except Windows 98 and 2000 because of the bad API address call.
The Elkern.C virus was first introduced by the Klez.H worm. The worm created the virus's dropper with a random name in the \Program Files\ folder and activated it. Then the virus lived its own life. The .C variant is based on the previous Elkern variants, with a few minor changes including one bug fix.
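The two infection traits described above, code written into the alignment padding between file sections and an entry point redirected to a decryptor stub, are visible in the PE headers alone. The following is an added example, not code from the original description and not a detection routine of the vendor; it parses the section table of a PE32 file, reports non-zero bytes in each section's padding (the bytes between VirtualSize and SizeOfRawData, which the loader still maps) and checks whether the entry point falls inside such padding. The sample images it scans are constructed in the script (the section names, alignment constants and payload bytes are all assumptions made for the demo), and the check is a heuristic: some linkers fill code-section padding with non-zero bytes such as INT3, so a hit is a lead to inspect, not a verdict.

```python
import struct
from collections import namedtuple

FILE_ALIGN = 0x200   # file alignment of the constructed sample (assumption)
SECT_ALIGN = 0x1000  # section alignment of the constructed sample (assumption)
Section = namedtuple("Section", "name virtual_address virtual_size raw_offset raw_size")

def parse_pe(data):
    """Parse the headers of a PE32 file; returns (entry_rva, [Section, ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, va, vsize, roff, rsize))
    return entry_rva, sections

def scan_cavities(data):
    """Heuristic cavity-infection check: raw data is rounded up to the file
    alignment, so bytes past VirtualSize are padding that is normally zero.
    Code written there, or an entry point landing there, is what a cavity infector leaves."""
    entry_rva, sections = parse_pe(data)
    report = {"entry_section": None, "entry_in_slack": False,
              "cavities": [], "overlay_bytes": 0}
    end_of_sections = 0
    for s in sections:
        extent = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= entry_rva < s.virtual_address + extent:
            report["entry_section"] = s.name
            report["entry_in_slack"] = entry_rva - s.virtual_address >= s.virtual_size
        if s.raw_size > s.virtual_size:
            slack = data[s.raw_offset + s.virtual_size:s.raw_offset + s.raw_size]
            nonzero = sum(1 for b in slack if b)
            if nonzero:
                report["cavities"].append((s.name, len(slack), nonzero))
        end_of_sections = max(end_of_sections, s.raw_offset + s.raw_size)
    report["overlay_bytes"] = max(0, len(data) - end_of_sections)  # data appended after the last section
    return report

def build_sample_pe(entry_rva, sections, payloads=()):
    """Constructed PE32 image for the demo (not a real binary). sections: [(name, virtual_size)];
    raw data is zero-filled and rounded to FILE_ALIGN. payloads: (section_index, offset_in_raw, bytes)."""
    hdr = bytearray(0x400)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    opt_size = 224                                   # standard PE32 optional header size
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<I", hdr, opt + 32, SECT_ALIGN)
    struct.pack_into("<I", hdr, opt + 36, FILE_ALIGN)
    body = bytearray()
    va, roff = SECT_ALIGN, len(hdr)
    for i, (name, vsize) in enumerate(sections):
        rsize = -(-vsize // FILE_ALIGN) * FILE_ALIGN  # round up to file alignment
        off = opt + opt_size + i * 40
        hdr[off:off + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, vsize, va, rsize, roff)
        raw = bytearray(rsize)
        for idx, at, blob in payloads:
            if idx == i:
                raw[at:at + len(blob)] = blob
        body += raw
        va += -(-vsize // SECT_ALIGN) * SECT_ALIGN
        roff += rsize
    return bytes(hdr + body)

# Clean sample: entry at the start of .text, alignment padding left zero-filled.
CLEAN_PE = build_sample_pe(0x1000, [(".text", 0x300), (".data", 0x100)])

# Constructed stand-in for a cavity infection: code-like bytes in the padding of
# .text and .data, and the entry point redirected into the .text padding.
INFECTED_PE = build_sample_pe(
    0x1000 + 0x300,
    [(".text", 0x300), (".data", 0x100)],
    payloads=[(0, 0x300, b"\xEB\xFE" * 48), (1, 0x100, b"\x90" * 64)],
)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, scan_cavities(image))
```

Running the script prints an empty cavity list for the clean image and, for the constructed infected one, 96 non-zero bytes in the 256-byte padding of .text, 64 in .data, and an entry point that lies past the end of .text's VirtualSize. Against real files, pair this with the overlay count (the appended part of the infection extends the file beyond the last section) and with a check that the entry point lies in a section marked executable.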