Klez/Elkern worm
Description: Klez is a mass mailer that was first
reported in October '01. In May '02, Klez became the most
prevalent malware of all time! There are a few variants
of Klez now in the wild, and all except the H variant have
a destructive payload.
Propagation: Klez propagates through e-mail, taking
advantage of the 'incorrect MIME header vulnerability' in
Internet Explorer to automatically run the virus code
when the message is viewed in the preview pane of
Outlook/OE. When the code is executed, it drops the Elkern
worm in addition to copying itself to the system directory.
Klez and Elkern are both network aware and will infect
every computer that has unprotected shared drives to which
there is write access. A deceitful 'feature' of Klez is the
spoofing of the 'From' address from which the infected
e-mail appears to be sent. The faked address is picked at
random from Internet files on the victim's PC that are
likely to contain e-mail addresses. Therefore, Klez infected
e-mail virtually never comes from the person who appears
to have sent it.
The downside of the address spoofing is a significant increase
in junk e-mail traffic. Worse, Klez deliberately mocks the
antivirus industry and turns its products into massive spam
and junk e-mail generators. AV products automatically
scan e-mail and alert the senders of infected mail with
self-advertising notices. Due to Klez's spoofing, innocent
posters now receive loads of these spam/alert messages
for a virus that they never sent!
Klez installs itself by dropping the wink*.exe driver
in the system directory and adding the file to the machine
Run startup list in the registry. Klez uses any of the
following filenames: Wink*.exe (where * are random characters,
Winkirk.exe for example), Krn132.exe, and/or Wqk.exe
and Wqk.dll.
Giveaway: On activation, Klez disables the real-time
protection of all major AV products. The disappearance of
the Interceptor icon, combined with the presence of a file
matching the wink*.exe spec in the system directory, is an
unmistakable giveaway that Klez is active on that PC.
Payload: All Klez variants (except the latest and most
widespread one, 'H') have a destructive payload that
triggers on the sixth of odd-numbered months (January, March,
May, etc.). On that date, the worm trashes MS Office files
such as documents, worksheets and presentations, as well as
files having the following extensions:
txt, htm, html, wab, jpg, cpp, c, pas, mpg, mpeg, bak, and
mp3. On 6 January and 6 July, Klez deletes all files on
accessible drives, whether local or remote (network)! Files
that were damaged by the Klez payload cannot be recovered.
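The giveaway file names and the payload calendar above can be turned into a simple defender-side check. The following Python is an added example written for this page, not InVircible's code: it matches the names the page lists (Wink*.exe with random characters, Krn132.exe, Wqk.exe, Wqk.dll) against a directory listing and against exported Run-key values, and classifies a date by the payload the page describes. The default system path and the sample Run-key contents are assumptions constructed for the demonstration.

```python
import os
import re

# File names the page lists for the dropped Klez/Elkern components.
# "Wink*.exe" is a fixed prefix plus random characters, so it is a pattern;
# the others are literal. Windows names are case-insensitive, so match that way.
KLEZ_NAME_PATTERNS = [
    re.compile(r"^wink[^\\/]*\.exe$", re.IGNORECASE),
    re.compile(r"^krn132\.exe$", re.IGNORECASE),
    re.compile(r"^wqk\.(exe|dll)$", re.IGNORECASE),
]

def is_klez_name(filename):
    """True if a bare file name matches a name Klez is known to drop."""
    return any(p.match(filename) for p in KLEZ_NAME_PATTERNS)

def find_klez_files(names):
    """Return, sorted, the entries of an iterable of file names that look like Klez drops."""
    return sorted(n for n in names if is_klez_name(n))

def scan_system_dir(path=r"C:\WINDOWS\SYSTEM32"):
    """List the system directory (assumed default path) and report matching names."""
    return find_klez_files(os.listdir(path)) if os.path.isdir(path) else []

def _executable_basename(command):
    """Extract the executable's file name from a Run-key command line."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1]

def suspicious_run_entries(run_values):
    """Names of Run-key values whose command points at a Klez-style file.
    run_values maps value name -> command string, as exported from the
    machine Run key (passed in so the check runs offline on any platform)."""
    return [name for name, cmd in run_values.items()
            if cmd.strip() and is_klez_name(_executable_basename(cmd))]

def payload_on(month, day):
    """Payload class the page describes for a calendar date: 'wipe' on 6 Jan
    and 6 Jul, 'corrupt' on the 6th of other odd months, else None."""
    if day != 6 or month % 2 == 0:
        return None
    return "wipe" if month in (1, 7) else "corrupt"

if __name__ == "__main__":
    # Constructed sample Run-key export, not taken from a real machine.
    run_key = {"Wink": r'"C:\WINDOWS\SYSTEM\Winkirk.exe"',
               "SystemTray": "SysTray.Exe /auto"}
    print(suspicious_run_entries(run_key), payload_on(3, 6), scan_system_dir())
```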
Detection/Prevention: IV Interceptor intercepts
Klez/Elkern when it attempts to install itself, and removes
the bogus registry entry in real time, preventing the initialization
of the worm. Users of InVircible are protected against the
Klez worm.
Internet Explorer patch and security settings: Users
of Internet Explorer, all versions, are strongly advised
to install the MS cumulative security patch from the
Microsoft site. Users are also advised to tighten security
by setting Outlook's / Outlook Express' security to
"restricted zone" and to switch off the Outlook/OE preview
pane (View / Layout)! Without the patch and proper security
settings, the computer is not safe and will become infected
just on browsing infected e-mail with the preview pane,
without even opening the bogus message!