Klez/Elkern worm
Description: Klez is a mass mailer that was first
reported in October '01. In May '02, Klez became the most
prevalent malware of all time! There are a few variants
of Klez now in the wild, and all except the H variant have
a destructive payload.
Propagation: Klez propagates through e-mail, taking
advantage of the 'incorrect MIME header vulnerability' in
Internet Explorer to automatically open the virus code
when the message is viewed in the preview pane of Outlook/OE.
When the code is executed, it drops the Elkern worm,
in addition to copying itself to the system directory. Klez
and Elkern are both network aware and will infect every
computer that has unprotected shared drives to which there
is write access. A deceitful 'feature'
of Klez is the spoofing of the 'From' address from which
the infected e-mail is apparently sent. The faked address
is picked at random from Internet files on the victim's
PC that are likely to contain e-mail addresses. Therefore,
Klez-infected e-mail virtually never comes from the person
who appears to have sent it.
The downside of the address spoofing is a significant increase
in junk e-mail traffic. Worse, Klez deliberately mocks the
antivirus industry and turns its products into massive spam
and junk e-mail generators. AV products routinely scan e-mail
automatically and alert the senders of infected mail with
self-advertising notices. Due to Klez's spoofing, innocent
posters now receive loads of these spam/alert messages
for a virus that they never sent!
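The propagation mechanism described above, as an added example that is not from the original page or from InVircible: a Python check that walks a message's MIME parts and flags any part whose filename carries an executable extension while its declared Content-Type is a non-application media type, which is the general shape of the incorrect MIME header problem the text describes (a client that trusts the declared type renders the part inline on preview). The two sample messages, the attachment names and the extension list are constructed assumptions. The check deliberately never consults the 'From' header, since the worm forges it.

```python
import os
import email
from email import policy

# Attachment extensions that Windows will execute when opened (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs"}

# Constructed sample message (not a real Klez capture). Its second part carries an
# executable filename under a media Content-Type that a mail client of the era would
# render inline in the preview pane. The base64 body is just the word "constructed".
SUSPECT_RAW = b"""From: someone@example.test
To: recipient@example.test
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="boundary-1"

--boundary-1
Content-Type: text/html; charset=us-ascii

<html><body>Hello</body></html>
--boundary-1
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--boundary-1--
"""

# Constructed clean message for comparison: a text attachment declared honestly.
CLEAN_RAW = b"""From: someone@example.test
To: recipient@example.test
Subject: Notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary-2"

--boundary-2
Content-Type: text/plain; charset=us-ascii

See attached.
--boundary-2
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--boundary-2--
"""


def find_mime_mismatches(raw):
    """Return [(filename, declared content type)] for every MIME part whose
    filename has an executable extension but whose declared Content-Type is
    not an application/* type, i.e. the declared type invites the client to
    render the part inline instead of treating it as a program."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Content-Disposition filename= first, then Content-Type name=
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTENSIONS and not ctype.startswith("application/"):
            findings.append((filename, ctype))
    return findings


def should_quarantine(raw):
    """Gateway decision: hold the message if any part has a mismatched declared type.
    Nothing here trusts the From: header, which the worm forges."""
    return bool(find_mime_mismatches(raw))


if __name__ == "__main__":
    print(find_mime_mismatches(SUSPECT_RAW))
    print(should_quarantine(CLEAN_RAW))
```

Run it as a script to see the suspect message flagged and the clean one passed. Because the rule keys on the declared type versus the filename rather than on sender identity, it keeps working when the 'From' address is spoofed, and it is cheap enough to run at a mail gateway before the message reaches a client that still auto-renders the preview pane.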
Klez installs itself by dropping the wink*.exe driver
in the system directory, and adding the file to the registry
machine Run startup list. Klez uses any of the
following filenames: Wink*.exe (where * stands for random characters,
Winkirk.exe for example), Krn132.exe, and/or Wqk.exe
and Wqk.dll.
Giveaway: On activation, Klez disables the real-time
protection of all major AV products. The disappearance of the Interceptor
icon, combined with the presence of a file matching the
wink*.exe spec in the system directory, are unmistakable
giveaways that Klez is active on that PC.
Payload: All Klez variants (except the latest and most
widespread one, 'H') have a destructive payload that
triggers on the sixth of odd-numbered months (January, March,
etc.). On that date, the worm trashes MS Office files
(documents, worksheets, presentations), as well as files
having the following extensions:
txt, htm, html, wab, jpg, cpp, c, pas, mpg, mpeg, bak, and
mp3. On January 6 and July 6, Klez deletes all files on accessible
drives, whether local or remote (network)! Files that were
damaged by the Klez payload cannot be recovered.
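The dropper filenames, registry Run entry and giveaway described earlier, together with the payload schedule just above, as an added example that is not from the original page or from InVircible: Python functions that flag files matching the listed dropper names, extract the image path from machine Run-key command lines and flag the dropper-named ones, and classify a month/day against the destructive trigger schedule so an operator knows how urgent cleanup is. The sample directory listing and the Run-key value names are constructed; the description gives the file names but not the registry value name the worm uses, so the value names here are assumptions.

```python
import fnmatch
import ntpath
from datetime import date

# Dropper filenames the description lists (matched case-insensitively; '*' = random characters).
DROPPER_PATTERNS = ("wink*.exe", "krn132.exe", "wqk.exe", "wqk.dll")


def matches_dropper_name(path):
    """True if the file's base name matches one of the known dropper name patterns."""
    base = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(base, pattern) for pattern in DROPPER_PATTERNS)


def scan_system_dir(listing):
    """Return the suspicious entries from a listing of the Windows system directory."""
    return sorted((name for name in listing if matches_dropper_name(name)), key=str.lower)


def image_path(command):
    """Extract the executable path from a Run-key command line, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def scan_run_key(run_values):
    """run_values: {value name: command line} as read from the machine Run key.
    Returns {value name: image path} for entries that start a dropper-named file."""
    return {name: image_path(cmd) for name, cmd in run_values.items()
            if matches_dropper_name(image_path(cmd))}


def payload_trigger(month, day):
    """Classify a calendar date by the destructive schedule in the description:
    'wipe' on 6 January and 6 July, 'corrupt' on the 6th of the other odd months,
    otherwise 'none'."""
    if day != 6 or month % 2 == 0:
        return "none"
    return "wipe" if month in (1, 7) else "corrupt"


# Constructed sample inputs (not taken from a real machine).
SAMPLE_SYSTEM_DIR = [
    "kernel32.dll", "winkirk.exe", "WINKBOM.EXE", "wqk.dll",
    "winkey.dll", "krn132.exe", "notepad.exe",
]
SAMPLE_RUN_KEY = {                       # value names are assumptions, not the worm's
    "SystemTray": "SysTray.Exe",
    "Wink": r"C:\WINDOWS\SYSTEM\winkirk.exe",
    "Krn132": r'"C:\WINDOWS\SYSTEM\krn132.exe" /s',
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}


def assess_host(listing, run_values, today):
    """Combine the three checks into one report for the operator."""
    return {
        "dropper_files": scan_system_dir(listing),
        "run_entries": scan_run_key(run_values),
        "payload_today": payload_trigger(today.month, today.day),
    }


if __name__ == "__main__":
    print(assess_host(SAMPLE_SYSTEM_DIR, SAMPLE_RUN_KEY, date(2002, 7, 6)))
```

On a real machine the listing would come from the system directory and the Run values from the machine Run key; the report shows which files and startup entries to remove, and a 'wipe' or 'corrupt' result for today's date means cleanup and backups cannot wait. Note that winkey.dll is not flagged: the pattern requires the .exe suffix, exactly as the description specifies.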
Detection/Prevention: IV Interceptor intercepts
Klez/Elkern when attempting to install itself, and removes
the bogus registry entry in real time, preventing the initialization
of the worm. Users of InVircible are protected against the
Klez worm.
Internet Explorer patch and security settings: Users
of Internet Explorer, all versions, are strongly advised
to install the MS cumulative security patch from the
Microsoft site. Users are also advised to tighten security
by setting Outlook's / Outlook Express' security to "restricted
zone" and to switch off the Outlook/OE preview pane
(View / Layout)! Without the patch and proper security settings,
the computer is not safe and will become infected merely by
viewing infected e-mail in the preview pane, without
even opening the bogus message!
Cleaning: Users of Outlook / Outlook Express may
experience repeated popups of Interceptor messages when
exposed to a Klez attack, indicating that IV tried to open
a file named Wink*.exe (* stands for random characters).
These messages are caused by Outlook trying to automatically
open Klez-infected e-mail, because of insecure settings.
To stop the popup flood, proceed as follows:
1. In Outlook Express, select Tools, then Options, and click
the Receive tab. Uncheck 'Automatically download message
when viewing in the Preview Pane' and press OK.
2. While still in OE, and with the inbox selected, open
View, then Layout, and uncheck the 'Show preview pane' checkbox.
3. The warning messages should now stop popping up
and you should be able to continue, uninterrupted.
InVircible automatically removes Klez when it attempts
to install itself, after prompting the user.
Already infected PCs can be disinfected with the aid of
Klez-dedicated cleaners; please contact our support team for information
on these: (03)9569 8848 or support@virusdefence.com.au.
As Klez-specific cleaning utilities may sometimes miss
instances of Elkern, the still-infected files can then be
found and deleted with the aid of an IV Audit & Integrity
scan.
The reinstallation of InVircible may be required after
having cleaned Klez/Elkern, in case Interceptor was disabled
by Klez and does not load on Windows restart.
©NetZ Computing Manufacturers of InVircible