Description
At present nine versions of the worm are known. Only four of them have been seen in the wild:
Win32.HLLM.Klez.61440 (Klez.B) : end of October 2001 - November 2001
Win32.HLLM.Klez.1 (Klez.E) : end of January 2002 - present
Win32.HLLM.Klez.2 (Klez.G) : February 2002 - April 2002
Win32.HLLM.Klez.4 (Klez.H) : April 17, 2002 - present
This description covers Win32.HLLM.Klez.1 through Win32.HLLM.Klez.5; differences between the variants, where any exist, are noted below.
Win32.HLLM.Klez.4 is a mass-mailing worm that infects computers running Windows.
It spreads by e-mail and across the local network, infecting computers that expose shared drives with write access.
Launching
To get its code running on the target system the worm exploits a well-known Internet Explorer vulnerability, the so-called Incorrect MIME Header flaw (Microsoft Security Bulletin MS01-020): an executable attachment declared under a "safe" MIME type is launched automatically as soon as the message is previewed in a mail client that uses IE's rendering engine, such as MS Outlook or MS Outlook Express on IE 5.01 and 5.5.
With the relevant patches installed, the computer can be infected only if the user opens (double-clicks) the attachment containing the worm.
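The trick described above is visible in the message itself: the attachment's declared Content-Type does not match what the attachment actually is. The following added example (written for this page, not code from the worm description or any vendor) shows a mail-gateway style check for that mismatch. Both messages are constructed for the example; the lure text is the subject and body quoted in the Spreading section, the "attachment" is only a PE-style "MZ" header, and the sets of executable extensions and executable MIME types are assumptions, not values taken from the description.

```python
import os
import email
from email import policy

# Extensions Windows runs directly, and MIME types under which an executable
# would legitimately be sent. Both sets are assumptions for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-msdos-program"}

# Constructed sample (not a captured worm message): an executable attachment
# declared as audio/x-wav, the kind of mismatch the Incorrect MIME Header flaw
# turned into automatic execution on preview. The payload is a PE-style
# "MZ" header followed by padding, nothing more.
SUSPICIOUS_MESSAGE = """\
From: someone@example.com
To: victim@example.com
Subject: A IE 6.0 patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body>Hello,This is a IE 6.0 patch I expect you would like it.</body></html>
--BOUND
Content-Type: audio/x-wav; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

# Constructed benign control: a PDF ("%PDF-1.4") sent as application/octet-stream.
BENIGN_MESSAGE = """\
From: colleague@example.com
To: victim@example.com
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Report attached.
--BOUND
Content-Type: application/octet-stream; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0xLjQK
--BOUND--
"""


def scan_attachments(raw_message):
    """Return one finding per attachment whose content is executable (by
    extension or by PE header) but whose declared Content-Type is not an
    executable type."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Filename from Content-Disposition, falling back to Content-Type name=
        filename = part.get_filename()
        if not filename:
            continue
        declared = part.get_content_type()
        ext = os.path.splitext(filename)[1].lower()
        payload = part.get_payload(decode=True) or b""
        is_pe = payload.startswith(b"MZ")  # DOS/PE executable header
        if (ext in EXECUTABLE_EXTENSIONS or is_pe) and declared not in EXECUTABLE_TYPES:
            findings.append({
                "filename": filename,
                "declared_type": declared,
                "executable_extension": ext in EXECUTABLE_EXTENSIONS,
                "pe_header": is_pe,
            })
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, scan_attachments(raw))
```

The check is independent of the IE patch level: a patched client will prompt before running the file, but the message is just as unwanted, and the From: header gives no help in deciding, since the worm fills it with a harvested address.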
Spreading
Once on a computer, the worm e-mails itself to every address found in the Windows Address Book and in local files.
Because it fills not only the [To:] field but also the [From:] field with addresses harvested from the infected computer, the recipient is easily misled about who actually sent the infected message: the address shown as the sender usually belongs to someone whose address merely happened to be stored on the infected machine.
The Subject field and the message body carry more or less meaningful wordings, for example (the worm's texts are reproduced as they appear, errors included):
Subject: A IE 6.0 patch
Message body:
Hello,This is a IE 6.0 patch I expect you would like it.
Subject: A special excite game
Message body:
This is a special excite game This game is my first work. You're the first player. I hope you would like it.
Subject: W32.Elkern removal tools
Message body:
W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP. Symantec give you the W32.Elkern removal tools For more information,please visit http://www.Symantec.com
To compose these messages the worm uses ready-made templates and several variants of text strings to fill them in; it may also use randomly chosen strings, and the body may be empty.
The mass mailing from the user's computer may also breach confidentiality: the worm may attach to the messages it sends a data file randomly chosen from the infected computer, so private documents can be leaked to the recipients.
Action
When run, Win32.HLLM.Klez.4 copies itself to the Windows system directory as an .exe file with a random name that begins with "wink". It then creates a value of the same name pointing at this copy under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm is executed at every boot.
Under Windows NT/2000 the worm uses a different start-up mechanism: it registers itself as a system service under
HKLM\System\CurrentControlSet\Services\
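Both persistence locations above can be triaged offline from a registry export. The added example below (written for this page, not the description's own tooling) parses a REGEDIT4-style text export and flags Run values and services whose image is a wink*.exe, as the description characterises the dropped copy. The export is constructed for the example; the value and service name "Wink7a3b" stands in for the worm's random name, and the Eventlog service is included as a benign control. Matching on the name alone is deliberately loose, so hits are leads to check, not proof of infection.

```python
import re
import ntpath

# The dropped copy as the description gives it: a name starting with "wink"
# and ending in ".exe". Name-only matching is a heuristic, not a signature.
WINK_PATTERN = re.compile(r"^wink.*\.exe$", re.IGNORECASE)

RUN_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\"

# Constructed REGEDIT4 export (not data from a real infected system). "Wink7a3b"
# is an invented placeholder for the worm's random name; Eventlog is a benign control.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Wink7a3b"="C:\\WINDOWS\\SYSTEM\\WINK7A3B.EXE"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink7a3b]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINNT\\System32\\Wink7a3b.exe"
"DisplayName"="Wink7a3b"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog]
"ImagePath"="%SystemRoot%\\system32\\services.exe"
"""

# "name"=data, where name may contain escaped quotes or backslashes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Remove .reg backslash escapes (\\\\ -> \\, \\" -> ") in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a REGEDIT4 text export into {key: {value_name: data}}.
    String data is unescaped; other types (dword:, hex:) are kept as raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _image_basename(path):
    """Basename of a Run command or ImagePath after stripping surrounding quotes."""
    return ntpath.basename(path.strip().strip('"'))


def find_klez_persistence(text):
    """Return (location, name, path) for Run values and services whose image
    matches the wink*.exe naming pattern."""
    keys = parse_reg_export(text)
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if WINK_PATTERN.match(_image_basename(data)):
            hits.append(("Run", name, data))
    for key, values in keys.items():
        if key.startswith(SERVICES_PREFIX) and "ImagePath" in values:
            service = key[len(SERVICES_PREFIX):]
            if WINK_PATTERN.match(_image_basename(values["ImagePath"])):
                hits.append(("Service", service, values["ImagePath"]))
    return hits


if __name__ == "__main__":
    for hit in find_klez_persistence(SAMPLE_REG_EXPORT):
        print(hit)
```

On a live system the same two locations can be exported with regedit or reg.exe and fed to the parser; any hit should be confirmed by checking the referenced file in the system directory rather than by the name alone.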
In addition, the worm creates copies of itself on local and network drives, infects RAR archives by overwriting them with randomly named copies of itself, and infects applications registered in the system using the companion-virus technique: it saves an encoded copy of the host program and then overwrites the original with its own code, so the worm runs whenever the application is started.
Win32.HLLM.Klez.4 also acts as a dropper for a file-infecting virus, Win32.Klez.xxxx.
Once on a system, the worm unpacks this virus and runs it; from then on the file virus spreads on its own.
Depending on the worm variant, one of the following Win32.Klez.xxxx file infectors is dropped:
Win32.Klez.3326
Win32.Klez.4219
Win32.Klez.4926
Win32.Klez is a memory-resident Windows virus that infects files with the extensions .EXE and .SCR on local and network drives. It has no evident manifestations.