 

Win32/Klez.J


Aliases: I-Worm/Klez.H, W32/Klez.H@mm

On April 17th, 2002 a new variant of the worm Klez, designated Win32/Klez.J, started to spread extensively. The worm exploits a security vulnerability in Microsoft Outlook and Outlook Express. The description of the bug can be found at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp. On computers that have not been patched, the worm may be activated merely by previewing the message.
The worm spreads by means of email messages. It generates the message subject randomly from pre-defined phrases and in some cases from the account names of harvested email addresses. The message body is generated from pre-defined strings.
After being activated the worm copies itself as the file wink*.exe into the subdirectory SYSTEM (Windows 9x) or SYSTEM32 (Windows NT/2000) of the Windows operating system directory, where "*" stands for random characters. To ensure it is activated again after a system restart, the worm creates an entry in the system registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
The worm actively fights the best-known resident anti-virus programs – it terminates their processes and deletes the files anti-vir.dat, chklist.dat, chklist.ms, chklist.cps, chklist.tav, ivb.ntz, smartchk.ms, smartchk.cps, avgqt.dat and aguard.dat. These files contain checksums of files on various media created by anti-virus programs; they serve for checking file integrity and in some cases for reconstruction if an alteration has occurred.
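The persistence location and the anti-virus checksum files named above are the two artifacts an incident responder can check for. The following is an added example written for this entry, not code from ESET or from the worm analysis; the Run-key values and directory listings are constructed sample data, and the Windows directory path is an assumption passed as a parameter.

```python
import re
from pathlib import PureWindowsPath

# Anti-virus integrity files the entry says Klez.J deletes (names taken from the text above).
AV_CHECKSUM_FILES = {
    "anti-vir.dat", "chklist.dat", "chklist.ms", "chklist.cps", "chklist.tav",
    "ivb.ntz", "smartchk.ms", "smartchk.cps", "avgqt.dat", "aguard.dat",
}

# Dropped copy is wink<random>.exe; the "*" in the text is any run of characters.
_KLEZ_DROP_NAME = re.compile(r"^wink.*\.exe$", re.IGNORECASE)


def _exe_path(cmd):
    """Extract the executable path from a Run-key command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_run_entries(run_values, windir=r"C:\WINDOWS"):
    """Return the names of Run-key values whose command launches wink*.exe from
    %WINDIR%\SYSTEM or %WINDIR%\SYSTEM32, the drop location described in the entry.
    run_values maps value name -> command string; windir is an assumed base path."""
    sysdirs = {str(PureWindowsPath(windir, d)).lower() for d in ("system", "system32")}
    hits = []
    for name, cmd in run_values.items():
        path = PureWindowsPath(_exe_path(cmd))
        if _KLEZ_DROP_NAME.match(path.name) and str(path.parent).lower() in sysdirs:
            hits.append(name)
    return hits


def deleted_checksum_files(listing_before, listing_after):
    """Compare two directory listings (file names) and report which of the
    anti-virus checksum files from the entry disappeared between them."""
    before = {f.lower() for f in listing_before}
    after = {f.lower() for f in listing_after}
    return sorted((before - after) & AV_CHECKSUM_FILES)


# Constructed sample data, not captured from a real system.
SAMPLE_RUN = {
    "SystemTray": r"C:\WINDOWS\SYSTEM\systray.exe",
    "Wink8f2c": r"C:\WINDOWS\SYSTEM32\wink8f2c.exe",
    "Updater": r'"C:\Program Files\Updater\update.exe" /quiet',
}

if __name__ == "__main__":
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE_RUN))
    print("deleted AV checksum files:",
          deleted_checksum_files(["CHKLIST.MS", "ivb.ntz", "readme.txt"], ["readme.txt"]))
```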
The worm is able to spread across local computer networks to all drives accessible from the infected computer.
To spread further the worm looks for addresses in the Windows address book, in the ICQ contacts and in other files that usually contain addresses of this type (e.g. files with the extensions htm, html, asp etc.). To send itself, the worm uses its own SMTP server; it attaches random documents found on the infected computer to its copy.
The worm installs the virus Win32/ElKern.C into the system.
The anti-virus system Nod32 detects this worm starting from version 1.246 of the virus database.


