PPRuNe Forums - View Single Post - W32/Klez-G Virus
Old 30th Apr 2002, 14:34
JB007

W32/Klez-G Virus

I got this from our IT dept. at work - don't understand most of what he's waffling about but the subject lines are worth noting - I've already had one of these bug*ers in my PPRuNe inbox using the first subject line - "A Nice Game"

W32/Klez-G is a slight modification of Worm/Klez-A and is an Internet worm capable of spreading through the local network under Windows 32-bit systems and infecting EXE Files. In order to be able to remain as a resident virus in the workspace, it infects the file KERNEL32.DLL.

Like other variations, the worm arrives through e-mail in the following format:

Subject Lines include (but not limited to):
- Fw: A nice game
- Re: A WinXP patch
- Re: Good removal tools
- Fw: A humour website
- how are you
- For more information, please visit

Body Text (examples):
- This is a nice game
This is my first work.
Your're the first player.
I would expect you would enjoy it

- Hello,This is a humour game
This game is my first work.
You're the first player.
I expect you would like it.

Attachment (examples):
- kitty.exe
- rock.exe
- play.scr

Worm/Klez.G utilizes its own SMTP engine for replication. In addition to collecting email addresses from an infected user's address book and those contacts listed within the instant messaging database, files that are likely to contain email addresses that have the following extensions will also be searched:
*.asp, *.bat, *.doc, *.exe, *.htm, *.html, *.jpeg, *.mp3, *.pdf, *.rtf,
*.txt, and *.xls

The virus creates an execution thread, which monitors all running applications, and if there are any applications belonging to a real-time anti-virus program, it closes them and removes the corresponding key from the registry.

The next thing the virus does is create files named wqk.exe and wink**.exe (where "**" are random characters) in the system directory; these contain the Win32.Elkern.A virus, which it kept compressed in its body.
This virus is a file infector that runs on Windows 98 or Windows Me.

It uses an exploit (a security hole) that allows the attachment to be executed when viewing the message with Microsoft Outlook Express or Outlook (without Service Packs installed). This method is similar to the one used by Nimda or Kak worms.

Microsoft has issued a patch which protects users against this
vulnerability. It can be downloaded from
http://www.microsoft.com/technet/sec...n/MS01-020.asp
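The traits the forwarded notice lists (the known subject lines, the sample attachment names, executable attachments, and the MIME-header trick that let unpatched Outlook Express run an attachment on preview) are the sort of thing a mail gateway can check before a message reaches an inbox. The following is an added example, not code from the original post or from JB007's IT department; the sample messages are constructed here, and the list of executable extensions beyond .exe and .scr is an assumption for the example.

```python
# Added example (not from the original post): a mail-filter check for the
# W32/Klez-G traits the forwarded notice lists. Sample messages are constructed.
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject lines and attachment names quoted in the notice.
KLEZ_SUBJECTS = {
    "fw: a nice game",
    "re: a winxp patch",
    "re: good removal tools",
    "fw: a humour website",
    "how are you",
    "for more information, please visit",
}
KLEZ_ATTACHMENTS = {"kitty.exe", "rock.exe", "play.scr"}
# Extensions Windows runs as a program when opened (assumption: list chosen for
# this example; the notice itself only shows .exe and .scr samples).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for one RFC 822 message, in order found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in KLEZ_SUBJECTS:
        findings.append(("known_subject", subject))

    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue  # body parts and containers carry no filename
        ctype = part.get_content_type()
        if name in KLEZ_ATTACHMENTS:
            findings.append(("known_attachment", name))
        if name.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(("executable_attachment", name))
            # An executable file name carried under a non-application media type
            # is the header mismatch that let unpatched Outlook / Outlook Express
            # open the attachment while previewing (the MS01-020 issue the notice cites).
            if not ctype.startswith("application/"):
                findings.append(("mime_mismatch", f"{name} declared as {ctype}"))
    return findings


def build_sample(subject: str, body: str,
                 attachment: Optional[tuple[str, str, bytes]]) -> bytes:
    """Construct a test message; the attachment tuple is (filename, content type, data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "pilot@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        filename, ctype, data = attachment
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: one mimicking the notice's description, one ordinary mail.
KLEZ_LIKE = build_sample(
    "Fw: A nice game",
    "This is a nice game\nThis is my first work.\n",
    ("play.scr", "audio/x-wav", b"MZ\x90\x00 not a real binary"),
)
BENIGN = build_sample("Roster swap next week", "Anyone free to swap Tuesday?\n", None)

if __name__ == "__main__":
    for label, raw in (("klez-like", KLEZ_LIKE), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

The subject and filename matches are only as good as the list, which is why the executable-extension and media-type mismatch checks are there too: they catch the delivery method rather than one variant's strings, and the mismatch check in particular flags exactly the kind of message the MS01-020 patch was issued for.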