ZDNet UK



Klez worm set to detonate

Robert Vamosi ZDNet US

Published: 06 Mar 2002 09:42 GMT


A new version of an old worm is set to trigger its destructive payload on March 6. Klez.E (w32.Klez.E@mm) is sometimes called the Twin Virus because the worm is used to spread an upgraded version of the ElKern virus (w32.elkern.b). The new version can now infect Windows 98, Me, 2000, and XP, attempting to corrupt files on these systems without changing their sizes. Klez.E is currently one of the fastest spreading worms on the Internet and now ranks 7 on the ZDNet Virus Meter.

How it works
Klez.E arrives by email or can be spread by sharing infected files on a network. If it arrives by email, the subject line is randomly chosen from the following list: How are you; Let's be friends; Darling; Don't drink too much; Your password; Honey; Some questions; Please try again; Welcome to my hometown; the Garden of Eden; introduction on ADSL; Meeting notice; Questionnaire; Congratulations; Sos!; japanese girl VS playboy; Look,my beautiful girl friend; Eager to see you; Spice girls' vocal concert; Japanese lass' sexy pictures.

The body text may be blank. The attached filename itself is random with either a PIF, SCR, EXE, or BAT extension.
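A mail-gateway triage check built from the indicators in this section: the listed subject lines and the PIF, SCR, EXE and BAT attachment extensions. This is an added example, not code from the article or from any antivirus vendor; the names `triage` and `sample`, the constructed messages and the block/deliver policy are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines listed in the article, lower-cased for comparison.
KLEZ_E_SUBJECTS = {s.lower() for s in (
    "How are you", "Let's be friends", "Darling", "Don't drink too much",
    "Your password", "Honey", "Some questions", "Please try again",
    "Welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "Meeting notice", "Questionnaire", "Congratulations", "Sos!",
    "japanese girl VS playboy", "Look,my beautiful girl friend",
    "Eager to see you", "Spice girls' vocal concert",
    "Japanese lass' sexy pictures")}
# Attachment extensions the article names for Klez.E.
RISKY_EXTENSIONS = (".pif", ".scr", ".exe", ".bat")

def triage(raw):
    """Return (action, reason) for one raw message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    # The filename is random, so only its extension is a usable signal.
    # Walk every MIME part; strip trailing dots/spaces before matching.
    risky = [p.get_filename() for p in msg.walk()
             if (p.get_filename() or "").rstrip(". ").lower()
             .endswith(RISKY_EXTENSIONS)]
    if risky and subject in KLEZ_E_SUBJECTS:
        return "block", "listed subject + executable attachment: " + ", ".join(risky)
    if risky:
        return "block", "executable attachment: " + ", ".join(risky)
    return "deliver", ""

def sample(subject, filename):
    """Build a constructed test message (not a captured Klez.E sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("\n")  # the article notes the body may be blank
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, name in (("meeting notice", "kq3x.PIF"),
                       ("Quarterly report", "photo.jpg.scr"),
                       ("Congratulations", "photo.jpg")):
        print(subj, "|", name, "->", triage(sample(subj, name)))
```

The extension check carries the decision because the subject is drawn from a list of ordinary phrases; a listed subject with a harmless attachment is delivered.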

Like several other recent worms, Klez.E also attempts to disable antivirus software installed on the infected computer. For more details regarding the original Klez worm, see this alert.

The big difference with Klez.E is that it drops an upgraded version of the ElKern virus onto infected machines. ElKern.B (w32.elkern.b) now runs under Windows 98, Me, 2000, and XP. Under Windows 98 and Me, ElKern.B adds a hidden file, wqk.exe, and registers it under the Registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK. Under Windows 2000 and XP, it adds wqk.dll to the Registry key HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs. These files are added so that ElKern.B runs any time Windows is run. ElKern.B can corrupt files without changing the files' sizes.

Prevention
Klez.E uses a well-known vulnerability in Outlook Express that is included in versions of Internet Explorer 5.01 and 5.5. Microsoft has previously released a patch for this. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6 using the full installation setting.

Removal
Most antivirus software companies have updated their signature files to include Klez.E. Updating these files will stop the infection upon contact and, in some cases, will remove an active infection from your system.

