Win32.Klez.E@mm (W32/Klez)
SYMPTOMS:
- Files wqk.exe and Winq???.exe in the system folder (usually C:\Windows\System)

TECHNICAL DESCRIPTION:
This new version of Klez arrives as an executable file with a random name attached to the infected mail. The mail carries the same mail-client exploit as its predecessors, so on an unpatched client the attachment can execute when the message is merely previewed, without the user opening it. The mail can take several formats; the subject and body are assembled from the following texts (reproduced as they appear in the worm, including its own misspellings such as "powful"):
- Hi
- Hello
- Re:
- Fw:
- Undeliverable mail--
- Returned mail--
- a %s %s game
- a %s %s tool
- a %s %s website
- a %s %s patch
- %s removal tools

where %s is one of the following words:
- new
- funny
- nice
- humour
- excite
- good
- powful
- WinXP
- IE 6.0
- W32.Elkern
- W32.Klez

Or one of these texts (the later entries are body fragments and holiday names that the worm combines with the texts above):
- how are you
- let's be friends
- darling
- don't drink too much
- your password
- honey
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- questionnaire
- congratulations
- sos!
- Japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls vocal concert
- Japanese lass' sexy pictures
- The following mail can't be sent to
- The attachment
- The file
- is the original mail
- give you the
- is a
- can infect on Win98/Me/2000/XP.
- spread through email.
- For more information,please visit
- This is
- I
- Christmas
- New year
- Saint Valentine's Day
- Allhallowmas
- April Fools' Day
- Lady Day
- Assumption
- Candlemas
- All Souls'Day

The worm attempts to remove from memory more viruses than the previous version did, including its own earlier versions. It also spreads through shares on the local network by dropping a file whose name is one of:
- setup
- install
- demo
- snoopy
- picacu
- kitty
- play
- rock

with an executable extension (bat, exe, scr), or a RAR archive with a random name that contains such a file.
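The subject templates, the %s word list, the share-dropper names and the symptom file names above are enough to build a simple triage filter. The following is an added example written for this page, not BitDefender's AntiKlez tool or any code from the worm: it expands the templates the way the description states them and checks constructed mail subjects and file names against the result. Two assumptions are mine: each %s slot is filled independently from the same word list (the page does not say whether the two slots draw from different sub-lists, so the expansion is a superset), and the generic subjects "Hi" and "Hello" are deliberately left out because they are too common to key a filter on.

```python
"""Triage matcher for the Klez.E subject and file-name patterns listed above.

Added example, not BitDefender's tool.  Word lists are copied from the
description; the independent-slot expansion is an assumption (see lead-in).
"""
import fnmatch
import itertools
import re

# Subject templates with one or two %s slots, as listed on the page.
TEMPLATES = ["a %s %s game", "a %s %s tool", "a %s %s website",
             "a %s %s patch", "%s removal tools"]

# Fillers for %s, including the worm's own misspelling "powful".
FILLERS = ["new", "funny", "nice", "humour", "excite", "good", "powful",
           "WinXP", "IE 6.0", "W32.Elkern", "W32.Klez"]

# Fixed subjects from the page ("Hi"/"Hello" omitted: too common to filter on).
FIXED_SUBJECTS = [
    "how are you", "let's be friends", "darling", "don't drink too much",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "Japanese girl VS playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls vocal concert",
    "Japanese lass' sexy pictures",
]

# Names and extensions of the file dropped on network shares.
SHARE_BASENAMES = {"setup", "install", "demo", "snoopy", "picacu",
                   "kitty", "play", "rock"}
SHARE_EXTENSIONS = {"bat", "exe", "scr"}

# Symptom files in the system folder; '?' matches exactly one character.
SYSTEM_FOLDER_GLOBS = ["wqk.exe", "winq???.exe"]

# "Re:" / "Fw:" markers the worm prepends, stripped before matching.
_PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw)\s*:\s*)+", re.IGNORECASE)


def expand_templates(templates=TEMPLATES, fillers=FILLERS):
    """Every subject a template yields when each %s is filled from `fillers`.

    Assumption: the slots are independent, so two-slot templates give
    len(fillers)**2 strings each.
    """
    out = set()
    for template in templates:
        slots = template.count("%s")
        for combo in itertools.product(fillers, repeat=slots):
            out.add(template % combo)
    return out


KLEZ_SUBJECTS = {s.lower() for s in expand_templates() | set(FIXED_SUBJECTS)}


def normalize_subject(subject):
    """Drop Re:/Fw: prefixes, collapse whitespace, lower-case."""
    stripped = _PREFIX_RE.sub("", subject)
    return " ".join(stripped.split()).lower()


def is_klez_subject(subject):
    return normalize_subject(subject) in KLEZ_SUBJECTS


def is_klez_share_dropper(filename):
    """True for <share name>.<bat|exe|scr>, case-insensitively."""
    base, _, ext = filename.lower().rpartition(".")
    return base in SHARE_BASENAMES and ext in SHARE_EXTENSIONS


def is_klez_system_file(filename):
    """True for the symptom files named in the description."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, g) for g in SYSTEM_FOLDER_GLOBS)


def triage(subjects, filenames):
    """Return (flagged subjects, flagged file names) from the given samples."""
    hits_subj = [s for s in subjects if is_klez_subject(s)]
    hits_file = [f for f in filenames
                 if is_klez_share_dropper(f) or is_klez_system_file(f)]
    return hits_subj, hits_file


if __name__ == "__main__":
    # Constructed sample input, not captured traffic.
    sample_subjects = ["Re: a new powful game", "Quarterly report",
                       "FW: W32.Klez removal tools", "a new game"]
    sample_files = ["SETUP.SCR", "setup.txt", "WinQabc.exe", "wqk.exe"]
    print(triage(sample_subjects, sample_files))
```

The matcher is a triage aid, not a signature: the RAR-archived dropper and the random-named mail attachment are not covered by name alone, and the subject expansion deliberately over-approximates, so a hit should route a message to the removal procedure below rather than be treated as proof on its own.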
It also carries the file infector Win32.Elkern.B, a new version of Win32.Elkern.A, which is dropped and executed as %system%\wqk.exe.

The virus contains the text:

Win32 Klez V2.0 & Win32 Elkern V1.1,(There nick name is Twin Virus*^__^*)
Copyright,made in Asia,announcement:
1.I will try my best to protect the user from some vicious virus,Funlove,Sircam,Nimda,CodeRed and even include W32.Klez 1.X.
2.Well paid jobs are wanted
3.Poor life should be unblessed
4.Don't accuse me.Please accuse the unfair s**t world

Removal instructions:
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. Important: close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender AntiKlez tool does the following:

You may also need to restore the affected files.

ANALYZED BY: Costin Ionescu, BitDefender Virus Researcher