My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Klez.A@mm

LOW
MEDIUM
57345 bytes
(N/A)

Symptoms

-the presence of the wqk.exe file in the System folder

Removal instructions:

The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

Important: You will have to close all applications before running the
tool (including the antivirus shields) and to restart the computer afterwards.
Additionally you'll have to manually delete the infected files located in archives
and the infected messages from your mail client.


The BitDefender AntiKlez tool does the following:
  • it detects all the known Klez versions (A, B, C, D, E, G, H);

  • it deletes the files infected with Win32.Klez;

  • it disinfects the files detected as Elkern (A, B, C);

  • it kills the process from memory;

  • it repairs the Windows registry.


  • You may also need to restore the affected files.

    Analyzed By

    Costin Ionescu BitDefender Virus Researcher

    Technical Description:

    This virus is an Internet worm capable of spreading through the local network also. The infected mails include the virus as attachment with a random name (but with an .exe extension). The email has the follwoing format:

    Subject:
    Hello
    How are you?
    Can you help me?
    We want peace
    Where will you go?
    Congratulations!!!
    Don\'t cry
    Look at the pretty
    Some advice on your shortcoming
    Free XXX Pictures
    A free hot porn site
    Why don't you reply to me?
    How about have dinner with me together?
    Never kiss a stranger


    Body:

    I'm sorry to do so, but it's helpless to say sorry.
    I want a good job, I must support my parents.
    Now you have seen my technical capabilities.
    How much my year-salary now? NO more than $5,500.
    What do you think of this fact?
    Don't call my names, I have no hostility.
    Can you help me?


    It uses an exploit (a security hole) which allows the attachment to be executed when viewing the message with Outlook Express or Outlook (without ServicePacks installed). This method is similar to the one used by Nimda or Kak worms. You can find description and patch for the IFRAME exploit at this link:
    http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
    The e-mail message does not look as if coming from an infected person, but from different addresses among which are the following:


    king@21cn.com
    flag@21cn.com
    super@21cn.com
    zhangcheng77@online.sh.cn
    broused@online.sh.cn
    lbhuangsy@21cn.com
    kqlbaby@21cn.com
    jiemin@citiz.net
    feiyiming@citiz.net
    lllwww@online.sh.cn
    tomyjiang18@21cn.com
    luxianchu@21cn.com
    kqlbaby@21cn.com
    lin_yuezhi@citiz.net
    zhangcheng77@online.sh.cn
    zbzwy@21cn.com
    sarge2010@21cn.com


    Once executed, the virus decrypts all series containing text (to avoid them to be seen by somebody who is trying to study what the virus includes) and is tries to hide from the application list.

    The virus creates an execution thread, which monitors all running applications, and if there are any applications belonging to an antivirus program, it closes them.

    The next thing the virus does is creating a file named wqk.exe in the system directory, which includes the Win32.Elkern.A virus, which it kept compressed in its body. This virus is a file infector that runs on Windows 98 or Windows Me.

    After creating the wqk.exe file, the worm executes it and copies itself in the whole Windows system directory under the name krn132.exe and creates a key in the registry:
    HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows\CurrentVersion\Run\Krn132
    using as value the path to this file, allowing it to be reactivated every time Windows is started.

    The virus launches other execution threads:one for infection through Internet, one for network infection and other 26 to scan through each drive searching for files with one of the following extensions: txt, htm, doc, jpg, bmp, xls, cpp, html, mpg, mpeg.

    The thread dedicated to Internet infection searches for all contacts in Outlook Address Book and generates a maximum of 10 e-mail addresses with a random name but ending in @yahoo.com, @hotmail.com or @sina.com.

    In order to send messages to these addresses it also generates a SMTP server list using the domain name from the e-mail addresses and adding the .smtp prefix. For example, if the e-mail address list includes an address like contact@domain.com

    The virus will include in the SMTP server list: stmp.domain.com.

    The thread for network infection reactivates every 8 hours and scans the network, leaving in certain shared directories copies of the virus, but bearing an apparently random name and a double extension. This name is actually the name of the last file that the execution threads scanning the local disks went over, adding to it the extension .exe.

    If the system's set date is an uneven month (January, March, etc) and the day is 13th, the virus starts its payload routine scanning local disks (or drives mapped from the network) and fills the files it finds with random data, permanently destroying them.