The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus. Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender AntiElkern.exe
tool does the following:
it detects all the known Elkern versions;
it disinfects the files detected as Win32.Elkern.A (A,B,C,D,E,G,H);
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
For preventing this virus to use the IFRAME
exploit apply the patch
for Internet Explorer 5.0 and 5.5.
To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.
Costin Ionescu BitDefender Virus Researcher
This virus is a file infector that spreads with the help of Win32.Klez.A@mm, being included in this worm. It runs on 98 and ME Windows platforms.
When executed, the virus copies the host in the Windows system directory under the name wqk (extension .exe or .dll) and writes the following key in the registry:
using as value the path to the copied file, allowing it to be reactivated every time Windows is started. The virus remains active, hiding from the application list, and searching for files to infect.
File infection is accomplished searching for cavities in the host file to avoid increasing file size, and if this cannot be done then the last section of the executable will be extended to include the virus body. At the same time, the virus is capable of infecting the local network.
The spreading potential of the virus is increased because the virus is also transmitted by the Win32.Klez.A@mm worm, which is a mass-mailer and network infector.
In order to make detection more difficult, the virus uses some of its body layers in encrypted form, and the names of the system functions it uses are not included in it, integrating only a checksum associated to each name. In order to use these functions it calculates a checksum for each name of the system function, and when the virus finds this checksum in its list, it takes out the function's address to use it.