W32/Klez.gen@MM

Type
Virus
SubType
Worm
Discovery Date
10/26/2001
Length
57,345
Minimum DAT
4168 (10/31/2001)
Updated DAT
5292 (05/09/2008)
Minimum Engine
5.1.00
Description Added
10/26/2001
Description Modified
02/18/2003 1:51 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Later versions of this virus (see the description for W32/Klez.e@MM) are able to spoof the email From field. Below is a general description of the Klez worm family.

This worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (versions 5.01 and 5.5 without SP2).

It arrives in an email message containing the following information:

From: king@21cn.com
or From: flag@21cn.com
or From: super@21cn.com
or From: zhangcheng77@online.sh.cn
or From: broused@online.sh.cn
or From: lbhuangsy@21cn.com
or From: kqlbaby@21cn.com
or From: jiemin@citiz.net
or From: feiyiming@citiz.net
or From: lllwww@online.sh.cn
or From: tomyjiang18@21cn.com
or From: luxianchu@21cn.com
or From: kqlbaby@21cn.comlin
or From: yuezhi@citiz.net
or From: zhangcheng77@online.sh.cn
or From: zbzwy@21cn.com
or From: sarge2010@21cn.com

Subject: Hello
or Subject: How are you?
or Subject: Can you help me?
or Subject: We want peace
or Subject: Where will you go?
or Subject: Congratulations
or Subject: Don't cry
or Subject: Look at the pretty
or Subject: Some advice on your shortcoming
or Subject: Free XXX Pictures
or Subject: A free hot porn site
or Subject: Why don't you reply to me?
or Subject: How about have dinner with me together?
or Subject: Never kiss a stranger

Body: (The text is hidden from HTML-capable mail clients because it is placed inside HTML comment tags)
I'm sorry to do so,but it's helpless to say sorry. I want a good job,I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names,I have no hostility. Can you help me?

Attachment: Varies
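As a defender-side illustration of the lure described above, here is an added example (not McAfee's code) that checks a raw message for those indicators: the listed From addresses, the listed subjects, and the body text hidden inside an HTML comment. The two sample messages are constructed; the executable-attachment check is general mail-filtering practice rather than something the description states.

```python
"""Gateway-side indicator check for the Klez.gen lure (added example, not McAfee's code).

Sender addresses, subjects and the body fragment are taken from the description;
the sample messages are constructed. The executable-extension check is general
practice and not part of the description.
"""
import email
import email.utils
import re
from email import policy

KLEZ_SENDERS = {
    "king@21cn.com", "flag@21cn.com", "super@21cn.com",
    "zhangcheng77@online.sh.cn", "broused@online.sh.cn", "lbhuangsy@21cn.com",
    "kqlbaby@21cn.com", "jiemin@citiz.net", "feiyiming@citiz.net",
    "lllwww@online.sh.cn", "tomyjiang18@21cn.com", "luxianchu@21cn.com",
    "yuezhi@citiz.net", "zbzwy@21cn.com", "sarge2010@21cn.com",
}
KLEZ_SUBJECTS = {
    "hello", "how are you?", "can you help me?", "we want peace",
    "where will you go?", "congratulations", "don't cry", "look at the pretty",
    "some advice on your shortcoming", "free xxx pictures",
    "a free hot porn site", "why don't you reply to me?",
    "how about have dinner with me together?", "never kiss a stranger",
}
# Distinctive phrase from the body text the worm hides inside an HTML comment.
BODY_FRAGMENT = "it's helpless to say sorry"
EXEC_EXTS = (".exe", ".pif", ".scr", ".bat", ".com")

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)


def hidden_comment_text(html: str) -> str:
    """Text a reader never sees: everything inside HTML comments."""
    return " ".join(m.group(1).strip() for m in HTML_COMMENT.finditer(html))


def klez_indicators(raw: bytes) -> list[str]:
    """Return the sorted list of Klez indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()

    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in KLEZ_SENDERS:
        hits.add("sender")

    if str(msg.get("Subject", "")).strip().lower() in KLEZ_SUBJECTS:
        hits.add("subject")

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            if BODY_FRAGMENT in hidden_comment_text(part.get_content()).lower():
                hits.add("hidden_body")
        filename = (part.get_filename() or "").lower()
        if filename.endswith(EXEC_EXTS):
            hits.add("exe_attachment")
    return sorted(hits)


def is_klez_lure(raw: bytes) -> bool:
    """The hidden body text alone is decisive; otherwise require sender and
    subject together, since subjects such as "Hello" are common in normal mail."""
    hits = set(klez_indicators(raw))
    return "hidden_body" in hits or {"sender", "subject"} <= hits


# Constructed sample: one message shaped like the lure, one ordinary message.
SAMPLE_LURE = b"""From: king@21cn.com
To: someone@example.com
Subject: Can you help me?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><!-- I'm sorry to do so,but it's helpless to say sorry. --></body></html>
--b1
Content-Type: application/octet-stream; name="sample.exe"
Content-Disposition: attachment; filename="sample.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

SAMPLE_BENIGN = b"""From: alice@example.com
To: bob@example.com
Subject: Hello
Content-Type: text/plain

Lunch on Friday?
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, klez_indicators(raw), is_klez_lure(raw))
```

A subject such as "Hello" on its own is not evidence, which is why is_klez_lure() insists on sender and subject together unless the hidden body text is present.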

When run, the worm creates a copy of itself in the Windows system folder called KRN132.EXE and creates a registry run key to load itself at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Krn132=C:\WINDOWS\SYSTEM\krn132.exe

The worm carries a virus called W95/Elkern.cav, which it drops into the Windows system folder as WQK.EXE, and creates the following registry run key for it:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WQK=C:\WINDOWS\SYSTEM\WQK.EXE

See the separate description of W95/Elkern.cav.

The worm contains code that enumerates network resources looking for open shares to infect; this enumeration is repeated every 8 hours. The worm also contains code to scan mapped drives, but due to a bug it only ever examines drive A:, and that check fails because drive A: is not normally a fixed or remote drive.
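To check a host for the two persistence entries above, here is an added example (not McAfee's code) that parses a .reg export of autorun keys and flags values either by name or by the name of the dropped file. The value names and file names are those given in the description; the .reg text is constructed, and the WINNT path in it is there only to show that matching on the file name does not depend on the system folder being C:\WINDOWS\SYSTEM.

```python
r"""Flag the Klez.gen / Elkern run-key entries in a .reg export (added example, not McAfee's code).

Value names and dropped file names come from the description; the .reg text is
constructed. On a live host the key would be exported with reg.exe and the file
handed to parse_reg().
"""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
KLEZ_VALUE_NAMES = {"krn132", "wqk"}          # Run value names from the description
KLEZ_IMAGE_NAMES = {"krn132.exe", "wqk.exe"}  # files dropped into the system folder

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(reg_text: str) -> dict[str, dict[str, str]]:
    """Parse REG_SZ values from a .reg export into {key: {value name: data}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current and (m := STRING_VALUE.match(line)):
            # .reg string data escapes backslashes and double quotes with a backslash
            keys[current][m.group(1)] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return keys


def image_path(data: str) -> str:
    """The program a Run value launches: a quoted path, or the text before the first space."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def find_klez_persistence(keys: dict[str, dict[str, str]]) -> list[tuple[str, str, str, str]]:
    """Return (key, value name, data, reason) for every entry matching an indicator."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            base = PureWindowsPath(image_path(data)).name.lower()
            if name.lower() in KLEZ_VALUE_NAMES:
                reason = "value name matches Klez/Elkern run key"
            elif base in KLEZ_IMAGE_NAMES:
                reason = "image name matches a dropped Klez/Elkern file"
            else:
                continue
            findings.append((key, name, data, reason))
    return findings


# Constructed export: one clean entry, the two entries from the description, and
# the same dropped file registered under a different name in another autorun key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Krn132"="C:\\WINDOWS\\SYSTEM\\krn132.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\WQK.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="\"C:\\WINNT\\system32\\krn132.exe\" /s"
"""

if __name__ == "__main__":
    for key, name, data, reason in find_klez_persistence(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name} = {data}  <- {reason}")
```

Matching on the file name as well as the value name is what catches the RunOnce entry in the sample, which a check limited to the two value names from the description would miss.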

Symptoms

Presence of a file called KRN132.EXE in the WINDOWS SYSTEM folder

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • W32/Klez.d@MM

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Klaz (F-Secure)
  • TROJ_KLEZ.C (Trend)
  • W32.Klez.D@mm (NAV)
  • W32/Klez (Panda)
  • W32/Klez.a@MM
  • W32/Klez.b@MM
  • W32/Klez.dam
  • W32/Klez.eml
  • W32/Klez.rar
  • W32/Klez@MM
  • Win32.Klez.D@mm (AVX)
