W32/Elkern.cav

Type
Virus
SubType
File Infector
Discovery Date
10/25/2001
Length
0
Minimum DAT
4168 (10/31/2001)
Updated DAT
4168 (10/31/2001)
Minimum Engine
5.1.00
Description Added
10/26/2001
Description Modified
10/17/2002 5:29 AM (PT)
Risk Assessment
Corporate User
Medium
Home User
Medium

Characteristics

--- Update July 12, 2002 ---
A new variant appeared, W32/Elkern.cav.d, which replicates only under Windows 2000. Like the other variants it uses the "split cavity" infection method and the "WQ" marker to recognise already infected files. Note that this variant is not related to any new W32/Klez variant. This variant has been detected generically since October 2001.

--- Update June 11, 2002 ---
All W95/Elkern variants were renamed to W32/Elkern.

--- Update April 20, 2002 ---
A new variant was recently discovered (W32/Elkern.cav.c) which is dropped by a new W32/Klez variant, W32/Klez.h. W32/Elkern.cav.c detection and removal will be included in the 4198 DATs. Current DATs often detect these samples as W32/NGVCK.a or New Win32 with program heuristics.

--- Update January 24, 2002 ---
A new variant was recently discovered (W32/Elkern.cav.b) which is dropped by a new W32/Klez variant (some call it W32.Klez.E@mm). These new variants of W32/Klez and W32/Elkern both require at least the 4182 DATs for detection and removal.

The W32/Klez@MM worm carries the W32/Elkern.cav virus inside it and drops it when activated.

  • When a virus-infected file is run on a Win98/ME system, it copies the infected file itself to the \WINDOWS\SYSTEM folder under the name WQK.EXE and marks it as a hidden file, so the size and contents of WQK.EXE vary from system to system. The virus also prevents WQK.EXE from displaying any icon by wiping the pointer to its resources (where the icons are stored).
    The virus then adds an entry under a Registry run key so that WQK.EXE is executed on every reboot.

    After a reboot the virus infects randomly chosen EXE files, either by expanding the last section of the host file or by writing itself into cavities (unused space) within the host, which leaves the host file's size unchanged.

  • When a virus-infected file is run on a WinNT/2000/XP system, it copies itself to the file WQK.DLL in the SYSTEM32 directory and creates a registry key value to load the virus:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Windows\AppInit_DLLs=Wqk.dll
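The cavity infection mode described above fills unused space inside the host without changing its size. As an added example (not McAfee's detection logic), the following Python heuristic parses a PE section table and flags any section whose slack bytes past VirtualSize are not all zero, which is where a cavity infector can hide; `build_pe` is a constructed sample image, not a real program, and the check does not cover the last-section-expansion mode.

```python
import struct

def parse_sections(pe: bytes):
    """Return (name, VirtualSize, PointerToRawData, SizeOfRawData) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header follows the signature
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, rptr, rsize))
    return sections

def cavity_suspects(pe: bytes):
    """Names of sections whose slack (raw bytes past VirtualSize) holds non-zero data.
    Linkers pad that region with zeros; a cavity infector can hide code there without
    changing the file size, so non-zero slack is a triage signal, not proof of infection."""
    hits = []
    for name, vsize, rptr, rsize in parse_sections(pe):
        slack = pe[rptr + vsize:rptr + rsize] if rsize > vsize else b""
        if any(slack):
            hits.append(name)
    return hits

def build_pe(slack: bytes) -> bytes:
    """Constructed minimal PE32 image (not a real program): one .text section with 0x10
    bytes of code, SizeOfRawData 0x200, and the given bytes written into its slack."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section
    opt = b"\0" * 0xE0                                             # PE32 optional header
    vsize = 0x10
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", vsize, 0x1000, 0x200, 0x200,
                                        0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    body = b"\xC3" * vsize + slack.ljust(0x200 - vsize, b"\0")
    return headers + body

if __name__ == "__main__":
    print("clean:", cavity_suspects(build_pe(b"")))            # []
    print("slack:", cavity_suspects(build_pe(b"\x90" * 24)))   # ['.text']
```

Run `cavity_suspects` over the bytes of a real on-disk EXE to triage it; a clean build normally yields an empty list.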

This virus is network-aware and can spread through a local network. It also contains a payload to overwrite files with zeros while maintaining the original file size. This can result in critical files being overwritten and thus an inability to load the operating system after infection occurs.

The virus can and does infect its own carrier, the W32/Klez@MM worm. That is why files specific to both W32/Klez@MM and W32/Elkern.cav are likely to coexist on the same computer. If you suspect W32/Elkern.cav on your computer, you are strongly advised to read the description of W32/Klez@MM.

Symptoms

- Presence of WQK.EXE or WQK.DLL in C:\WINDOWS or C:\WINDOWS\SYSTEM with the "hidden" attribute set.
- Changes to 32 bit PE (.EXE) files
- Inability to boot to Windows

Method of Infection

The W32/Elkern virus may be dropped by the W32/Klez@MM worm. The W32/Elkern virus infects 32 bit PE file type .EXE files on the local machine and on network drives.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • W32/Elkern.cav.b
  • W32/Elkern.cav.c
  • W32/Elkern.cav.d

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Elkern (F-Secure)
  • W32.ElKern.3326 (NAV)
  • W32/Elkern.cav.c
  • W32/UseMem (H+BEDV)
  • W95/Elkern
  • Win32/Forous (InoculateIT)
  • WinNT.Usem (Kaspersky)
  • WinNT/Usem.A (GeCAD)
  • WNT.Elkern.2372 (NAV)
