McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32/Klez.G@mm (Norman)

• W32/Klez.gen.b@MM

• W32/Klez.gen@MM

• W32/Klez.I (Panda)

• W32/Klez.K-mm

• WORM_KLEZ.G (Trend)

Characteristics

W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

• W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
• the worm has the ability to spoof the From: field (often set to an address found on the victim's machine).
• the worm attempts to unload several processes (antivirus programs) from memory including those containing the following strings:
  • _AVP32
  • _AVPCC
  • NOD32
  • NPSSVC
  • NRESQ32
  • NSCHED32
  • NSCHEDNT
  • NSPLUGIN
  • NAV
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVRUNR
  • NAVW32
  • _AVPM
  • ALERTSVC
  • AMON
  • AVP32
  • AVPCC
  • AVPM
  • N32SCANW
  • NAVWNT
  • ANTIVIR
  • AVPUPD
  • AVGCTRL
  • AVWIN95
  • SCAN32
  • VSHWIN32
  • F-STOPW
  • F-PROT95
  • ACKWIN32
  • VETTRAY
  • VET95
  • SWEEP95
  • PCCWIN98
  • IOMON98
  • AVPTC
  • AVE32
  • AVCONSOL
  • FP-WIN
  • DVP95
  • F-AGNT95
  • CLAW95
  • NVC95
  • SCAN
  • VIRUS
  • LOCKDOWN2000
  • Norton
  • Mcafee
  • Antivir

The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
  350.bak.scr
  bootlog.jpg
  user.xls.exe

The worm may also copy itself into RAR archives, for example:
  HREF.mpeg.rar
  HREF.txt.rar
  lmbtt.pas.rar

The worm mails itself to email addresses in the Windows Address Book, and to addresses extracted from files on the victim's machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

Subject: A very funny website
or Subject: Undeliverable mail--
or Subject: Returned mail--
or Subject: A WinXP patch
or Subject: A IE 6.0 patch
or Subject: W32.Elkern removal tools
or Subject: W32.Klez.E removal tools

The file attachment name is again generated randomly, and ends with an .exe, .scr, .pif, or .bat extension, for example:
  ALIGN.pif
  User.bat
  line.bat

Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in an infection of the victim's machine.

W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.

Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:

• .txt
• .htm
• .html
• .wab
• .asp
• .doc
• .rtf
• .xls
• .jpg
• .cpp
• .c
• .pas
• .mpg
• .mpeg
• .bak
• .mp3
• .pdf

This payload can result in confidental information being sent to others.

Symptoms

• Randomly/oddly named files on network shares, as described above.
• Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run

Method of Infection

This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, exploits a Microsoft vulnerability, spreads via network shares, infects executables on the local system, and drops an additional file infecting virus, W32/Elkern.cav.c.

Removal

Use current engine and DAT files for detection.

Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

Alternatively, the following steps will circumvent virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.

1. Ensure that you are using the minimum DAT specified or higher.
2. Close all running applications
3. Disconnect the system from the network
4. Go to a command prompt, then change to the VirusScan engine directory:
   • Win9x/ME - Click START | RUN, type command and hit ENTER.
     Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
   WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
   Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
5. Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
6. First, scan the system directory
   • Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
   WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
7. Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
8. Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
9. After scanning and removal is complete, reboot the system

Apply Internet Explorer patch if necessary.

Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32/Klez.G@mm (Norman)

• W32/Klez.gen.b@MM

• W32/Klez.gen@MM

• W32/Klez.I (Panda)

• W32/Klez.K-mm

• WORM_KLEZ.G (Trend)

Characteristics

Characteristics -

W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

• W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
• the worm has the ability to spoof the From: field (often set to an address found on the victim's machine).
• the worm attempts to unload several processes (antivirus programs) from memory including those containing the following strings:
  • _AVP32
  • _AVPCC
  • NOD32
  • NPSSVC
  • NRESQ32
  • NSCHED32
  • NSCHEDNT
  • NSPLUGIN
  • NAV
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVRUNR
  • NAVW32
  • _AVPM
  • ALERTSVC
  • AMON
  • AVP32
  • AVPCC
  • AVPM
  • N32SCANW
  • NAVWNT
  • ANTIVIR
  • AVPUPD
  • AVGCTRL
  • AVWIN95
  • SCAN32
  • VSHWIN32
  • F-STOPW
  • F-PROT95
  • ACKWIN32
  • VETTRAY
  • VET95
  • SWEEP95
  • PCCWIN98
  • IOMON98
  • AVPTC
  • AVE32
  • AVCONSOL
  • FP-WIN
  • DVP95
  • F-AGNT95
  • CLAW95
  • NVC95
  • SCAN
  • VIRUS
  • LOCKDOWN2000
  • Norton
  • Mcafee
  • Antivir

The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
  350.bak.scr
  bootlog.jpg
  user.xls.exe

The worm may also copy itself into RAR archives, for example:
  HREF.mpeg.rar
  HREF.txt.rar
  lmbtt.pas.rar

The worm mails itself to email addresses in the Windows Address Book, and to addresses extracted from files on the victim's machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

Subject: A very funny website
or Subject: Undeliverable mail--
or Subject: Returned mail--
or Subject: A WinXP patch
or Subject: A IE 6.0 patch
or Subject: W32.Elkern removal tools
or Subject: W32.Klez.E removal tools

The file attachment name is again generated randomly, and ends with an .exe, .scr, .pif, or .bat extension, for example:
  ALIGN.pif
  User.bat
  line.bat

Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in an infection of the victim's machine.

W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.

Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:

• .txt
• .htm
• .html
• .wab
• .asp
• .doc
• .rtf
• .xls
• .jpg
• .cpp
• .c
• .pas
• .mpg
• .mpeg
• .bak
• .mp3
• .pdf

This payload can result in confidental information being sent to others.

Symptoms

Symptoms -

• Randomly/oddly named files on network shares, as described above.
• Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run

Method of Infection

Method of Infection -

This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, exploits a Microsoft vulnerability, spreads via network shares, infects executables on the local system, and drops an additional file infecting virus, W32/Elkern.cav.c.

Removal -

Removal -

Use current engine and DAT files for detection.

Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

Alternatively, the following steps will circumvent virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.

1. Ensure that you are using the minimum DAT specified or higher.
2. Close all running applications
3. Disconnect the system from the network
4. Go to a command prompt, then change to the VirusScan engine directory:
   • Win9x/ME - Click START | RUN, type command and hit ENTER.
     Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
   WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
   Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
5. Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
6. First, scan the system directory
   • Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
   WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
7. Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
8. Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
9. After scanning and removal is complete, reboot the system

Apply Internet Explorer patch if necessary.

Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A