W32/Klez.B@mm

Analysis

  • Virus is a 32-bit executable, 61,440 bytes in size, and is a minor variant of
    W32/Klez.A-mm
  • Virus attempts to disable and terminate security software that may be running on the host. It enumerates running processes, looks for the following names, and terminates any process whose name matches:

    _AVP32
    _AVPCC
    _AVPM
    ALERTSVC
    AMON
    AVP32
    AVPCC
    AVPM
    N32SCANW
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    NAVWNT
    NOD32
    NPSSVC
    NRESQ32
    NSCHED32
    NSCHEDNT
    NSPLUGIN
    SCAN
    SMSS

  • Virus contains and drops a copy of W32/Elkern onto the host as the file "Wqk.exe" (11,776 bytes) and modifies the registry so that this file is loaded at Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    WQK=C:\WINDOWS\SYSTEM\Wqk.exe

  • Virus copies itself as "KRN132.EXE" (61,440 bytes) into the Windows\System folder (WinNT\System32 on Windows NT) and modifies the registry so that this file is loaded at Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    Krn132=C:\WINDOWS\SYSTEM\krn132.exe

  • Virus attempts to connect to at least one external SMTP server, hard-coded in the virus and physically located in the Republic of China, in order to send itself by email
  • Email addresses are harvested from various files on the system, including .DBX mailbox files.
  • The message is structured so that an I-Frame exploit causes the attachment to launch automatically when the message is opened or previewed in Outlook:
    • The email message carries an additional attachment, typically a file with an .HTM extension, which is clean and non-infectious.
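The two Run-key entries and the two dropped files listed above are the indicators a responder would check first. The following is an added example, not Fortinet's code or part of this page: it parses a .reg export of the Run key plus a (path, size) listing of the System folder and reports entries that match the value names, file names and sizes stated in the analysis. The export and file listing are constructed sample data; matching is on file name and exact size only, so the path prefix may differ from C:\WINDOWS\SYSTEM (for example WinNT\System32).

```python
"""Check an exported Run key and a file listing for the W32/Klez.B@mm
persistence indicators given in the analysis above.

Added example; it is not Fortinet's code. Sample inputs are constructed."""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Run value name -> file it points to (from the analysis); compared case-insensitively
KLEZ_B_RUN_VALUES = {
    "wqk": "wqk.exe",        # dropped W32/Elkern component
    "krn132": "krn132.exe",  # copy of the Klez.B body
}

# Dropped file name -> size in bytes (from the analysis)
KLEZ_B_FILE_SIZES = {
    "krn132.exe": 61440,
    "wqk.exe": 11776,
}

# Constructed .reg export of the Run key: one clean entry and both Klez.B entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"
"Krn132"="C:\\WINDOWS\\SYSTEM\\krn132.exe"
'''

# Constructed (path, size) listing of the System folder.
SAMPLE_FILES = [
    (r"C:\WINDOWS\SYSTEM\Kernel32.dll", 471040),
    (r"C:\WINDOWS\SYSTEM\krn132.exe", 61440),
    (r"C:\WINDOWS\SYSTEM\Wqk.exe", 11776),
]

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} from .reg text (string values only)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes inside string data
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def find_run_indicators(run_values):
    """Return [(value_name, data)] Run entries whose name and target file match Klez.B."""
    hits = []
    for name, data in run_values.items():
        expected = KLEZ_B_RUN_VALUES.get(name.lower())
        if expected and ntpath.basename(data).lower() == expected:
            hits.append((name, data))
    return hits


def find_file_indicators(files):
    """Return paths whose file name and exact size match the dropped files."""
    return [path for path, size in files
            if KLEZ_B_FILE_SIZES.get(ntpath.basename(path).lower()) == size]


def scan(reg_text, files):
    """Run both checks; the Run key path is matched case-insensitively."""
    keys = parse_reg_export(reg_text)
    run = next((v for k, v in keys.items() if k.lower() == RUN_KEY.lower()), {})
    return {"run_entries": find_run_indicators(run), "files": find_file_indicators(files)}


if __name__ == "__main__":
    result = scan(SAMPLE_REG_EXPORT, SAMPLE_FILES)
    for name, data in result["run_entries"]:
        print(f"Run value {name} -> {data}")
    for path in result["files"]:
        print(f"dropped file present: {path}")
```

On a live system the .reg text would come from `reg export` of the Run key and the file listing from the System folder; the size check is deliberately exact, since the analysis gives exact byte counts, so a repacked or different-sized variant would need a hash or signature check rather than this script.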

Telemetry

Detection Availability

Product                     Detection
FortiGate                   Extended
FortiClient                 Extreme
FortiAPS
FortiAPU
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date         Version     Detail
2023-01-12   90.09587
2022-12-14   90.08731