W32/Klez.B@mm
Analysis
- Virus is 32-bit, with a size of 61,440 bytes, and is a minor variant of W32/Klez.A-mm.
- Virus will attempt to disable and terminate certain services which may be running on the host system. It searches the running threads for the following names and, if one is found, attempts to terminate the owning process:
  _AVP32
  _AVPCC
  _AVPM
  ALERTSVC
  AMON
  AVP32
  AVPCC
  AVPM
  N32SCANW
  NAVAPSVC
  NAVAPW32
  NAVLU32
  NAVRUNR
  NAVW32
  NAVWNT
  NOD32
  NPSSVC
  NRESQ32
  NSCHED32
  NSCHEDNT
  NSPLUGIN
  SCAN
  SMSS
- Virus contains and drops an infection of W32/Elkern onto the host as the file "Wqk.exe" (11,776 bytes) and modifies the registry to load this file at Windows startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  WQK=C:\WINDOWS\SYSTEM\Wqk.exe
- Virus will copy itself as "KRN132.EXE" (61,440 bytes) into the Windows\System (WinNT\System32) folder and then modifies the registry to load this file at Windows startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  Krn132=C:\WINDOWS\SYSTEM\krn132.exe
- Virus attempts to connect to at least one external SMTP server, which is hard-coded in the virus and is physically located in the Republic of China, in order to send itself in email form.
- Email addresses are captured from various files on the system, including .DBX extension mail box files.
- Message is structured such that an I-Frame exploit will cause the attachment to launch automatically when the message is either opened or previewed in Outlook.
- The email message will have an additional file attachment, typically a file with a .HTM extension, which is a clean and non-infectious file.
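A defender-side check for the two Run-key persistence entries and the kill-list names given in the analysis above, written here as an added example rather than Fortinet's own code. It works on already-collected data (a Run-key dump and a process list passed in as plain Python values), so the collection method is left to the reader and the sample inputs at the bottom are constructed, not captured.

```python
from pathlib import PureWindowsPath

# Run-key value names and file names exactly as the analysis lists them.
KLEZ_RUN_VALUES = {"wqk": "wqk.exe", "krn132": "krn132.exe"}

# Process names the virus searches for and tries to terminate.
KLEZ_KILL_LIST = {
    "_avp32", "_avpcc", "_avpm", "alertsvc", "amon", "avp32", "avpcc", "avpm",
    "n32scanw", "navapsvc", "navapw32", "navlu32", "navrunr", "navw32", "navwnt",
    "nod32", "npssvc", "nresq32", "nsched32", "nschednt", "nsplugin", "scan", "smss",
}


def _exe_name(command):
    """Lower-cased base name of the executable in a Run-key command line."""
    if command.startswith('"'):
        path = command[1:command.find('"', 1)]
    else:
        path = command.split()[0]
    return PureWindowsPath(path).name.lower()


def find_run_key_indicators(run_values):
    """Return (value_name, command) pairs from HKLM\\...\\Run that match the
    Klez.B / Elkern persistence entries. Matching is case-insensitive and
    also fires on the file name alone, so a renamed value name is still caught."""
    hits = []
    for name, command in run_values.items():
        if name.lower() in KLEZ_RUN_VALUES or _exe_name(command) in KLEZ_RUN_VALUES.values():
            hits.append((name, command))
    return hits


def targeted_processes(process_names):
    """Return the running processes whose base name is on the virus's kill list.
    These are the processes an infection would try to terminate, so their
    unexpected disappearance is a signal worth investigating."""
    return sorted({p for p in process_names if PureWindowsPath(p).stem.lower() in KLEZ_KILL_LIST})


# Constructed sample data (hypothetical host state, not captured from a real system).
SAMPLE_RUN_VALUES = {
    "WQK": r"C:\WINDOWS\SYSTEM\Wqk.exe",
    "Krn132": r"C:\WINDOWS\SYSTEM\krn132.exe",
    "ctfmon.exe": "CTFMON.EXE",
    "Updater": r"C:\temp\WQK.EXE",  # renamed value, same dropped file name
}
SAMPLE_PROCESSES = ["explorer.exe", "NAVW32.EXE", "smss.exe", "winword.exe"]

if __name__ == "__main__":
    print(find_run_key_indicators(SAMPLE_RUN_VALUES))
    print(targeted_processes(SAMPLE_PROCESSES))
```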
Detection Availability
Product | Availability
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |