Virus

W32/Klez.B@mm

Analysis

  • Virus is 32-bit, with a size of 61,440 bytes, and is a minor variant of
    W32/Klez.A-mm
  • Virus will attempt to disable and terminate certain services which may be running on the host system - the virus scans the running processes for the following names and attempts to terminate any process whose name matches -

    _AVP32
    _AVPCC
    _AVPM
    ALERTSVC
    AMON
    AVP32
    AVPCC
    AVPM
    N32SCANW
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    NAVWNT
    NOD32
    NPSSVC
    NRESQ32
    NSCHED32
    NSCHEDNT
    NSPLUGIN
    SCAN
    SMSS

  • Virus contains and drops an infection of W32/Elkern onto the host as the file "Wqk.exe" (11,776 bytes) and modifies the registry to load this file at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WQK=C:\WINDOWS\SYSTEM\Wqk.exe

  • Virus will copy itself as "KRN132.EXE" (61,440 bytes) into the Windows\System (WinNT\System32) folder and then modify the registry to load this file at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Krn132=C:\WINDOWS\SYSTEM\krn132.exe
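
    The two Run-key entries above are the persistence indicators a responder would sweep for. The following is an added example (not part of this analysis or of any vendor tool) that parses the text of a Regedit/.reg export of the Run key and flags the value names and dropped file names given above; it also flags any Run entry whose target file is Wqk.exe or krn132.exe regardless of value name, which goes slightly beyond the fixed names in the analysis. The registry dump is constructed.

```python
"""Flag W32/Klez.B@mm persistence entries in a .reg export of the Run key.

Added example; not code from the original analysis. The sample export below
is constructed for illustration.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators stated in the analysis: Run value names and dropped file sizes.
SUSPECT_VALUE_NAMES = {"wqk", "krn132"}
SUSPECT_FILE_SIZES = {"wqk.exe": 11776, "krn132.exe": 61440}

# Constructed .reg export: one benign entry and the two Klez.B entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"
"Krn132"="C:\\WINDOWS\\SYSTEM\\krn132.exe"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values in a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            m = re.match(r'^(?:"([^"]*)"|@)=(?:"(.*)"|(.*))$', line)
            if m:
                name = m.group(1) if m.group(1) is not None else "@"
                data = m.group(2) if m.group(2) is not None else m.group(3)
                keys[current][name] = data.replace("\\\\", "\\")  # undo .reg escaping
    return keys


def basename_lower(path):
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_klez_persistence(keys):
    """Return [(value_name, data, reason)] for Run entries matching the indicators."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() in SUSPECT_VALUE_NAMES:
            hits.append((name, data, "Run value name listed in the analysis"))
        elif basename_lower(data) in SUSPECT_FILE_SIZES:
            hits.append((name, data, "Run entry loads dropped file " + basename_lower(data)))
    return hits


def file_size_matches(path, size_bytes):
    """True when the file name and on-disk size match the figures in the analysis."""
    return SUSPECT_FILE_SIZES.get(basename_lower(path)) == size_bytes
```

A matching value name with a different size than stated does not clear the host, since the analysis gives sizes for this variant only.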

  • Virus attempts to connect to at least one external SMTP server, which is hard-coded in the virus and is physically located in the Republic of China, in order to send itself in email form
  • Email addresses are captured from various files on the system, including .DBX extension mail box files.
  • Message is structured such that an I-Frame exploit will cause the attachment to launch automatically when the message is either opened or previewed in Outlook -
    • The email message will have an additional file attachment, typically a file with an .HTM extension, which is a clean and non-infectious file.