Breeze
November 23rd, 2002, 09:56 AM
I have been getting this thing sent to me about 4 times a day. Thank goodness for ZoneAlarm Pro. Not that I would open an attachment but someone in this house might.
It is really interesting reading to see what this worm can do.
MALWARE ADVISORY:
Klez.F Worm
(aka W32/Klez.F-mm, W32/Stemdil-mm, I-Worm.Klez.E, Klez.E, W32.Klez.E@mm, W32/Klez.gen@MM)
MAC Primary Rating:
4
Summary:
Klez.F is a mass-mailer worm based upon the original Klez.A worm of late 2001. Klez.F uses its own Simple Mail Transfer Protocol (SMTP) routine to send e-mail, even in the absence of an e-mail client on the local machine. This malware proliferates through MS Outlook, Outlook Express, and IRC, but (like most mass-mailers) requires user activation of an e-mail attachment in order to execute. The worm also drops a malware payload similar to W32.ElKern.3326, which attempts to disable some common antivirus products as well as overwriting and destroying other files. Elkern is a cavity virus, which is able to infect files without changing their file size, making the payload more difficult to detect than other viruses. If an infected attachment is executed, a copy of Klez is created in the MS Windows system directory as WINKXXX.EXE (where XXX is two to three randomly-generated letters). Attachments may have random names, but reportedly end in .pif, .scr, .exe or .bat as part of a double extension. The Windows registry is also modified to run Klez upon startup of the operating system.
Most interestingly, Klez.F removes some other dangerous malware, such as Sircam, Nimda, and Code Red, while infecting the system itself. It also avoids infecting certain specific files (including Explorer and WinZip) which it requires to continue effective execution. Because of its proliferation capability and payload, the MAC Primary Rating of Klez.F is 4.
Description:
Klez
E-mail messages sent by Klez have the following characteristics:
Subject:
Subject lines vary randomly; the following subjects have been discovered to date:
How are you
Let's be friends
Darling
Don't drink too much
Your password
Welcome to my hometown
Honey
Some questions
Please try again
the Garden of Eden
Sos!
introduction on ADSL
Meeting notice
Questionnaire
Spice girls' vocal concert
japanese girl VS playboy
Congratulations
Look,my beautiful girl friend
Eager to see you
Japanese lass' sexy pictures
Message:
Body text either is empty or contains a randomized message.
Attachment:
Attachment names vary randomly, but end in one of the extensions .pif, .scr, .exe or .bat. Klez e-mail MIME types include both audio/x-wav and audio/x-midi. These MIME types are used to exploit a known vulnerability in Outlook, Microsoft vulnerability MS01-020: the Klez e-mail attachments execute immediately when infected messages are opened using unpatched applications. Some of the discovered file names include:
for.scr (78,817 bytes)
width.pif (82,891 bytes)
Client.pif (88,163 bytes)
TOOBUSY.scr (82,891 bytes)
class.exe (85,071 bytes)
value.bat (88,056 bytes)
The executable file contains the strings e:\windows\SyStem32\dLlcache\ddd.exe and dummy.exe. If an infected attachment is executed, a copy of Klez is created in the Microsoft Windows system directory as WINKXXX.EXE, where XXX is two to three randomly-generated letters. The Windows registry is also modified to run Klez upon startup. The values added under the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key are:
Wink[random characters] = System\Wink[random characters].exe
WQK = System\Wqk.exe
This new variant of Klez.F also infects files with an extension of ".exe". Infected applications contain encrypted headers because Klez.F prepends itself to these files. Klez.F also deletes the temporary file once the application terminates. Klez.F contains a new variant of the Elkern virus (ID# 107050, Jan. 18, 2001), which makes detection difficult because of its "cavity" capability. A cavity virus is able to infect files without changing their file size. Klez.F also spreads over networks. It enumerates network resources and copies itself to remote drives two times. One copy is an executable with a single or double extension. The second copy is an executable with one of the following names:
setup
picacu
install
kitty
demo
play
snoopy
rock
The following files are purposefully not infected by this new variant of Klez (to ensure efficient infection, presumably):
• EXPLORER
• CMMGR
• MSIMN
• ICWCONN
• WINZIP
This new variant also attempts to remove several other worms, anti-virus applications and other security software and related files. It also terminates processes associated with popular anti-virus products:
Malware Eliminated:
• Sircam
• Nimda
• CodeRed
Processes Killed:
• _AVP32
• _AVPCC
• NOD32
• NPSSVC
• NRESQ32
• NSCHED32
• NSCHEDNT
• NSPLUGIN
• NAV
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVRUNR
• NAVW32
• F-STOPW
• F-PROT95
• ACKWIN32
• VETTRAY
• VET95
• SWEEP95
• PCCWIN98
• IOMON98
• AVPTC
• AVE32
• AVCONSOL
• _AVPM
• ALERTSVC
• AMON
• AVP32
• AVPCC
• AVPM
• N32SCANW
• NAVWNT
• ANTIVIR
• AVPUPD
• AVGCTRL
• AVWIN95
• SCAN32
• VSHWIN32
• FP-WIN
• DVP95
• F-AGNT95
• CLAW95
• NVC95
• SCAN VIRUS
• LOCKDOWN2000
• Norton
• McAfee
• Antivir
• TASKMGR
Klez.F includes a special payload, sending out greeting messages around holidays with subjects such as Happy Christmas and Happy New Year, and also removes autostart keys for security software from the registry. It attacks anti-virus checksum files and integrity checker databases with the following names:
• ANTI-VIR.DAT
• CHKLIST.DAT
• CHKLIST.MS
• CHKLIST.CPS
• CHKLIST.TAV
• IVB.NTZ
• SMARTCHK.MS
• SMARTCHK.CPS
• AVGQT.DAT
• AGUARD.DAT
How to Tell If You're Infected:
The presence of a file called KRN132.exe in the Windows System folder is a clear indication of infection.
How to Prevent/Resolve Infection:
1. Ensure your anti-virus software is updated to the most recent signatures (if using a signature-file AV product like Norton/McAfee).
2. Filter double-extension e-mail attachments at your network perimeter.
3. Examine defense-in-depth by using a behavior-based AV product (like MailDefense or Achilles Shield) at your user perimeter.
4. If infected already:
a. Quarantine the infected machines and remove the infection files described above.
b. Scan the system with an updated AV scanner (if using a signature-file product).
*Note: Depending upon the depth of infection and damage, in some cases you may have to rebuild the machine.*
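As an added example that is not part of the advisory or the original post, here is the perimeter filter from step 2 applied to a constructed message in Python. It uses only the attachment indicators the advisory lists: a filename with a double extension ending in .pif, .scr, .exe or .bat, a single executable extension, and an audio/x-wav or audio/x-midi part whose decoded payload is really a PE (MZ) image; the addresses, body text and attachment bytes are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory: Klez.F attachments end in one of these
# extensions (often the second half of a double extension such as .txt.scr) and
# are declared with an audio MIME type so unpatched Outlook (MS01-020) runs them.
EXEC_EXTENSIONS = {".pif", ".scr", ".exe", ".bat"}
SUSPECT_AUDIO_TYPES = {"audio/x-wav", "audio/x-midi"}

def attachment_findings(raw: bytes) -> list:
    """Parse one RFC 822 message; return [(filename, [reasons])] for attachments
    matching the advisory's indicators. An empty list means nothing to hold."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue                      # skip containers and inline body text
        pieces = name.lower().rsplit(".", 2)
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXEC_EXTENSIONS:
            if len(pieces) == 3:          # e.g. readme.txt.scr
                reasons.append(f"double extension ending in {ext}")
            else:                         # e.g. for.scr, class.exe
                reasons.append(f"executable attachment {ext}")
        if ctype in SUSPECT_AUDIO_TYPES and data.startswith(b"MZ"):
            reasons.append(f"declared {ctype} but payload is a PE (MZ) image")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample() -> bytes:
    """Constructed message mimicking the advisory's description; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"   # constructed addresses
    msg["To"] = "user@example.test"
    msg["Subject"] = "How are you"        # one of the subjects the advisory lists
    msg.set_content("Let's be friends")   # advisory: body is empty or random text
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="audio",
                       subtype="x-wav", filename="width.txt.pif")
    msg.add_attachment("meeting notes", filename="notes.txt")  # benign control
    return bytes(msg)

if __name__ == "__main__":
    for fname, why in attachment_findings(build_sample()):
        print(fname, "->", "; ".join(why))
```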
Assessment:
Klez.A was a proof-of-concept worm that demonstrated the effectiveness of the carrier more than the payload. Its "pluggable payload" capability, however, foreboded future concern. Klez.F lives up to those concerns (in terms of payload) but uses several tried and true techniques for infecting new systems (e-mail and IRC), which should make it easier to detect and defeat. Moreover, the fact that it arrives with double extensions (i.e. .txt.scr) allows it to be easily recognized and filtered at the network perimeter, by internal mail systems, or even visually.
While Klez.F is highly dangerous if executed, the process by which it achieves successful infection should no longer be an issue. The use of the Outlook address book, the mass-mailing capability, and the fact that users are still executing random e-mail attachments (with obvious double extensions and consistent naming conventions) should no longer be viable options for infection. Behaviors on acceptable network usage must change, policies must be enforced, and defense-in-depth security strategies must be enabled. This new Klez variant is very noisy and should easily be mitigated before becoming a security risk to your network if the above steps are already taken.
Vendor        Current DAT or Signature File Update                 Date Released
Symantec      40116d                                               16 Jan 02
McAfee        4181                                                 16 Jan 02
Sophos        3.53                                                 Jan 02
Trend Micro   5.630                                                Dec 01
InDefense     n/a (No update required for behavior-based product)  n/a