The Klez.E worm, a.k.a. I-Worm.Klez.E and Stemdil, is a mass-mailing email worm that drops Elkern, a polymorphic EXE virus, and disables or disrupts security software that may be running on the system. Klez.E uses a complicated payload routine that targets odd months of the year. On the 6th of January and July, it overwrites all files on local and network drives. On the 6th of any other odd month, the worm overwrites all txt, htm, html, wab, doc, xls, jpg, cpp, c, pas, mpg, mpeg, bak, and mp3 files with random data.
The worm arrives in an email message composed of random text and random subject lines. (Earlier versions of the Klez worm sometimes arrive with no message text.) The attachment name also varies. The Klez.E email exploits the Incorrect MIME Header (MS01-020) vulnerability, which causes the attachment to execute automatically on systems running vulnerable browser software (unpatched versions of Internet Explorer 5.01 and 5.5). Users of other browser software can also be affected, though only if they open the attachment manually. In either case, when the attachment is executed, the worm installs itself to the Windows\System directory as WINK*.EXE (where * indicates two or more random letters). The worm then modifies one of the following registry keys so that the WINK*.EXE file is launched at startup and the worm stays active:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
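As an added defender-side example (not code from the article or from F-Secure), the following Python script checks Run/RunOnce autostart values for the persistence pattern described above: a value whose command points to WINK followed by two or more letters and .EXE inside the Windows\System directory. The registry entries it scans are a constructed in-memory sample so that it runs offline; the assumption that the random letters are A-Z, and the list of accepted spellings of the System directory, are mine rather than the article's.

```python
"""Added example (not from the article): flag Run/RunOnce autostart values
that look like the Klez.E WINK*.EXE installation.  Input is a constructed
list of (key, value_name, value_data) tuples so it runs offline; on a real
host the same logic would be fed from the registry (e.g. via winreg)."""
import re

# Keys the article names as the worm's persistence points.
KLEZ_AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# WINK followed by two or more letters, then .EXE, as the last path element.
# The article only says "random letters"; assuming A-Z is my choice.
_WINK_NAME = re.compile(r"(?:^|[\\/])WINK[A-Z]{2,}\.EXE$", re.IGNORECASE)

# The worm drops into the Windows\System directory; accept common spellings
# of that path, including the %SystemRoot% form used in REG_EXPAND_SZ data.
_SYSTEM_DIR = re.compile(
    r"^(?:%SystemRoot%|%windir%|[A-Z]:\\(?:windows|winnt|win95|win98))\\system\\",
    re.IGNORECASE,
)


def _command_path(value_data: str) -> str:
    """Extract the executable path from autorun value data.
    Handles quoted paths and trailing arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: the executable is everything up to the first whitespace.
    return data.split()[0] if data else ""


def is_klez_autorun(key: str, value_data: str) -> bool:
    """True when a Run/RunOnce value points to WINK<letters>.EXE in the
    Windows\\System directory, matching the article's description."""
    if key.upper() not in (k.upper() for k in KLEZ_AUTORUN_KEYS):
        return False
    path = _command_path(value_data)
    return bool(_WINK_NAME.search(path)) and bool(_SYSTEM_DIR.match(path))


def find_klez_autoruns(entries):
    """Return the (key, name, data) tuples that match the worm's pattern."""
    return [(k, n, d) for k, n, d in entries if is_klez_autorun(k, d)]


# Constructed sample: benign entries plus one that mimics the worm's install.
SAMPLE_ENTRIES = [
    (KLEZ_AUTORUN_KEYS[0], "SystemTray", r"C:\WINDOWS\SYSTEM\SysTray.Exe"),
    (KLEZ_AUTORUN_KEYS[0], "Winkab", r"C:\WINDOWS\SYSTEM\WINKAB.EXE"),  # constructed hit
    (KLEZ_AUTORUN_KEYS[1], "Setup", r'"C:\Program Files\Setup\wink.exe" /q'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "X", r"C:\WINDOWS\SYSTEM\WINKXY.EXE"),  # not one of the keys named
]

if __name__ == "__main__":
    for key, name, data in find_klez_autoruns(SAMPLE_ENTRIES):
        print(f"suspicious autorun: {key}\\{name} = {data}")
```

Running the script prints the single constructed hit (the Winkab value). The last sample entry is deliberately left unflagged because the article only names the HKEY_LOCAL_MACHINE Run and RunOnce keys; widen KLEZ_AUTORUN_KEYS if a broader sweep is wanted.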
Klez.E also infects other .EXE files on the system, creating a backup of the original contents and saving it with the original name and a new extension. When such an infected file is run, the worm extracts the original from backup, creating a new copy with a different name, and runs it. The worm also copies itself to shared network drives, using an array of randomly selected names and extensions.
The worm kills tasks of anti-virus and security software as well as tasks of several other worms - Nimda, Sircam, Funlove, CodeRed and previous Klez variants. According to F-Secure, the worm opens processes and looks for specific text strings in them. If one of these strings is found in a process, the worm terminates that process. The strings the worm looks for are: Sircam, Nimda, CodeRed, WQKMM3878, GRIEF3878, Fun Loving Criminal, Norton, Mcafee, Antivir, Avconsol, F-STOPW, F-Secure, Sophos, virus, AVP Monitor, AVP Updates, InoculateIT, PC-cillin, Symantec, Trend Micro, F-PROT, and NOD32. Also according to F-Secure, the worm terminates processes with the following names:
_AVP32, _AVPCC, NOD32, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NAV, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, _AVPM, ALERTSVC, AMON, AVP32, AVPCC, AVPM, N32SCANW, NAVWNT, ANTIVIR, AVPUPD, AVGCTRL, AVWIN95, SCAN32, VSHWIN32, F-STOPW, F-PROT95, ACKWIN32, VETTRAY, VET95, SWEEP95, PCCWIN98, IOMON98, AVPTC, AVE32, AVCONSOL, FP-WIN, DVP95, F-AGNT95, CLAW95, NVC95, SCAN, VIRUS, LOCKDOWN2000, Norton, Mcafee, Antivir, and TASKMGR. It also removes the registry keys responsible for starting the various security and antivirus software, thus disabling some of that software, or portions of it, when Windows is next restarted. F-Secure notes that Klez.E also affects the following antivirus integrity checking databases: ANTI-VIR.DAT, CHKLIST.DAT, CHKLIST.MS, CHKLIST.CPS, CHKLIST.TAV, IVB.NTZ, SMARTCHK.MS, SMARTCHK.CPS, AVGQT.DAT, and AGUARD.DAT.
Klez.E has a complex payload routine as noted in the first part of this article. The worm operates independently of the mail client, using its own SMTP routines to spread.
Given the range of actions taken by Klez.E and the files affected, manual removal of the worm is not recommended. Updated antivirus software is recommended for detection and disinfection. Disinfection of the Klez.E worm can also be performed with a special tool provided by F-Secure. The tool is available on their FTP site:
ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip.
F-Secure recommends first reading the KLEZTOOL.TXT file included in the ZIP archive before using the tool.
The above description applies only to the Klez.E variant. For a complete description of all the major Klez variants, please reference the F-Secure Klez description.