W32/Klez-D (Sophos)
Overview
Name: W32/Klez-D
Date: Fri, 9 Nov 2001 11:55:05(GMT)
Type: Win32 worm
At the time of writing Sophos has received just one report of
this worm from the wild.
Description: W32/Klez-D is a minor variant of the W32/Klez-A worm. It carries a compressed copy of the W98/Elkern virus, which it drops and
executes when the worm is run.
The worm sends itself to entries in the Windows address book and
arrives in an email with a subject line selected from:
"Hi"
"Hello"
"How are you?"
"Can you help me?"
"We want peace"
"Where will you go?"
"Congratulations!!!"
"Don't cry"
"Look at the pretty"
"Some advice on your shortcoming"
"Free XXX Pictures"
"A free hot porn site"
"Why don't you reply to me?"
"How about have dinner with me together?"
"Never kiss a stranger"
The attachment has a random filename and the sender address is
either a random uppercase name at yahoo.com, hotmail.com or
sina.com, or one chosen from a list inside the virus.
The body text of the email is sent as HTML and says:
"I'm sorry to do so,but it's helpless to say sorry. I want a
good job,I must support my parents. Now you have seen my
technical capabilities How much my year-salary now? NO more than
$5,500 What do you think of this fact? Don't call my names,I
have no hostility Can you help me?"
The worm attempts to exploit a MIME header handling vulnerability in some
versions of Microsoft Outlook, Microsoft Outlook Express, and
Internet Explorer (the flaw addressed by Microsoft Security Bulletin
MS01-020) so that the executable attachment runs automatically when the
message is viewed or previewed, without the user double-clicking on the
attachment. On a patched client the attachment still has to be opened
by hand, so keeping mail clients patched and stripping executable
attachments at the mail gateway both blunt this variant.
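The following Python triage function is an added example, not Sophos's code or part of the original description. It checks one raw RFC 822 message for the indicators listed above: a subject from the Klez-D list, a forged sender of the form described (uppercase local part at yahoo.com, hotmail.com or sina.com), the HTML body text, and an attachment whose filename is executable but whose declared MIME type is not. The last heuristic, the set of executable extensions, the sample message and the filename `xjrq.exe` are assumptions for this example; the page says only that the attachment name is random and that a MIME flaw is used.

```python
import email
import email.utils
import re
from email import policy

# Subject lines used by W32/Klez-D, taken from the Sophos description.
KLEZ_D_SUBJECTS = {
    "Hi", "Hello", "How are you?", "Can you help me?", "We want peace",
    "Where will you go?", "Congratulations!!!", "Don't cry",
    "Look at the pretty", "Some advice on your shortcoming",
    "Free XXX Pictures", "A free hot porn site",
    "Why don't you reply to me?", "How about have dinner with me together?",
    "Never kiss a stranger",
}

# Forged sender as described: a random uppercase name at one of three domains.
FORGED_SENDER_RE = re.compile(r"^[A-Z]+@(?:yahoo|hotmail|sina)\.com$")

# A fragment of the HTML body text quoted in the description.
BODY_PHRASE = "I want a good job,I must support my parents"

# Extensions Windows will execute. Assumption for this example, not from the page.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".bat", ".com")


def klez_d_indicators(raw_message: bytes) -> list[str]:
    """Return a list of Klez-D indicators found in one raw e-mail message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []

    subject = str(msg.get("Subject", "")).strip()
    if subject in KLEZ_D_SUBJECTS:
        hits.append(f"subject: {subject!r}")

    _, sender = email.utils.parseaddr(str(msg.get("From", "")))
    if FORGED_SENDER_RE.match(sender):
        hits.append(f"forged sender: {sender}")

    for part in msg.walk():
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename:
            # The MIME trick: an executable attachment labelled as a harmless
            # type (e.g. audio/*) so an unpatched client runs it on preview.
            if (filename.lower().endswith(EXECUTABLE_EXTS)
                    and not ctype.startswith("application/")):
                hits.append(f"executable {filename!r} declared as {ctype}")
        elif ctype == "text/html":
            text = " ".join(part.get_content().split())
            if BODY_PHRASE in text:
                hits.append("HTML body contains Klez-D text")
    return hits


# Constructed sample message for this example (not a captured Klez-D mail).
SAMPLE_MESSAGE = b"""\
From: QWERTY@yahoo.com
To: victim@example.org
Subject: Can you help me?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>I'm sorry to do so,but it's helpless to say sorry. I want a
good job,I must support my parents.</body></html>
--b1
Content-Type: audio/x-wav; name="xjrq.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="xjrq.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for hit in klez_d_indicators(SAMPLE_MESSAGE):
        print(hit)
```

Run against a mail spool, the function flags a message when any indicator fires; in practice a mismatch between an executable filename and a non-application content type is the strongest single signal, since it is the mechanism the worm depends on rather than a string that a later variant can change.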
The worm also copies itself, under random filenames, to writable network
shares on other machines. On the local machine it copies itself to the
Windows System directory as winsvc.exe and creates a value named WinSvc
under the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
whose data points to that file, so the worm is started at every logon.
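The persistence indicators above translate directly into a host check. The Python below is an added example, not Sophos's tooling: it parses the Run key section of a `.reg` export (the format `regedit` produces) and inspects a listing of the System directory for the two artefacts the description names. The sample export, its `SysTray.Exe` entry and the path `C:\WINDOWS\SYSTEM\winsvc.exe` are constructed for this example; the page gives the filename and the key but not the full path. A small Windows-only collector using `winreg` is included for running the same check live.

```python
import os
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WinSvc"          # value name set by the worm
DROPPED_NAME = "winsvc.exe"   # file dropped into the Windows System directory

# One "name"="data" line as written by regedit; backslashes and quotes are escaped.
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_run_values(reg_export: str) -> dict[str, str]:
    """Return name -> data for string values in the Run key of a .reg export."""
    values = {}
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            name, data = (s.replace('\\"', '"').replace("\\\\", "\\")
                          for s in m.groups())
            values[name] = data
    return values


def klez_d_persistence(run_values: dict[str, str],
                       system_dir_files: list[str]) -> list[str]:
    """Report the Klez-D Run value and dropped file if present."""
    findings = []
    data = run_values.get(RUN_VALUE)
    if data is not None:
        # Take the basename regardless of path separator or quoting.
        target = data.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if target == DROPPED_NAME:
            findings.append(f"Run\\{RUN_VALUE} points to {data}")
        else:
            findings.append(f"Run\\{RUN_VALUE} present with unexpected data {data!r}")
    if any(name.lower() == DROPPED_NAME for name in system_dir_files):
        findings.append(f"{DROPPED_NAME} present in the Windows System directory")
    return findings


def collect_live() -> tuple[dict[str, str], list[str]]:
    """Gather the same two inputs from the running host (Windows only).

    The System directory is System32 on NT-based Windows and System on
    Windows 9x; this collector assumes the NT layout.
    """
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = str(data)
            index += 1
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    return values, os.listdir(system_dir)


# Constructed .reg export for this example (not taken from an infected host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinSvc"="C:\\WINDOWS\\SYSTEM\\winsvc.exe"
"""

# Constructed listing of the Windows System directory for this example.
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "USER32.DLL", "WINSVC.EXE"]

if __name__ == "__main__":
    values = parse_reg_run_values(SAMPLE_REG_EXPORT)
    for finding in klez_d_persistence(values, SAMPLE_SYSTEM_DIR):
        print(finding)
```

Comparisons are case-insensitive because the Windows file system and registry are; a check that only matches `winsvc.exe` in lower case would miss the same file listed as `WINSVC.EXE`.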
| Field | Value |
|---|---|
| Publisher | Sophos |
| File Format | HTML |
| Date Published | November 2001 |
| Downloads | 5 |
| Format | White Papers |
| Topics | |