Win32.Elkern.A

Manually removing an infection from your computer can put your data at risk of damage that may or may not be recoverable. Central Command strongly recommends that you back up all of your data prior to attempting to remove an infection or repair any damage caused by an infection.

Details:
———-
Name: Win32.Elkern.A
Aliases: N/A
Type: File Infector, written in Assembly language
Size: N/A
Risk: Low
ITW: No

Description:
—————-
Win32.Elkern.A is a file infector that spreads with the help of Win32.Klez.A@mm, which carries it as part of its own body. It runs on Windows 98 and ME platforms.

When executed, the virus copies the host file into the Windows system directory under the name wqk (with the extension .exe or .dll) and writes the following key in the registry:

Software\Microsoft\Windows\CurrentVersion\Run\Wqk

with the path to the copied file as its value, so that the virus is reactivated every time Windows is started.
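The persistence mechanism above is the easiest part of the infection to check for on a suspect machine. The following is an added example, not code from the original description: it scans the text of an exported Run key for the Wqk value and the wqk.exe/wqk.dll payload names. The registry hive (HKEY_LOCAL_MACHINE) and the export lines are constructed for the example; the description does not state which hive the virus writes to.

```python
"""Flag the Win32.Elkern.A autostart value in an exported Run key.

Added example. The lines below are constructed to resemble a `reg export`
of the Run key; they are not taken from a real infected machine.
"""
import re

# Constructed sample: an exported Run key with one benign entry and the
# Wqk value the description says the virus writes. The hive is assumed.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Wqk"="C:\\WINDOWS\\SYSTEM\\wqk.exe"
"""

# Indicators taken from the description: value name Wqk, payload named
# wqk.exe or wqk.dll in the system directory.
INDICATOR_VALUE_NAME = "wqk"
INDICATOR_FILENAMES = ("wqk.exe", "wqk.dll")

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_run_key(reg_text):
    """Return {value_name: data} for every value under a Run key in the export.

    Only the lines directly under a [...\Run] header are collected; values
    under other keys in the same export are ignored.
    """
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.lower().rstrip("]").endswith(r"\currentversion\run")
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if m:
            # reg export doubles backslashes inside string data; undo that.
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def find_elkern_autostart(reg_text):
    """Return the list of (value_name, data) entries matching the indicators."""
    hits = []
    for name, data in parse_run_key(reg_text).items():
        basename = data.replace("/", "\\").split("\\")[-1].strip('"').lower()
        if name.lower() == INDICATOR_VALUE_NAME or basename in INDICATOR_FILENAMES:
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_elkern_autostart(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {data}")
```

Matching on both the value name and the payload file name means a renamed value still trips the check; a clean machine yields an empty list.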

The virus remains active, hiding from the application list, and searches for files to infect.

File infection is accomplished by searching for cavities in the host file so that the file size does not increase; if no suitable cavity is found, the last section of the executable is extended to hold the virus body.

The virus is also capable of spreading across the local network.

The spreading potential of the virus is increased because Win32.Klez.A@mm, a mass-mailer and network infector, also aids in spreading it.

In order to make detection more difficult, the virus keeps some layers of its body in encrypted form, and the names of the system functions it uses are not stored in the body; only a checksum associated with each name is. To use these functions, it calculates the checksum of each system function's name and, when it finds that checksum in its list, takes out the function's address to call it.
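The consequence of that checksum scheme for an analyst is that a strings dump shows no API names, so the references have to be resolved from the other direction: compute the same checksum over every export of the DLLs the sample could be loading and look each recovered value up. The following is an added example of that lookup-table approach, not the virus's code or Central Command's. The description does not give Elkern's actual checksum routine, so `checksum` here is a hypothetical stand-in (rotate-and-add), and the export list is a constructed sample rather than a real DLL's export table.

```python
"""Build a checksum-to-name table for resolving hashed API references.

Added example. Win32.Elkern.A's real checksum routine is not given in the
description, so `checksum` is a hypothetical stand-in, and SAMPLE_EXPORTS is
a constructed list, not a dump of a real DLL.
"""

# Constructed sample export names; in practice these would come from the
# export directory of each DLL the sample might resolve against.
SAMPLE_EXPORTS = [
    "CreateFileA",
    "FindFirstFileA",
    "FindNextFileA",
    "RegSetValueExA",
    "WriteFile",
]


def checksum(name):
    """Hypothetical 32-bit checksum over an ASCII function name.

    Stand-in for whatever routine a given sample uses. The structure is the
    point: a fixed function of the name, so the name itself need not be stored.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h << 5) | (h >> 27)) & 0xFFFFFFFF   # rotate left by 5 bits
        h = (h + b) & 0xFFFFFFFF
    return h


def build_lookup(export_names):
    """Map checksum -> name for every export, refusing silent collisions."""
    table = {}
    for name in export_names:
        h = checksum(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision: {table[h]!r} and {name!r} both hash to {h:#010x}")
        table[h] = name
    return table


def resolve(hash_list, export_names):
    """Resolve each checksum recovered from a sample back to an export name.

    Unknown checksums map to None so the analyst can see which references
    still need another DLL's export table or a different checksum routine.
    """
    table = build_lookup(export_names)
    return [(h, table.get(h)) for h in hash_list]


# Constructed "hash list" as it might be recovered from a sample's body: the
# checksums of two names that are present and one value that matches nothing.
SAMPLE_HASH_LIST = [checksum("FindFirstFileA"), checksum("WriteFile"), 0xDEADBEEF]

if __name__ == "__main__":
    for h, name in resolve(SAMPLE_HASH_LIST, SAMPLE_EXPORTS):
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

Once the sample's actual checksum routine has been identified in the disassembly, swapping it in for `checksum` and feeding the real export tables turns the recovered hash list back into the import list the virus deliberately omitted.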
