Manually removing an infection from your computer can put your data at risk of damage that may or may not be recoverable. Central Command strongly recommends that you back up all of your data before attempting to remove an infection or repair any damage caused by an infection.
Type: Internet and Network Worm, written in Visual C
Size: 57345 bytes
Win32.Klez.A@mm is an Internet worm that can also spread through the local network. Infected e-mails carry the virus as an attachment with a random name (but always with an .exe extension), and the subject of the e-mail is one of the following:
How are you?
Can you help me?
We want peace
Where will you go?
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don’t you reply to me?
How about have dinner with me together?
Never kiss a stranger
The message body is as follows:
I’m sorry to do so,but it’s helpless to say sorry.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don’t call my names,I have no hostility.
Can you help me?
It uses an exploit (a security hole) that causes the attachment to be executed simply by viewing the message in Microsoft Outlook Express or Outlook (without service packs installed). This method is similar to the one used by the Nimda and Kak worms.
The e-mail message does not appear to come from the infected user, but from a variety of addresses, among which are the following:
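As an added defender's example (not part of this description), the following Python check flags a message that matches the subject lines, fixed body text and .exe attachment described above; the attachment name and the sample message are constructed, not captured:

```python
import email
from email import policy

# Subject lines and body fragments taken from the description above.
KLEZ_SUBJECTS = {
    "How are you?", "Can you help me?", "We want peace", "Where will you go?",
    "Look at the pretty", "Some advice on your shortcoming", "Free XXX Pictures",
    "A free hot porn site", "Why don't you reply to me?",
    "How about have dinner with me together?", "Never kiss a stranger",
}
KLEZ_BODY_FRAGMENTS = ("it's helpless to say sorry", "I must support my parents")


def _norm(text):
    # The published strings use curly apostrophes; compare on straight ones.
    return text.replace("\u2019", "'").strip()


def klez_a_indicators(raw_message):
    """Return the sorted list of Klez.A indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = set()
    if _norm(msg.get("Subject", "")) in KLEZ_SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(".exe"):
            hits.add("exe-attachment")  # random name, but always .exe
        elif part.get_content_maintype() == "text":
            body = _norm(part.get_content())
            if any(frag in body for frag in KLEZ_BODY_FRAGMENTS):
                hits.add("body-text")
    return sorted(hits)


# Constructed sample message (not a real capture) shaped like the worm's mail.
SAMPLE_EML = (
    "Subject: Can you help me?\n"
    'Content-Type: multipart/mixed; boundary="sep"\n'
    "\n"
    "--sep\n"
    "Content-Type: text/plain\n"
    "\n"
    "I'm sorry to do so,but it's helpless to say sorry.\n"
    "I want a good job,I must support my parents.\n"
    "--sep\n"
    'Content-Type: application/octet-stream; name="fgh8x.exe"\n'
    'Content-Disposition: attachment; filename="fgh8x.exe"\n'
    "\n"
    "QUJD\n"
    "--sep--\n"
)
```

A message is only worth quarantining on the subject alone if the .exe attachment is also present; the body text is the strongest of the three signals because it never varies.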
Once executed, the virus decrypts all of its text strings (they are stored encrypted so that anyone analysing the virus cannot read them) and tries to hide itself from the application list.
The virus creates an execution thread that monitors all running applications and closes any that belong to an anti-virus program.
Next, the virus creates a file named wqk.exe in the system directory. This file contains the Win32.Elkern.A virus, which the worm carries compressed in its body; Elkern is a file infector that runs on Windows 98 or Windows Me.
After creating wqk.exe, the worm executes it, copies itself into the Windows system directory under the name krn132.exe and creates a registry key:
whose value is the path to this file, so that the worm is reactivated every time Windows starts.
The virus launches further execution threads: one for infection through the Internet, one for network infection and 26 others that scan every drive for files with one of the following extensions: txt, htm, doc, jpg, bmp, xls, cpp, html, mpg, mpeg.
The thread dedicated to Internet infection collects all contacts from the Outlook Address Book and also generates up to 10 e-mail addresses with a random name ending in @yahoo.com, @hotmail.com or @sina.com.
To send messages to these addresses it also builds an SMTP server list by taking the domain name of each e-mail address and adding the prefix smtp. For example, if the address list contains an address in the domain domain.com,
the virus adds smtp.domain.com to the SMTP server list.
The network infection thread wakes up every 8 hours and scans the network, leaving copies of the virus in certain shared directories under an apparently random name with a double extension. That name is actually the name of the last file examined by the threads scanning the local disks, with .exe appended.
If the system date falls in an odd month (January, March, etc.) and the day is the 13th, the virus starts its payload routine: it scans the local disks (or drives mapped from the network) and fills the files it finds with random data, permanently destroying them.