
Win32.HLLM.Klez.4

(Win32/CIH, Worm:Win32/Klez.H@mm, Cryp_Yodap, Worm/Klez.E, Parser error, Win32.Klez.H@mm, Win32.HLLW.Klez.h, Generic.dx, W95/CIH.1024, Worm/Klez.H.1, Virus.Win9x.CIH.1106, I-Worm/Generic.CBM, PE_CIH.1106, WORM_KLEZ.H, W32/Elkern.C, Win95.CIH.1024, GenPack:Win32.Klez.H@mm, Email-Worm.Win32.Klez.h, I-Worm/Klez.H, W32/Klez.h@MM, Virus:Win95/CIH.1024, Win32.Worm.Klez.H, W95/Tecata.a, Win32/Kriz.4050, Trojan:Win32/Bumat!rts, W32/FunLove.gen, PE_CIH.1049, W95/CIH.1049)

Added to the Dr.Web virus database: 2002-04-22

Virus description added:

Description

At present nine versions of the worm are known. Only four of them have been seen in the wild:

Win32.HLLM.Klez.61440 (Klez.B): end of October 2001 - November 2001
Win32.HLLM.Klez.1 (Klez.E): end of January 2001 - present
Win32.HLLM.Klez.2 (Klez.G): February 2001 - April 2002
Win32.HLLM.Klez.4 (Klez.H): April 17, 2002 - present

This description covers Win32.HLLM.Klez.1 through Win32.HLLM.Klez.5. Differences between the variants, where any exist, are noted below.

Win32.HLLM.Klez.4 is a mass-mailing worm that infects computers running Windows operating systems.
It propagates its copies via e-mail and across the local network, infecting computers that expose shared drives with write access.

Launching

To infect the target system the worm exploits a well-known MS Internet Explorer vulnerability, the so-called Incorrect MIME Header flaw, which allows a program file (here, the worm itself) to run automatically as soon as the message is previewed in mail clients such as MS Outlook and MS Outlook Express (versions 5.01 and 5.5).

DialogueScience, Inc strongly advises downloading and installing all patches and updates published by Microsoft.
With all patches installed, your computer can become infected only if you double-click the attachment that contains the worm program.

Spreading

Having infected a computer, the worm e-mails itself to all addresses found in the Windows Address Book and in local files.

Because the worm spoofs not only the [To:] field but also the [From:] field, using e-mail addresses found on the infected computer, the recipient can easily be misled about the actual sender of the infected message.

The Subject field of the message, as well as the message body itself, carries more or less plausible wording, for example:

Subject: A IE 6.0 patch
Message body:

Hello,This is a IE 6.0 patch
I expect you would like it.

Subject: A special excite game
Message body:

This is a special excite game
This game is my first work.
You're the first player.
I hope you would like it.

Subject: W32.Elkern removal tools
Message body:

W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP.
Symantec give you the W32.Elkern removal tools
For more information,please visit http://www.Symantec.com

To compose these messages the worm fills ready-made message templates with different variants of text strings. It can also use randomly chosen text strings, and the message body may be empty.

Mass mailing from the user's computer may also breach confidentiality: the worm attaches to every message one of the user's data files, chosen at random from the files on the infected computer, so confidential information can leak.

Action

When run, Win32.HLLM.Klez.4 copies itself to the Windows System directory as a randomly named .exe file whose name starts with “wink”. It then creates a registry value with the same name for this copy under

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm is executed every time the system boots.

Under Windows NT/2000 the worm uses a different autostart method: it registers itself as a system service under

HKLM\System\CurrentControlSet\Services\
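As an added defensive check (not part of the Dr.Web description), the following Python script parses a `reg export` dump of the Run key and the Services tree and flags autostart entries whose image is a `wink*.exe` in a Windows System directory, the persistence pattern described above. The sample dump is constructed, and it assumes the NT/2000 service's ImagePath points at the same wink*.exe copy, which the description does not state explicitly.

```python
import re
from pathlib import PureWindowsPath

# Persistence locations from the description; the worm's value and service
# names are random, so matching is done on the image path (wink*.exe in System).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
SYSTEM_DIRS = ("system", "system32")
_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ line: "name"="value"

def parse_reg_export(text):
    """REG_SZ values of a `reg export` dump as {key: {name: value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := _KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := _SZ_RE.match(line)):
            # .reg escapes backslash and double quote with a backslash
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def looks_like_klez_autostart(command):
    """True when a Run/ImagePath command runs wink*.exe from a System dir."""
    command = command.strip()  # either "quoted path" args, or bare path args
    exe = command[1:command.find('"', 1)] if command[:1] == '"' else command.split(" ")[0]
    path = PureWindowsPath(exe.lower())
    return (path.name.startswith("wink") and path.suffix == ".exe"
            and path.parent.name in SYSTEM_DIRS)

def find_suspicious(reg_text):
    """(key, value_name, command) for each matching Run value or service ImagePath."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        is_run = key.lower() == RUN_KEY.lower()
        is_svc = key.lower().startswith(SERVICES_KEY.lower() + "\\")
        for name, cmd in values.items():
            if (is_run or (is_svc and name.lower() == "imagepath")) and looks_like_klez_autostart(cmd):
                hits.append((key, name, cmd))
    return hits

# Constructed sample dump; assumes the NT/2000 service's ImagePath is the same wink*.exe copy.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Winkqh"="C:\\WINDOWS\\SYSTEM\\Winkqh.exe"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkrp]
"ImagePath"="\"C:\\WINNT\\system32\\winkrp.exe\" -service"
'''
```

On a real host, export the two keys with `reg export` (the dump is UTF-16; decode it before passing to `find_suspicious`) and treat every hit as a candidate for manual inspection, since a legitimate program could in principle use the same name prefix.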

In addition, the worm creates copies of itself on local and network drives, infects RAR archives by overwriting them with randomly named copies of itself, and infects applications registered in the system using a companion-virus technique: it saves a copy of the host application file (after encoding it) and then overwrites the original with its own code.

Besides this, Win32.HLLM.Klez.4 acts as a dropper for a file virus, Win32.Klez.xxxx.

Once on a system, the worm unpacks this viral program and runs it. From then on the virus spreads on its own.

Depending on the worm variant, it drops one of the following Win32.Klez.xxxx file-infecting viruses:

  • Win32.Klez.3326
  • Win32.Klez.4219
  • Win32.Klez.4926

Win32.Klez is a Windows memory-resident virus that infects files with the extensions .EXE and .SCR on local and network drives. The virus has no evident manifestations.
To summarize, on an infected system the worm performs the following actions that are undesirable for the user:
  • on the sixth of every odd month Win32.HLLM.Klez.1 overwrites data files on all drives with random garbage, making such files unrecoverable unless the user has backed them up
  • in some of its versions this destructive payload triggers on the 13th of every odd month; Win32.HLLM.Klez.4 does not have a data deletion function
  • confidential information may be disclosed
  • the worm tries to identify anti-virus programs among the running processes and terminate them.