Klez.E is a new variant of Klez worm that was first discovered
To its author's classification and has several new features compared to the older variants. The differences from the original version are as follows:

1. The worm installs itself to Windows System directory as
Worm creates an autostarting key for its file in System

2. The worm now has file infection capabilities. Infecting an EXE file, the worm overwrites it and creates a backup file with the same name as the infected file, but with a random extension with hidden, system and read-only attributes. When the infected file is run, the worm extracts the original program from a backup file with its original name
After the program terminates, the worm deletes it.
The worm doesn't infect files with the following
This type of infection is called 'companion infection'.

3. The worm has network spreading capabilities. The worm enumerates network resources and copies itself to remote drives twice - once as an executable file with single or double extension, and second time as a RAR archive that can
The RAR archive contains the worm's executable file with one of the following
The first extension of the RAR archive or of the worm's
The second or the only extension of the worm's executable file
The dropped RAR archive and worm's executable file name is either random or belongs to a file, that a worm found on a

The worm kills tasks of anti-virus and security software as well as tasks of several other worms - Nimda, Sircam, Funlove and CodeRed. The worm opens processes and looks for the
If a specific text string is found in a process, the worm terminates this process. The
Also the worm terminates processes with the following names:

5. The worm removes autostarting Registry keys of security and anti-virus software thus disabling this software or parts of

6. The worm affects anti-virus checksum files and integrity checker databases with the following names:

7. The worm drops a new version of Elkern virus ("version 1.1" according to author's classification) that is also known as
Please see Elkern description for more info, the

8. The worm can corrupt binary executables and data files.

9. The worm contains the following text strings that are never
Win32 Klez V2.0 & Win32 Elkern V1.1,(There nick name is Twin Virus*^_^*)
1.I will try my best to protect the user from some vicious virus,Funlove,Sircam,Nimda,CodeRed and even include W32.Klez 1.X.
4.Don't accuse me.Please accuse the unfair sh*t world

10. Separate thread and constantly checks system date.
Month number is odd (1, 3, 5, etc.) and the date is equal to 6
Number is equal to 7 (July) or 1 (January) and sets a special flag if it is. Then the main payload routine is activated.
Looks for all files on all local and network drives.
Month is not 1 or 7, the routine only affects files with the
The worm overwrites found files with random data thus destroying their content.

11. Email messages sent by Klez.E are composed according to really complex rules that make it possible to create a large
'The attachment is a very dangerous virus that spread trough email.'
'The file is a special dangerous virus that can infect on Win98/Me/2000/XP.'
Just like the other variants of Klez this one uses the Incorrect MIME Header (MS01-020) vulnerability to send attachments that are automatically executed when the message
See the link to Microsoft security advisory above.
Recipients' email addresses are collected from the Windows Address Book as well as from ICQ user databases.
Its own SMTP routines so it can send email without an email

Important Note: The emails sent by Klez.E worm often have a faked sender's address.