On Wednesday, as it does on the sixth day of every odd-numbered month, the Klez.E e-mail worm will unload its destructive payload.
First discovered in January 2002, Klez.E has been spreading steadily and is currently rated the second most active virus in the world according to mail service provider MessageLabs. MessageLabs rates viruses and worms according to how many instances of each it intercepts in a 24-hour period.
“We have seen a significant peak in confirmed infections over the last 30 days of Worm/Klez-E; over this period it has been our top
infector,” added Steven Sundermeier, product manager for Medina, Ohio-based anti-virus firm Central Command Inc. “This poses a
serious problem for all Internet and e-mail users since tomorrow it unleashes its vastly damaging payload.”
According to Finnish security firm F-Secure Corp., Klez.E is a complex virus which sends itself via e-mail using a wide variety of
different message headers, including messages that pose as virus warnings, virus removal tools, games or holiday greetings. It is
also capable of faking the e-mail sender.
Once opened, the worm installs itself in the Windows System directory as a WINKxxxx.EXE file (the ‘xxxx’ can be two to three random
letters) and creates an autostart key for its file in the System Registry, restarting the worm each time the computer is rebooted.
The worm also has file-infection capabilities. F-Secure said that when infecting an EXE file, the worm overwrites it and creates a
backup file with the same name as the infected file, but with a random extension with hidden, system and read-only attributes. When
the infected file is run, the worm extracts the original program from a backup file with its original name plus ‘MP8’ and runs it.
After the program terminates, the worm deletes it. However, the worm does not delete files with the names EXPLORER, CMMGR, MSIMN,
ICWCONN, or WINZIP.
The worm also has network spreading capabilities. It enumerates network resources and copies itself to remote drives twice, once as
an executable file with single or double extension and a second time as a RAR archive that can have a single or double extension.
The worm then goes about killing the tasks of anti-virus and security software, as well as the tasks of a number of other worms —
including Nimda, Sircam, Funlove and CodeRed. Klez.E then removes the autostarting Registry keys of security and anti-virus
software, disabling the software — or parts of it — completely the next time Windows is booted.
Klez.E then drops the Elkern virus, the destructive part of Klez.E’s payload, which can corrupt binary executables and data files.
F-Secure said Elkern has a complex payload routine: it works as a separate thread and constantly checks the system date. If the
month number is odd and the date is equal to 6, then the worm continues. It then checks if the month number is equal to 7 (July) or
1 (January) and sets a special flag if it is. Then it activates the main payload routine, looking for all files on all local and
network drives. If the month is 1 or 7, it affects all files. Otherwise it affects files with the extensions: txt, htm, html, wab,
doc, xls, jpg, cpp, c, pas, mpg, mpeg, bak, mp3. It overwrites the files with random data.
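The two on-disk traces described above (the WINK dropper in the System directory, and an overwritten EXE sitting beside a hidden, system, read-only backup with a random extension) can be turned into a simple triage check. The code below is an added example, not from the article, F-Secure or any vendor tool; the directory snapshot, the attribute representation and the System directory path are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One file from a constructed directory listing with its attribute flags."""
    path: str
    hidden: bool = False
    system: bool = False
    readonly: bool = False

# Dropper name from the article: WINK plus two or three random letters, .EXE.
DROPPER_RE = re.compile(r"^WINK[A-Z]{2,3}\.EXE$", re.IGNORECASE)

def find_dropper(entries, system_dir="C:\\WINDOWS\\SYSTEM"):
    """Return paths matching the WINKxxxx.EXE pattern inside the System directory (assumed path)."""
    hits = []
    for e in entries:
        directory, _, name = e.path.rpartition("\\")
        if directory.lower() == system_dir.lower() and DROPPER_RE.match(name):
            hits.append(e.path)
    return hits

def find_backup_pairs(entries):
    """Return EXE paths that have a sibling with the same stem, a non-EXE extension,
    and the hidden+system+read-only attributes the worm gives its backup copies."""
    by_stem = {}
    for e in entries:
        stem, _, ext = e.path.rpartition(".")
        by_stem.setdefault(stem.lower(), []).append((ext.lower(), e))
    suspects = []
    for items in by_stem.values():
        exes = [e for ext, e in items if ext == "exe"]
        backups = [e for ext, e in items
                   if ext != "exe" and e.hidden and e.system and e.readonly]
        if exes and backups:
            suspects.extend(x.path for x in exes)
    return sorted(suspects)

# Constructed sample listing: one dropper, one infected program with its backup, and benign files.
SAMPLE = [
    Entry("C:\\WINDOWS\\SYSTEM\\WINKAB.EXE"),
    Entry("C:\\WINDOWS\\SYSTEM\\winsock.dll"),
    Entry("C:\\Program Files\\App\\tool.exe"),
    Entry("C:\\Program Files\\App\\tool.qzx", hidden=True, system=True, readonly=True),
    Entry("C:\\Program Files\\App\\readme.txt"),
]

if __name__ == "__main__":
    print("dropper:", find_dropper(SAMPLE))
    print("infected:", find_backup_pairs(SAMPLE))
```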
Security firms are offering detection and disinfection tools to deal with the worm.