Klez Worm Goes After Myriad Files

Yet another e-mail-borne worm is making the rounds on the Internet using an infection and pattern that should be quite familiar to administrators and users.

The worm is capable of deleting anti-virus and a lengthy list of other files. On the sixth day of every month save January and July, the worm tries to overwrite all files with the following extensions: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak and .mp3.

Klez.E showed up on anti-virus companies radar screens Thursday and hasnt spread very widely, although, as a mass-mailing worm, it certainly has that potential.

The e-mail message carrying the worm arrives in the users inbox with a random subject line and bears an attachment that also has a randomized name. The attachment can be a file with either a .bat, .exe, .pif or .scr extension, according to an advisory published by Symantec Corp, which rates the worms severity as low.

The attachment carrying the worm can execute either when the user opens it or views the message in Microsoft Outlooks preview pane.

Once it is unleashed, Klez copies itself to the Windows System folder and either modifies a certain registry key or creates one of its own. It then creates a value in that key so that the worm will execute once the machine starts up again.

The worm then attempts to disable some virus scanners and, oddly enough, delete other worms such as Code Red and Nimda that may have infected the machine. Klez then drops a virus known as W32.Elkern.3587 on the infected machine and executes it.

It also copies itself to local, mapped and network drives using a random file name and double extension, such as filename.txt.exe.

Klez then mails itself to any e-mail address it finds in the users Windows address book, ICQ database or local files. It can also infect executable files by making a hidden copy of the original host file and then overwriting the original file with the virus.