W32.Klez.H Virus Analysis
-------------------------
By klemster (klemster@weed5.org)
http://www.weed5.org/
First Written On: 22nd August, 2002. 10:35 PM
Last Modified On: 22nd August, 2002. 11:45 PM

====================================================================

Contents
--------
Introduction
Virus Analysis
Disclaimer

====================================================================

INTRODUCTION

The purpose of this text is to demonstrate the Klez.H virus. I couldn't do anything but watch it infect all my files after I had run it... Read the Disclaimer at the end of the text.

====================================================================

VIRUS ANALYSIS

The Klez worm has been one of the fastest spreading over the internet and has infected a lot of computers (I know!). It is very efficient in its methods, but is otherwise harmless if you're just another home PC user, rarely using your box. But no worm is harmless, and it is an unnecessary headache. This analysis has been based on Klez running on Windows 98 first and then on Windows 2000 also.

I said before that I had been receiving mails from some persons. That was true. It was not from another infected computer. The reason I can say this for sure is that the subjects had a lot of stuff related to me. But another e-mail address of mine (Yahoo! Mail) had also got mails from real infected computers. Some of the subjects of the mails were:

.::> Please try again
.::> This would make him happier too
.::> Japanese girl VS playboy
.::> So cool a flash,enjoy it
.::> Let's be friends
.::> Happy Lady Day
.::> Welcome to my hometown
.::> A very humour game

The e-mails contain the following attachments:

file.html
file.txt (most probably empty)
(something).exe / .pif / .com
and maybe another text/html file.

The virus first copies itself to %systemroot%\system if you're on Win 9x or %systemroot%\system32 if you're on NT/2000.
It copies itself under the name winkxxx.exe or winxx.exe, where the x's indicate randomly generated letters. The file has the attributes SHR (System, Hidden, Read-only). Then it adds itself under the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

with the filename it created for itself in %systemroot%\system. If you attempt to delete or change it, it will copy itself back again, i.e. it rewrites the value almost every millisecond. If you attempt to stop start-up programs from loading, it will create the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-

and copy itself into it. This, for some strange reason, cannot be stopped. Then it will unload any antivirus programs or firewalls running from memory and render them useless. This raises its efficiency level to the maximum. It registers itself as a Windows system process. It then reads the files c:\frunlog.txt and c:\netlog.txt. Next, it copies itself to the Machine Debug Machine file, mdm.exe, found in the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Then it reads your Microsoft Outlook address file to gather e-mail addresses to spread itself. (It spreads itself with different subjects.) Anyway, I don't use Outlook, so good for my friends! Next, it checks if you have ICQ installed and begins to access your ICQ files to gather your UIN, password and other information.
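As an added defender-side example (my own code, not part of the original write-up), a Python audit of the three autorun keys described above: it flags a value whose target matches the winkxxx.exe / winxx.exe naming, sits in the system folder with the S+H+R attributes, or lives under the Run- key. The key names, file-name pattern and attributes are taken from the text; the reason strings, the exe_path helper and the winreg scan are assumptions of mine.

```python
import ntpath
import re

# Autorun keys (HKLM-relative) the write-up says Klez.H writes to.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Run-",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Dropped-file names from the write-up: winkxxx.exe or winxx.exe (x = random letter).
DROP_NAME = re.compile(r"^(wink[a-z]{3}|win[a-z]{2})\.exe$", re.IGNORECASE)
SHR = 0x1 | 0x2 | 0x4  # Win32 Read-only | Hidden | System: how the dropped copy is marked

def exe_path(command):
    """Executable part of an autorun value: the quoted path, else the first token."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def check_autorun_entry(key, command, attributes):
    """Return why an autorun value deserves review (empty list = nothing matched).
    attributes: Win32 attribute bits of the file (os.stat(path).st_file_attributes)."""
    folder, name = ntpath.split(exe_path(command))
    reasons = []
    if DROP_NAME.match(name):
        reasons.append("name matches the wink???.exe / win??.exe drop pattern")
    if ntpath.basename(folder).lower() in ("system", "system32") and (attributes & SHR) == SHR:
        reasons.append("executable in the system folder carries S+H+R attributes")
    if key.endswith("\\Run-"):
        reasons.append("value sits under the Run- key, which is normally absent")
    return reasons

def scan_live_registry():
    """Windows only: enumerate RUN_KEYS via winreg; returns {key\\value: reasons}."""
    import os, winreg  # imported here so the checks above still run on any OS
    findings = {}
    for key in RUN_KEYS:
        try:
            handle = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key)
        except OSError:
            continue  # key absent (Run- normally is)
        with handle:
            for i in range(winreg.QueryInfoKey(handle)[1]):  # [1] = number of values
                name, data, _ = winreg.EnumValue(handle, i)
                path = exe_path(str(data))
                attrs = os.stat(path).st_file_attributes if os.path.isfile(path) else 0
                reasons = check_autorun_entry(key, str(data), attrs)
                if reasons:
                    findings[key + "\\" + name] = reasons
    return findings
```

check_autorun_entry works on any OS with constructed values, so the matching logic can be tested offline; scan_live_registry needs a Windows host.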
Below are some of the ICQ files that it accessed:

C:\PROGRAM FILES\ICQ\UIN\11xxxxxx.UIN
C:\PROGRAM FILES\ICQ\UIN\77xxxxxx.UIN
C:\PROGRAM FILES\ICQ\UIN\11xxxxxx.DAT
C:\PROGRAM FILES\ICQ\UIN\77xxxxxx.DAT
C:\PROGRAM FILES\ICQ\UIN\11xxxxxx.IDX
C:\PROGRAM FILES\ICQ\UIN\77xxxxxx.IDX
C:\PROGRAM FILES\ICQ\2000b\11xxxxxx.IDX
C:\PROGRAM FILES\ICQ\2000b\77xxxxxx.IDX
C:\PROGRAM FILES\ICQ\2000b\11xxxxxx.IDX
C:\PROGRAM FILES\ICQ\2000b\77xxxxxx.IDX
C:\PROGRAM FILES\ICQ\PLUGINS\EXTCON~1\11xxxxxx.DAT
C:\PROGRAM FILES\ICQ\PLUGINS\EXTCON~1\77xxxxxx.DAT
C:\PROGRAM FILES\ICQ\CHATS\77xxxxxx.CHT

Good for me that I stopped using ICQ around 6-7 months ago, and I didn't care. But I realised that I had used the same password for an e-mail account also! So this can be pretty useful. As much as I remember, I recollect that ICQ has all personal info in the uin.DAT files, and even though it is encoded, it is cracked with minimal difficulty. I used to have a program that could decode the DAT files for me.

It also, for some reason, first appends the RealPlayer executable file and then the Microsoft Plus themes executable. It also copies itself under various names in the %temp% directory. It also copies itself to all the processes running. It creates some 10 KB file in C:\PROGRAM FILES under different names when the computer starts up, but I couldn't find out what it does.

It infects all executables with the Win32.Elkern.c virus. I don't know much about this virus. It infects the important executables, including ones named "setup.exe" or other names, with itself, i.e. W32.Klez.H. It also sees that the file sizes remain the same by appending chars. It also scans your Temporary Internet Files and checks for usernames and passwords. Some of the files it checked were:

C:\WIN98\TEMPOR~1\CONTENT.IE5\STQ7CLAZ\258256~1.HTM
C:\WIN98\TEMPOR~1\CONTENT.IE5\STQ7CLAZ\LOGIN~1.HTM

Both these files contained some login info. In fact, I don't remember which one, but one of them contained a temporary Yahoo! Mail page that had been stored before.

When you connect to the internet, it connected to an SMTP port on the servers 194.67.57.51, 202.104.32.230... When I checked it out, it turned out to be some Russian website. Another aspect is that your firewalls and AVs are disabled. So you may check the connections as soon as you connect, or 5-10 seconds after you connect. But Klez is careful enough to wait for around a minute before it connects. My firewall was disabled, and I was not running anything else to log data transfer. I found this out when I later got internet. The virus most probably tried to mail itself to any people in the MS Outlook address book.

I also discovered that it was the Klez.H virus by attaching it in a Yahoo mail and scanning it with Norton, and then downloaded the cleaner. It's a pretty cool cleaner, but you are sure to lose some important executables. It is named Kleztool and scans the entire hard disk and removes all traces of it. I got it by searching in Google, from an F-Secure antivirus site. I'm sorry, but I forgot the URL. The filename is: kleztool.zip.

Well... that's it... Till next time.

====================================================================

DISCLAIMER

There is no guarantee of the accuracy of this text and it is subject to change at any time. This text is meant only for educational purposes. Following or reading this text is entirely at the choice and risk of the user. I will not be responsible for any damages caused because of reading this directly or indirectly, or abuse/misinterpretation of this paper.

====================================================================

klemster | klemster@weed5.org
Copyright 2002 Weed5 Security Group
http://www.weed5.org/