klezanalysis.txt
Posted Aug 31, 2004
Authored by Klemster, indiasec | Site indiasec.com

An analysis of the Klez worm listing all the steps that it takes.

tags | worm
SHA-256 | f2c65ec510c5523d748d5d277a63219df67263954663d1d20fdfc5ad9b1abcfc

W32.Klez.H Virus Analysis
-------------------------

By klemster (klemster@weed5.org)
Visit Weed5 Computer Security Group http://www.weed5.org/ for more

First Written On: 22nd August, 2002. 10:35 PM
Last Modified On: 22nd August, 2002. 11:45 PM

====================================================================
Contents
--------

Introduction

Virus Analysis

Disclaimer

====================================================================
INTRODUCTION

The purpose of this text is to document the behaviour of the Klez.H
virus. I couldn't do anything but watch it infect all my files after
I had run it.
Read the Disclaimer at the end of the text.

====================================================================
Virus Analysis

The Klez worm has been one of the fastest spreading over the
internet and has infected a lot of computers (I know!). It is very
efficient in its methods, and if you're just another home PC user
who rarely uses the box you may not notice much. But no worm is
harmless, and it is an unnecessary headache.

This analysis is based on running Klez first on Windows 98 and then
on Windows 2000.

I said before that I had been receiving mails from some persons.
That was true. They were not from another infected computer. The
reason I can say this for sure is that the subjects contained a lot
of material related to me.

But another e-mail address of mine (Yahoo! Mail) had also received
mails from real infected computers. Some of the subjects were:
.::> Please try again
.::> This would make him happier too
.::> Japanese girl VS playboy
.::> So cool a flash,enjoy it
.::> Let's be friends
.::> Happy Lady Day
.::> Welcome to my hometown
.::> A very humour game

The e-mails contain the following attachments:
file.html
file.txt (most probably empty)
(something).exe / .pif / .com
and maybe another text/html file.
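
As an added illustration (not part of the original write-up), the following Python triages a raw message for the traits listed above: a subject from the list, an executable attachment with one of the named extensions, and an empty text/plain attachment riding along. The two sample messages are constructed for the example; the subject list and extensions are taken from the text, and the two-byte "MZ" base64 stub stands in for the worm body.

```python
import email
import email.policy
import re

# Subjects the write-up above lists as seen on Klez mail, lower-cased for matching.
KLEZ_SUBJECTS = {
    "please try again",
    "this would make him happier too",
    "japanese girl vs playboy",
    "so cool a flash,enjoy it",
    "let's be friends",
    "happy lady day",
    "welcome to my hometown",
    "a very humour game",
}

# Attachment extensions the write-up names for the worm body.
EXEC_EXT = re.compile(r"\.(?:exe|pif|com)$", re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Classify one raw RFC 822 message by the traits described above.

    Verdict is 'quarantine' if an executable attachment is present,
    'suspicious' if only the subject matches the known list, else 'pass'.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "").strip()
    executables = []
    empty_text_parts = 0
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        name = part.get_filename()
        if name and EXEC_EXT.search(name):
            executables.append(name)
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if not body.strip():
                empty_text_parts += 1  # the "most probably empty" file.txt
    known_subject = subject.lower() in KLEZ_SUBJECTS
    if executables:
        verdict = "quarantine"
    elif known_subject:
        verdict = "suspicious"
    else:
        verdict = "pass"
    return {
        "subject": subject,
        "known_subject": known_subject,
        "executables": executables,
        "empty_text_parts": empty_text_parts,
        "verdict": verdict,
    }


# Constructed sample in the shape the write-up describes: an HTML part, an
# empty file.txt, and the worm body as a .pif. "TVo=" decodes to "MZ" only.
SAMPLE = b"""From: someone@example.org
To: victim@example.org
Subject: Japanese girl VS playboy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="klez-sample"

--klez-sample
Content-Type: text/html

<html><body>So cool a flash, enjoy it!</body></html>
--klez-sample
Content-Type: text/plain; name="file.txt"
Content-Disposition: attachment; filename="file.txt"

--klez-sample
Content-Type: application/octet-stream; name="setup.pif"
Content-Disposition: attachment; filename="setup.pif"
Content-Transfer-Encoding: base64

TVo=
--klez-sample--
"""

# Constructed benign message for comparison.
CLEAN = b"""From: colleague@example.org
To: victim@example.org
Subject: Meeting moved to 10:30
MIME-Version: 1.0
Content-Type: text/plain

See you in the small conference room.
"""

if __name__ == "__main__":
    for raw in (SAMPLE, CLEAN):
        print(triage(raw))
```

The verdict is driven by the attachment, not the subject: the subject list is a useful corroborating signal but mass-mailers rotate subjects, so a message with a .pif/.exe/.com attachment is quarantined whether or not the subject is recognised.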

The virus first copies itself to %systemroot%\system on Windows 9x
or %systemroot%\system32 on NT/2000, under the name winkxxx.exe or
winxx.exe, where each x is a randomly generated letter. The file is
given the attributes S, H and R (system, hidden, read-only), so it
does not show up in a normal directory listing.

Then it adds a value under the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
pointing at the file it created in %systemroot%\system. If you
delete or change the value it is written straight back: the worm
rewrites it almost every millisecond, so editing it by hand while
the process is running is pointless.
If you disable start-up programs from loading, it creates the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
and adds itself there. This, for some strange reason, cannot be
stopped.

Then it kills any antivirus programs or firewalls running in memory
and renders them useless, which raises its effectiveness to the
maximum. It registers itself as a Windows system process, which on
Windows 9x keeps it out of the Close Program (Ctrl+Alt+Del) list.

Next, it copies itself over the Machine Debug Manager executable,
mdm.exe, whose start-up entry is found in the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
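
The persistence described above can be checked from a Regedit export (regedit /e) rather than by eye. The following Python is an added example, not from the original write-up: it parses the export, looks in the three keys named above, and flags any value whose executable matches the winkxxx.exe / winxx.exe drop-name pattern, noting whether it sits in a system directory. The .reg text is constructed for the example; the key paths and the name pattern are taken from the text. An mdm.exe entry under RunServices is a normal Windows 9x component, so it is not flagged by name; whether the binary has been overwritten has to be checked by hash or timestamp instead.

```python
import re

# Autorun keys named in the write-up. Run- is the key it reports the worm
# creating when start-up programs are disabled.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Drop-file name per the write-up: "winkxxx.exe" or "winxx.exe", x = random letter.
KLEZ_NAME = re.compile(r"^win(?:k[a-z]{3}|[a-z]{2})\.exe$", re.IGNORECASE)

# The two drop directories named above (Windows 9x: system, NT/2000: system32).
SYSTEM_DIR = re.compile(r"\\system(?:32)?\\[^\\]+$", re.IGNORECASE)


def parse_reg_export(text: str) -> dict:
    """Parse a Regedit .reg export into {key_path: {value_name: string_data}}.

    Only REG_SZ values ("name"="data") are kept; dword:/hex: data is skipped.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg escapes quotes and backslashes inside string data.
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def command_path(command: str) -> str:
    """Return the executable path from an autorun command, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def find_klez_autoruns(keys: dict) -> list:
    """Return (key, value_name, command, reason) for values that look like the drop file."""
    findings = []
    for key in AUTORUN_KEYS:
        for name, command in keys.get(key, {}).items():
            path = command_path(command)
            exe = path.rsplit("\\", 1)[-1]
            if KLEZ_NAME.match(exe):
                where = "in system dir" if SYSTEM_DIR.search(path) else "outside system dir"
                findings.append((key, name, command, f"drop-name pattern {where}"))
    return findings


# Constructed .reg export in Regedit's own format (not taken from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Winkqrt"="C:\\WINDOWS\\SYSTEM\\winkqrt.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]
"Winkqrt"="C:\\WINDOWS\\SYSTEM\\winkqrt.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Machine Debug Manager"="C:\\WINDOWS\\SYSTEM\\MDM.EXE"
"""

if __name__ == "__main__":
    for finding in find_klez_autoruns(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Because the worm rewrites the Run value continuously, the useful order of operations is: take the export, identify the drop file from it, stop the process (boot to a clean environment if the task list has been hidden from you), and only then remove the registry values and the file.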

Then it reads your Microsoft Outlook address book to gather e-mail
addresses to spread itself to.
(It spreads itself with varying subjects.)
Anyway, I don't use Outlook, so good for my friends!

For some reason it also appends itself first to the RealPlayer
executable and then to the Microsoft Plus! Themes executable.
It also copies itself under various names into the %temp% directory,
and attaches itself to all running processes.
It creates a file of about 10 KB in C:\PROGRAM FILES under different
names when the computer starts up, but I couldn't find out what it
does.

It infects all executables with the Win32.Elkern.c virus.
I don't know much about this virus.
It also infects important executables, including ones named
"setup.exe", with itself, i.e. W32.Klez.H.
It also sees to it that the file sizes remain the same, by appending
characters.

It also scans your Temporary Internet Files and checks for usernames
and passwords. Some of the files it checked were:
C:\WIN98\TEMPOR~1\CONTENT.IE5\STQ7CLAZ\258256~1.HTM
C:\WIN98\TEMPOR~1\CONTENT.IE5\STQ7CLAZ\LOGIN~1.HTM
Both these files contained some login info. In fact, I don't remember
which one, but one of them was a cached Yahoo! Mail page that had
been stored earlier.

When you connect to the internet, it connects to SMTP servers in
order to spread itself. Bear in mind that your firewall and antivirus
have already been disabled. You might check the connections as soon
as you connect, or 5-10 seconds afterwards, but Klez is careful
enough to wait around a minute before it connects. My firewall was
disabled, and I was not running anything else to log data transfer.
I found this out when I later got internet access. The virus most
probably tried to mail itself to everyone in the MS Outlook address
book.
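
An added example, not from the original write-up, of what a connection log would show for the behaviour above: the Python below reads constructed personal-firewall style log lines and reports hosts that open outbound TCP/25 to several distinct servers (a workstation's mail client talks to one), together with the delay between each host's first connection and its first SMTP connection, which is the roughly one-minute wait described above. The log format, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed connection-log lines (personal-firewall style), not real traffic.
# 192.168.1.5 browses, then ~1 minute later fans out to five mail servers;
# 192.168.1.7 sends one message through the LAN mail server.
SAMPLE_LOG = """\
2002-08-22 22:40:11 TCP 192.168.1.5:1031 -> 192.168.1.1:53 ALLOW
2002-08-22 22:40:12 TCP 192.168.1.5:1032 -> 203.0.113.10:80 ALLOW
2002-08-22 22:41:09 TCP 192.168.1.5:1033 -> 198.51.100.25:25 ALLOW
2002-08-22 22:41:10 TCP 192.168.1.5:1034 -> 198.51.100.26:25 ALLOW
2002-08-22 22:41:10 TCP 192.168.1.5:1035 -> 203.0.113.40:25 ALLOW
2002-08-22 22:41:11 TCP 192.168.1.5:1036 -> 203.0.113.41:25 ALLOW
2002-08-22 22:41:12 TCP 192.168.1.5:1037 -> 192.0.2.50:25 ALLOW
2002-08-22 22:41:12 TCP 192.168.1.7:1040 -> 192.168.1.2:25 ALLOW
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def smtp_fanout(log: str, threshold: int = 3) -> dict:
    """Map src_ip -> sorted distinct SMTP servers for hosts that opened
    outbound TCP/25 to at least `threshold` distinct destinations."""
    dests = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m.group("dport") == "25":
            dests[m.group("src")].add(m.group("dst"))
    return {src: sorted(d) for src, d in dests.items() if len(d) >= threshold}


def first_smtp_delay(log: str) -> dict:
    """Seconds between a host's first logged connection and its first outbound TCP/25."""
    first_seen, first_smtp = {}, {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        src = m.group("src")
        first_seen.setdefault(src, ts)
        if m.group("dport") == "25":
            first_smtp.setdefault(src, ts)
    return {src: int((first_smtp[src] - first_seen[src]).total_seconds())
            for src in first_smtp}


if __name__ == "__main__":
    print("fan-out:", smtp_fanout(SAMPLE_LOG))
    print("delay to first SMTP (s):", first_smtp_delay(SAMPLE_LOG))
```

The fan-out count is the robust signal: a host that talks to many different mail servers directly is either a mail relay or a mass-mailer, and a workstation should be neither. The delay figure is only a corroborating detail for this worm, and the check has to run on a device the worm cannot disable, such as a border firewall or a separate logging host, since the infected machine's own firewall has already been killed.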

I discovered that it was the Klez.H virus by attaching it to a Yahoo
mail, scanning it with Norton, and then downloading the cleaner.

It's a pretty cool cleaner, but you are sure to lose some important
executables. It is named Kleztool; it scans the entire hard disk and
removes all traces of the worm. I got it by searching Google, from an
F-Secure antivirus site. I'm sorry, but I forgot the URL. The
filename is kleztool.zip.

====================================================================
DISCLAIMER

There is no guarantee of the accuracy of this text and it is subject
to change at any time. This text is meant only for educational
purposes. Following or reading this text is entirely at the choice
and risk of the user. I will not be responsible for any damages
caused by reading this, directly or indirectly, or by abuse or
misinterpretation of this paper.

====================================================================

klemster | klemster@weed5.org