Virus Klez
This destructive mass-mailing worm spreads via the Internet attached to infected e-mails.
Klez spreads over the local network and in e-mail messages, and creates a Windows EXE file with a random name in a system folder. The virus infects Win32 PE EXE files on all available computer disks.
The worm exploits an Internet Explorer security vulnerability to start automatically when an infected message is viewed. To propagate copies of itself, it sends an e-mail containing its executable program.
This worm creates a registry entry that allows it to run at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Wink*, "wink*.exe"
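A check for this startup entry, given as an added example that is not part of the original description: it parses saved `reg query` output for the Run key and reports values that fit the pattern above. It assumes that Wink* is the value name and wink*.exe is the file it points to; the sample entries and paths are constructed.

```python
import re
from fnmatch import fnmatchcase

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
NAME_PATTERN = "wink*"      # value name pattern from the description (assumed role)
FILE_PATTERN = "wink*.exe"  # file name pattern from the description (assumed role)
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

# Constructed sample of `reg query` output (not taken from a real system)
SAMPLE = "\n".join([
    "",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    SoundMan    REG_SZ    C:\WINDOWS\SOUNDMAN.EXE",
    r"    Winkqz    REG_SZ    C:\WINDOWS\SYSTEM\Winkqz.exe",
    r"    WinKey Helper    REG_SZ    C:\Tools\keyhelp.exe",
    "",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"    Winkab    REG_SZ    C:\Temp\winkab.exe",
])


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value line in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # a new key section begins
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def find_klez_run_entries(text):
    """Return (name, data) of Run values whose name and target file both fit."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() != RUN_KEY.lower():
            continue                    # only the Run key named in the description
        exe = EXE_NAME.search(data)     # first *.exe component, quotes/args ignored
        if (exe and fnmatchcase(name.lower(), NAME_PATTERN)
                and fnmatchcase(exe.group(1).lower(), FILE_PATTERN)):
            hits.append((name, data))
    return hits
```

A hit is a lead for further inspection of the referenced file, since unrelated software can also use a name beginning with "wink".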
It also terminates processes and deletes files associated with certain antivirus programs. It does not terminate AnVir Virus Destroyer.
Klez drops a randomly named file in C:\Program Files. This file is the Elkern virus. It infects executable files and EXPLORER.EXE in memory.
On Windows 98/Me systems, the worm registers itself as a service process to hide itself from the taskbar. On Windows 2000 systems, the worm registers itself as a service control dispatcher.
© Copyright 2000-2008 AnVir Software. All Rights Reserved.