About: Klez

An Entity of Type : dbkwik:resource/uazuHg3wEfJ5Uid5iYR3Jw==, within Data Space : dbkwik.org associated with source dataset(s)

Klez is one of the most destructive worms in history, having caused about $19.8 billion in damage. It is also notable for its ability to spoof email addresses in the sender line, as well as the ability to infect the receiver's computer from previewing or opening the message without downloading or executing the attachment. Klez spawned a significant number of variants, a few of which were more prevalent than the original.

Attributes   Values
rdf:type
rdfs:label
  • Klez
rdfs:comment
  • Klez is a member of the Techadroids.
  • Klez can arrive on a system through email or network shares. The worm uses fake email addresses for the "From" line (spoofing ability did not come until later variants), which may be one of the following: A Klez email may have one of twelve possible subject lines: The body contains the message: I am sorry to do so,but it's helpless to say sorry I want a good job,I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names,I have no hostility. Can you help me?
sameAs
dcterms:subject
Date
  • 2001-10-25(xsd:date)
Origin
  • Guangdong, China
Platform
  • Microsoft Windows
Name
  • Klez
Type
  • Worm
pl
filetype
  • .exe, .pif
AKA
  • Klez.D Klez.E Klez.H
Cost
  • 1.98E10
Creator
  • Unknown
abstract
  • Klez can arrive on a system through email or network shares. The worm uses fake email addresses for the "From" line (spoofing ability did not come until later variants), which may be one of the following:
      * king@21cn.com
      * flag@21cn.com
      * super@21cn.com
      * zhangcheng77@online.sh.cn
      * broused@online.sh.cn
      * lbhuangsy@21cn.com
      * kqlbaby@21cn.com
      * jiemin@citiz.net
      * feiyiming@citiz.net
      * lllwww@online.sh.cn
      * tomyjiang18@21cn.com
      * luxianchu@21cn.com
      * kqlbaby@21cn.com
      * lin_yuezhi@citiz.net
      * zhangcheng77@online.sh.cn
      * zbzwy@21cn.com
      * sarge2010@21cn.com

    A Klez email may have one of twelve possible subject lines:
      * How are you?
      * Can you help me?
      * We want peace
      * Where will you go?
      * Congratulations!!!
      * Don't cry
      * Look at the pretty
      * Some advice on your shortcoming
      * Free XXX Pictures
      * A free hot porn site
      * Why don't you reply to me?
      * How about have dinner with me together?
      * Never kiss a stranger

    The body contains the message: I am sorry to do so,but it's helpless to say sorry I want a good job,I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names,I have no hostility. Can you help me?

    Many email clients will be unable to view the message, and it is thought that it is intended for antivirus companies. The attachment's file name is a random string of characters with a .exe extension, and the attachment is 57,345 bytes long. A Klez email contains an incorrect MIME header, which means it may be able to run itself if the user is running an unpatched version of Outlook or Outlook Express.

    When Klez is executed, it must decrypt the information about email senders, subject lines and the email body. It copies itself to the system folder as Krnl32.exe. It adds the value krnl32 = System folder\krnl32.exe to the local machine registry key that ensures the worm will run upon starting the machine.

    Klez may deactivate on-access virus scanners. It will search active processes and give the "TerminateProcesses" command to processes with the following names:
      * _AVP32
      * _AVPCC
      * _AVPM
      * ALERTSVC
      * AMON
      * AVP32
      * AVPCC
      * AVPM
      * N32SCANW
      * NAVAPSVC
      * NAVAPW32
      * NAVLU32
      * NAVRUNR
      * NAVW32
      * NAVWNT
      * NOD32
      * NPSSVC
      * NRESQ32
      * NSCHED32
      * NSCHEDNT
      * NSPLUGIN
      * SCAN
      * SMSS

    It drops the Elkern.A virus, which infects all PE .exe files on all available drives and network shares. It looks for local, mapped, and network drives and copies itself to them with a double extension. The first extension is chosen at random (from .txt .htm .doc .jpg .bmp .xls .cpp .html .mpg and .mpeg) and the last extension is .exe (a typical Klez copy on one of these drives may look something like Xfile.doc.exe or Yprogam.txt.exe).

    Klez then searches through the Windows Address Book and collects email addresses. The worm has its own SMTP engine. It sends itself to all of these addresses as an attachment with a random file name. On the 13th day of every other month (January, March, May...) the worm will cause some files to become 0 bytes in length.