ViRobot/HAURI

I-Worm.Win32.Klez.H
Type
I-Worm
Risk level / Spread level
/
Discovery date
[Korea] 2002-04-17 [Foreign] 2002-04-17
ViRobot support
2002-04-18.00 [Able to detect & repair]
[How it spreads]

I-Worm.Win32.Klez.H spreads via email and via shared folders to which it has read or write access.
It exploits a vulnerability in Outlook and Outlook Express; to prevent this, download the patches from Microsoft.

When spreading via email, it sends messages using its own SMTP engine. Recipient addresses are taken from the Windows Address Book.

The worm uses one of the following email subjects:

how are you
lets be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls vocal concert
japanese lass sexy pictures
Undelivarable mail-"Random word"
Returned mail-"Random word"
a [**] game
a [**] tool
a [**] website
a [**] patch
[**] removal tools


where ** can be any of the following:

new, funny, nice, humour, excite, powful, WinXP, IE 6.0, W32.Elkern, W32.Klez.E, Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky


Upon execution, it drops "WINK*.EXE" and modifies the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Wink**** = wink****.exe (**** are random characters)



[Payloads]

It terminates the following anti-virus processes and may delete programs or files associated with the following strings:

_AVP32
_AVPCC
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NAV
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVWNT
ANTIVIR
AVPUPD
AVGCTRL
AVWIN95
SCAN32
VSHWIN32
F-STOPW
F-PROT95
ACKWIN32
VETTRAY
VET95
SWEEP95
PCCWIN98
IOMON98
AVPTC
AVE32
AVCONSOL
FP-WIN
DVP95
F-AGNT95
CLAW95
NVC95
SCAN
VIRUS
LOCKDOWN2000
Norton
Mcafee
Antivir
TASKMGR


It also scans the following registry key and deletes any value whose data contains one of the above strings:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It deletes the following anti-virus related files:

ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT


The worm also spreads via shared folders with read/write access.
It drops copies of itself with one of the following extensions:

EXE
PIF
COM
BAT
SCR
RAR


If the dropped copy has a double extension, the first extension will be one of the following:

MP8
EXE
SCR
PIF
BAT
TXT
HTM
HTML
WAB
DOC
XLS
CPP
C
PAS
MPQ
MPEG
BAK
MP3


Update to the virus definitions of 18 April 2002 or later.

Delete, without opening, any email whose subject is one of the following:

how are you
lets be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls vocal concert
japanese lass sexy pictures
Undelivarable mail-"Random word"
Returned mail-"Random word"
a [**] game
a [**] tool
a [**] website
a [**] patch
[**] removal tools


where ** can be any of the following:

new, funny, nice, humour, excite, powful, WinXP, IE 6.0, W32.Elkern, W32.Klez.E, Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky


[Manual removal]

1. Delete the virus file in the Windows System folder.

** System folder in Windows **
- For Windows 95/98/ME : C:\Windows\System
- For Windows NT/2000 : C:\Winnt\System32
- For Windows XP : C:\Windows\System32

2. Delete the value in the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value : wink*** (*** are random characters)

3. Delete and do not open any suspicious emails.
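The subject list, the double-extension drop names and the Wink**** Run-key entry described in the sections above can be turned into simple mail-gateway and host checks. The following Python is an added example, not HAURI's code: the constants repeat the indicators from this page, while the alphanumeric random-character pattern and the SAMPLE_RUN snapshot are assumptions labelled in the code.

```python
"""Detection helpers for the Klez.H indicators listed above (added example, not HAURI code)."""
import re

FIXED_SUBJECTS = (
    "how are you", "lets be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl VS playboy", "look,my beautiful girl friend", "eager to see you",
    "spice girls vocal concert", "japanese lass sexy pictures",
)
# 'Undelivarable mail-"Random word"' and 'Returned mail-"Random word"': match on the prefix.
PREFIX_SUBJECTS = ("undelivarable mail-", "returned mail-")
TEMPLATES = ("a {} game", "a {} tool", "a {} website", "a {} patch", "{} removal tools")
WORDS = ("new", "funny", "nice", "humour", "excite", "powful", "WinXP", "IE 6.0",
         "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee", "F-Secure", "Sophos",
         "Trendmicro", "Kaspersky")
# Extensions of the dropped copy, and first extensions used in double-extension names.
DROP_EXTS = {"exe", "pif", "com", "bat", "scr", "rar"}
FIRST_EXTS = {"mp8", "exe", "scr", "pif", "bat", "txt", "htm", "html", "wab", "doc",
              "xls", "cpp", "c", "pas", "mpq", "mpeg", "bak", "mp3"}
# Persistence entry Wink**** = wink****.exe; assumes the random characters are alphanumeric.
RUN_NAME = re.compile(r"^wink[a-z0-9]+$", re.IGNORECASE)
RUN_DATA = re.compile(r"(?:^|[\\/])wink[a-z0-9]+\.exe$", re.IGNORECASE)
# Constructed sample snapshot of the Run key (not from the page) for the demo at the bottom.
SAMPLE_RUN = {"WinkQ7z2": r"C:\Windows\System\winkQ7z2.exe", "Explorer": "explorer.exe"}


def all_subjects():
    """Expand the [**] templates into the full lower-cased set of worm subjects."""
    expanded = {t.format(w).lower() for t in TEMPLATES for w in WORDS}
    return expanded | {s.lower() for s in FIXED_SUBJECTS}

def subject_matches(subject):
    """True if a mail subject is one the worm is known to use (case-insensitive)."""
    s = subject.strip().lower()
    return s in all_subjects() or s.startswith(PREFIX_SUBJECTS)

def double_extension_drop(filename):
    """True for names such as 'notes.doc.scr' that follow the worm's drop pattern."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in FIRST_EXTS and parts[2] in DROP_EXTS

def suspicious_run_entries(run_values):
    """Names of Run values that look like the worm's Wink**** persistence entry."""
    return sorted(n for n, d in run_values.items() if RUN_NAME.match(n) and RUN_DATA.search(d))

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN))  # ['WinkQ7z2']
```

A real check would feed `suspicious_run_entries` the names and data read from the Run key on the host, and `subject_matches` / `double_extension_drop` the subject and attachment names seen at the mail gateway.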


[Obtain patches from Microsoft]

* Outlook Express
* Outlook 2000
* Outlook 2002 (Office XP)