An E-mail Thread About: Klez

SUMMARY Immense human and economic resources will be diverted / devoted to defending and recovering from this sustained, periodic, unpredictable series of multi-pronged, asymmetric attacks on the Western Hemisphere.


Dear Team, On my win 98 system, Norton AV (updated 3 April 02 before running it to find klez) did not find the virus. I downloaded fprot v 3.12 and found the virus -- W32/Klez - Klez.E@mm. F-prot cleaning consisted of deleting both the email AND the email subfolder in which I kept it.


W32/Klez - Klez.E@mm Virus Brief


This is a variant in the Klez worm family, which has also been expanded with basic file-infecting capabilities. It carries with it a file infecting virus, W32/Elkern.B.

Spreading mechanism

When the worm is first executed, it copies itself to the Windows System directory using a semi-random name WINK????.EXE and creates a registry key to point to itself so it is loaded during startup. At this time it also writes a file called WQK.EXE (on Win98) or WQK.DLL (on Windows 2000) to the Windows System directory. This file is another file-infecting virus, W32/Elkern.B.

The worm attempts to send itself to addresses picked from the Windows Address Book and other sources. The email subject and body texts are composed out of a number of strings and are variable. The attachment file name is also semi-random; the extension is either PIF, EXE, SCR or BAT.


After detecting and cleaning the klez virus with fprot 3.12, I did a c:/ file and text search and found wqk.*, wink*.* and Elkern.B matches in my c:/windows/user.dat file. The user.dat file at that moment showed as 689 kb in size.

Matched character sequences follow: gwqk.*f iwink*.* jelkern.b&

I tried to cut and paste the user.dat file text, even a segment of it containing just the subject characters, but this action failed (the file doesn't allow it). So I snagged a screen capture of the line in which they appear in very close proximity to one another; see attached image: userdat.jpg

Interestingly, there's also a file name there that I can't find reference to anywhere on the web, namely vbadden.ini, hvbadden, or any variant. I don't know if it's related to klez.

Generally, there is no common way either to delete and re-make the user.dat file, or even to erase or alter its contents.


After detecting and cleaning the klez virus with fprot 3.12, I did a c:/ FILE and TEXT / CHARACTER search for the following klez core patterns:

[ wqk.* ]
[ wink*.* ]
[ Elkern.B ]
[ .txt.exe . ]

No FILES were matched. But the c:/windows/user.dat file contained TEXT / CHARACTER strings which matched klez core patterns:


You can compare these strings to the klez core patterns shown in brackets above in the form [ core pattern ].

Those strings were located in close quarters to each other (in the same two lines) in the user.dat file. Between two of the klez-pattern strings I also found another suspect string:


I did a full scale web search on this string (hvbadden) and came up with absolutely NO RETURNS, which is highly unusual.

Of course, none of the above addresses any potential for exploded or morphed RESIDUAL FILES or character strings which may still be floating around in my system.



I can't speak on McAfee. But the Symantec/Norton AV web site has an exhaustive description of the subject klez virus (w32/klez.e@mm), yet their most recent AV ware, including a live update just prior to running it against klez, didn't even find it, much less clean it.

As I researched a bit, this didn't surprise me. Read the following excerpt from the Symantec (no less) site:

When the worm is executed, it copies itself to %System%\Wink[random characters].exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

Wink[random characters] %System%\Wink[random characters].exe

to the registry key


or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:


So the reason Norton didn't find klez is because klez *told* Norton not to find it. AND if I'm reading it correctly, klez may also have blown away Norton's ability to recognize other viruses as well. AND if there are active residual effective klez files still on my system, reinstalling Norton AV might not do anything to change that - klez may still be actively defeating some AV software. Put that in yer pipe and smoke it.

What's more, though the Norton site shows they know about this, they clearly haven't produced any defense for it. You may also put that in yer pipe and suck on it.
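As an added defender-side example (not code from the thread, from F-Prot or from Symantec), the following Python triage script checks a %System% directory listing and a text registry export for the drop names and the Services\Wink persistence key quoted in the virus brief and the Symantec excerpt above. The directory listing, the .reg fragment and the value name ImagePath are constructed sample input, not data from a real infection.

```python
import re
from fnmatch import fnmatchcase

# Indicators quoted in the thread's F-Prot and Symantec excerpts:
#   %System%\WINK????.EXE                 semi-random copy of the worm itself
#   %System%\WQK.EXE or WQK.DLL           dropped W32/Elkern.B file infector
#   HKLM\System\CurrentControlSet\Services\Wink[random]   startup persistence
# The F-Prot form uses exactly four wildcard characters; Symantec only says
# "random characters", so an analyst may widen WINK????.EXE to WINK*.EXE.
FILE_PATTERNS = ("WINK????.EXE", "WQK.EXE", "WQK.DLL")
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\(Wink[^\\\]]*)\]",
    re.IGNORECASE | re.MULTILINE,
)


def suspicious_files(names):
    """Map each directory entry that matches a Klez/Elkern drop name to the
    pattern it matched. Matching is case-insensitive because FAT listings
    may show names in either case."""
    hits = {}
    for name in names:
        upper = name.upper()
        for pattern in FILE_PATTERNS:
            if fnmatchcase(upper, pattern):
                hits[name] = pattern
                break
    return hits


def suspicious_service_keys(reg_export):
    """Return the names of Wink* service keys found in a text (.reg) export
    of HKLM\\System, the persistence location the Symantec excerpt describes."""
    return SERVICE_KEY_RE.findall(reg_export)


# Constructed sample input: a listing of %System% and a registry export fragment.
SAMPLE_DIR = ["KERNEL32.DLL", "WINKABCD.EXE", "wqk.dll", "WINKME.EXE", "winsock.dll"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkabcd]
"ImagePath"="C:\\WINNT\\System32\\WINKABCD.EXE"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock]
"""

if __name__ == "__main__":
    # WINKME.EXE is not reported: it has two, not four, characters after WINK.
    print("files:", suspicious_files(SAMPLE_DIR))
    print("service keys:", suspicious_service_keys(SAMPLE_REG))
```

Because the thread reports that the worm disables on-access scanners, a listing like this taken from a clean boot disk is a useful cross-check when the installed AV product reports nothing.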


Using fprot 3.12, which found klez, I also opted to clean it with that fprot 3.12 option. Fprot 3.12 cleans, at least in part, by deleting not only the file containing the virus, but also THE FOLDER IN WHICH IT IS FOUND. In this case, it found the original virus in my email subfolder, where I was storing the klez-infected email. So, it erased the subfolder (in this case MEMBRANE), but it didn't erase all my incoming or sent or trash emails.

For this reason, I became euphoric over my own anal retentive practice of maintaining as finite and as many email subfolders as possible. If I had not done this, the "broad brush stroke" (folder) deletion would have deleted my entire Inbox... and I would have been... upset. I strongly recommend this practice, if you aren't already doing it.


For the above reasons, and many others, I've been cogitating on the capabilities and threat-levels posed by klez as follows:

klez does NOT only harvest addresses and then engage multi-system remailings with variable email subject headers and content/bodies. It also defeats anti-virus software, leaving all engaged systems not only infected, but highly vulnerable to subsequent virus launches. This is suspiciously conspicuous timing considering the currently immense spate of spam mailings being experienced worldwide. Specifically, this scenario bears all the earmarks of a globally organized, low intensity, low profile attack. It also comes at a propitious moment in the wake of 911 retaliations... suggesting where I think it may be originating.

For example, I trace a US mortgage refinance spam to French and Turkish root hostmasters. Others were traced to China (PRC) and Malaysia. If you don't know the history, culture or current events ties these countries have to Allah's Tangos, you may want to consider taking my word for it for present purposes.


Many mid east nations and tango groups have been actively involved in planning western attacks, most recently in the case of the OKC fed bldg. bombing, the WTC bombing, AMEMB bombings in Africa, and the more recent 911 attacks. These attacks are KNOWN to have been on their collective plate for more than a DECADE.

Less than 18 months ago, Aum Shinrikyo (nka Aleph), the Japanese Red Army, some Al Qaeda tangos, and many others, were cross training together in the Bekaa Valley in Lebanon under the tutelage (in part) of an ex-colonel from the Spetzies Vega/Vympel unit. The latter is very simply one of the nastiest broad spectrum infrastructure (roads, bridges, communications systems, power and water supplies) destructionist groups on the planet.

You may want to keep in mind that Aum is the funny little group which sarin-gassed the Tokyo subway a few years back. But what most people do NOT know about Aum is that their true forte is computers. Software, hardware, consulting (to business, government, military and university clients). For example, their software is known to have been buried in a law enforcement system in Japan, where it was harvesting the license plate numbers and car descriptions for vehicles which were being used in surveillance on them... even before the sarin gas incident. No one really knows where all the Aum software is functioning, because they open and close computer consulting businesses so often it's impossible to keep track of all of them. And Aum has, for a decade, recruited their members from the TOP COLLEGES and universities in Japan and RUSSIA. In addition, after the sarin gas incident, Aum was found to have a RUSSIAN ASSAULT HELICOPTER at one of their compounds, along with a couple thousand gas masks bought through a Long Island NY outfit.

Let me do this with Gumby and Pokey simplicity for you: This is very bad juju - mixing the skills of computer experts, with bio and WMD weapons expertise and experience, with improvised explosive and weapons expertise, and banking/money-moving experience, with infrastructure disruption and destruction expertise... and then made profoundly dangerous through transnational alliances with a collectively global cooperative reach... GET IT?


Okay, okay - so here's where I think it stands.

I think klez is a small wart on the ass of a current global asymmetric attack on us infidels. I think it's a direct escalation based on our collective response to 911. And I think it's just beginning.

I think you can look for the following in periodic, unpredictable fusillades to increase in frequency, type, effect and scope:

Broad scale virus and DoS attacks on systems and ISPs
Suicide attacks including bombings, shootings and bio incidents
Economic espionage and economic blackmailing
Drug and weapons trafficking

These things will disrupt e-communications, increase consumer prices, increase taxes, dampen the public psyche, and divert govt. attention from their primary tasks of public service.

What will suffer?

Your peace of mind
Sweeping social intolerance and extremism
Sweeping arch conservatism in governmental action
School budgets (even more than present)
Public services by governmental units

But that's just my opinion - I could be wrong.


2002 by Doc for the Help Desk
This article may not be redistributed without our permission.