The subject lines and message bodies, for instance, have been expanded and made even more random than previous versions, Sharon Ruckman, director of Symantec's security response team, said to InfoWorld. The virus also seems to have been designed to stop or disable a greater range of antivirus tools than older versions. In addition, the Elkern virus it carries has been modified to do more damage.
Some of the active applications it tries to find are:
_AVP32, _AVPCC, _AVPM, ALERTSVC, AMON, AVP32, AVPCC, AVPM, N32SCANW, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NOD32, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, SCAN, SMSS
Worm can also be detected by a registry key it creates to start itself:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Krn132 = %System%\Krn132.exe
The worm searches several registry keys for links to applications and then it tries to infect them.
These are some of the sentences that it ads to message bodies of infected e-mails.
- I'm sorry to do so,but it's helpless to say sory.
- I want a good job,I must support my parents.
- Now you have seen my technical capabilities.
- How much my year-salary now? NO more than $5,500.
- What do you think of this fact?
- Don't call my names,I have no hostility.
- Can you help me?
- InfoWorld: New variant of Klez worm detected
- News.com: New Klez worm squirms across Internet
- Kaspersky Labs: I-Worm.Klez.a-h (Klez Family)
- Sophos: Sophos users already protected against Klez.H
- McAfee: W32/Klez.h@MM Removal Instructions