| Property | Value |
|---|---|
| Place of Origin | China |
| File Type(s) | .exe, .dll, .scr |
| Infection Length | 3,326 bytes |
Elkern is a virus that was often spread with the Klez worm. In a few ways, it behaves like the CIH virus. The virus is also encrypted and polymorphic.
When a file infected with Elkern is executed, the virus copies itself into memory, reassembling its body from the separate locations in the file where its pieces are stored, and then decrypts itself. Elkern looks up the addresses of 27 API functions in KERNEL32.DLL. It checks for the API function IsDebuggerPresent using a hard-coded API address that is only valid under Windows 98, so on any other Windows version the virus crashes or misbehaves. It copies the host file to the system folder under the name wqk.exe; on NT-based versions it tries to copy itself as wqk.dll instead, and it sometimes works under Windows 2000.
Elkern creates its own entry under the local machine Run key in the registry so that the virus starts with the system. It stays resident in memory and looks for files to infect, including files on other computers reachable over the same network. Like CIH, it searches the host file for cavities (unused gaps) in which to place its code, which reduces the likelihood that the file's size will change; any virus code that does not fit in the cavities is appended to the end of the file, so the file does grow when there is not enough cavity space. Some sections of the virus body are encrypted.
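As an added illustration (not code from the page or its sources), a defender-side check for the cavity technique just described: parse the PE section table and flag sections whose file padding beyond VirtualSize holds non-zero bytes, which is where a cavity infector's code would sit. The stub PE and the 32 foreign bytes in its .text cavity are constructed sample data, and the threshold of 16 is an arbitrary assumption.

```python
import struct

SECTION_HEADER_SIZE = 40

def parse_sections(pe: bytes):
    """Yield (name, virtual_size, raw_size, raw_pointer) for each PE section header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, vsize, rsize, rptr

def cavity_report(pe: bytes):
    """Per section: file bytes lying past VirtualSize (the cavity a cavity
    infector can reuse) and how many of those bytes are non-zero."""
    report = []
    for name, vsize, rsize, rptr in parse_sections(pe):
        slack = max(rsize - vsize, 0)          # bss-style sections (vsize > rsize) have no file slack
        tail = pe[rptr + vsize:rptr + rsize] if slack else b""
        report.append({"section": name, "slack": slack,
                       "nonzero": sum(1 for b in tail if b)})
    return report

def suspicious_sections(pe: bytes, threshold: int = 16):
    """Names of sections whose padding holds more than `threshold` non-zero bytes (threshold is an assumption)."""
    return [r["section"] for r in cavity_report(pe) if r["nonzero"] > threshold]

def make_stub_pe() -> bytes:
    """Constructed sample: DOS stub, COFF header and two section headers with no
    optional header, so it parses but is not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)   # i386, 2 sections, optional header size 0

    def section(name, vsize, vaddr, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0)

    hdr = dos + coff + section(b".text", 0x100, 0x1000, 0x200, 0x200) + section(b".data", 0x200, 0x2000, 0x200, 0x400)
    img = bytearray(hdr.ljust(0x600, b"\0"))
    img[0x200:0x300] = b"\x90" * 0x100      # .text's real content (256 bytes)
    img[0x300:0x320] = b"\xCC" * 0x20       # constructed: 32 foreign bytes in .text's 256-byte cavity
    img[0x400:0x600] = b"\x41" * 0x200      # .data is fully used, so it has no cavity
    return bytes(img)

if __name__ == "__main__":
    for row in cavity_report(make_stub_pe()):
        print(row)
    print("suspicious:", suspicious_sections(make_stub_pe()))
```

Linkers occasionally leave non-zero bytes in section padding, so treat a hit as a triage signal to compare against a known-good copy of the file, not as a verdict.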
The virus has a payload that activates on the 13th of March and September. There is a small chance the payload will be activated any time an infected file is executed. It destroys files on all mapped and locally connected drives.
Some new variants were dropped by later variants of Klez. Klez.E dropped Elkern.B. These variants were not too different from the original. The main difference was simply the virus's size. Elkern.B contained a bug also found in the original that causes it to crash under some systems. Elkern.C, which came with Klez.H, fixes this bug. It also copies itself to the Program Files folder under a random name.
Elkern may be the work of the same coder or coders as Klez. While it is possible for a worm to become infected with a virus and carry it along in all subsequent versions, the consistent pairing of Klez variants with Elkern variants makes the combination look intentional. It likely originates from China, around Guangdong.
As Elkern was dropped by Klez, it was present almost everywhere the worm was. It is possible that some of the damage attributed to Klez was actually the work of Elkern, with Klez getting the credit because its email spreading capability made it more prominent. Klez had no destructive payload, but Elkern did.