Win32.Elkern.A

( N/A )
Spreading: low
Damage: very low
Size: N/A
Discovered: 2000 Jan 01

SYMPTOMS:

None







TECHNICAL DESCRIPTION:

This virus is a file infector that spreads with the help of Win32.Klez.A@mm, which carries it as part of the worm. It runs on the Windows 98 and ME platforms.

When executed, the virus copies the host to the Windows system directory under the name wqk (extension .exe or .dll) and writes the following key in the registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wqk]

using as value the path to the copied file, allowing it to be reactivated every time Windows is started. The virus remains active, hiding from the application list, and searching for files to infect.
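A check for the persistence entry described above, run over a REGEDIT4-format registry export. This is an added example, not BitDefender's code; the sample export is constructed, and reading the entry as a value named Wqk under the Run key is an assumption.

```python
import ntpath
import re

# Names taken from the description above; matching is case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_NAME = "wqk"
DROPPED_NAMES = {"wqk.exe", "wqk.dll"}

# Constructed sample of a REGEDIT4 export (not from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Wqk"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\Software\Example]
"Wqk"="unrelated value outside the Run key"
'''

# "name"="data" lines; backslash escapes are allowed inside both strings.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)


def find_elkern_run_entries(export_text):
    """Return (name, data) pairs under HKLM Run that match the description."""
    findings, in_run_key = [], False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        match = VALUE_RE.match(line) if in_run_key else None
        if match is None:
            continue
        name, data = unescape(match.group(1)), unescape(match.group(2))
        target = ntpath.basename(data).lower()
        if name.lower() == VALUE_NAME or target in DROPPED_NAMES:
            findings.append((name, data))
    return findings


if __name__ == "__main__":
    for name, data in find_elkern_run_entries(SAMPLE_EXPORT):
        print(f"suspicious Run entry: {name} -> {data}")
```

The check flags an entry either by its value name or by the file name it points to, so a renamed entry that still launches wqk.exe or wqk.dll is reported as well.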

File infection is accomplished by searching for cavities in the host file, to avoid increasing the file size; if this cannot be done, the last section of the executable is extended to include the virus body. At the same time, the virus is capable of infecting the local network.

The spreading potential of the virus is increased because the virus is also transmitted by the Win32.Klez.A@mm worm, which is a mass-mailer and network infector.

To make detection more difficult, the virus keeps some layers of its body in encrypted form and does not include the names of the system functions it uses; it stores only a checksum associated with each name. To use one of these functions, it calculates a checksum for each system function name, and when a checksum matches one in its list, it retrieves that function's address and uses it.

Removal instructions:

The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender AntiElkern.exe tool does the following:
  • it detects all the known Elkern versions;
  • it disinfects the files detected as Win32.Elkern.A (A,B,C,D,E,G,H);
  • it kills the process from memory;
  • it repairs the Windows registry.

You may also need to restore the affected files.

To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.

To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

    ANALYZED BY:

    Costin Ionescu BitDefender Virus Researcher

    © 2010 BitDefender
