
win_klez comparison

win_klez

So for this entry I'm doing something slightly different. I am going to compare two files which I think are variants of the same malware and post the results.

Another interesting thing to look at is the function graph comparison:

Klez_file_1: [function graph image]

Klez_file_2: [function graph image]

As you can see there is almost no difference visible. I conclude that these are two variants of the same malware.

a/v: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.a@mm.html

md5sum: 7cd593c06be52b070817ed66f898425c  W32.Klez-G
md5sum: a8f90273ebb4168f5affc678aa90909a  W32.Klez.gen@MM
sha1sum: 33aa5372dbab152537df1e7b8d858d230476a25f  W32.Klez-G
sha1sum: 332ea7ae7d07bb3e760598c76994d5f2e9e13af5  W32.Klez.gen@MM
info: Dec 19 19:24 W32.Klez-G
info: Dec 19 19:24 W32.Klez.gen@MM

bdiffm:
01  W32.Klez-G                                          0x0001752c  0xb7f4d000
02  W32.Klez.gen@MM                                     0x00015c3a  0xb7f32000

Comparing 2 files.

    |    01    02
----+------------
 01 |  100%   83%
 02 |        100%


packerscan: 

Scanning -> C:\malware\klez\W32.Klez.gen@MM.exe
File Type : Exe, Size : 89146 (015C3Ah) Bytes
-> File has 7210 (01C2Ah) bytes of appended data starting at offset 014010h
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.938 Seconds

Scanning -> C:\malware\klez\W32.Klez-G.exe
File Type : Exe, Size : 95532 (01752Ch) Bytes
-> File has 13596 (0351Ch) bytes of appended data starting at offset 014010h
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.953 Seconds


bindiff:

Unmatched functions:

  4030d4   6   9   7 sub_4030D4 
  40317d   6   9   7 sub_40317D 
  404138   3   2   3 sub_404138 
  404180   3   2   3 sub_404180 


So there are very few unmatched functions between these two files.
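The packerscan output above shows both samples' PE sections ending at the same offset (014010h), so the 6386-byte size difference between W32.Klez-G and W32.Klez.gen@MM is entirely appended (overlay) data. The following is an added example, not code from the original post or from the bdiffm/packerscan/bindiff tools, that reproduces that check: it hashes two buffers, locates the overlay by walking the PE section table, and computes a crude window-based similarity (an assumption standing in for bdiffm's undocumented percentage). The two inputs are constructed minimal PE files, not the Klez samples.

```python
import hashlib
import struct

def pe_overlay(data: bytes):
    """Return (offset, size) of data appended past the last PE section,
    which is what packerscan reports as "appended data"."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sect = pe_off + 24 + opt_size            # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))                # truncated file: no overlay
    return end, len(data) - end

def chunk_similarity(a: bytes, b: bytes, n: int = 8) -> float:
    """Jaccard similarity of the sets of n-byte windows. Assumption: a crude
    stand-in for bdiffm's percentage, not its actual algorithm."""
    wa = {a[i:i + n] for i in range(len(a) - n + 1)}
    wb = {b[i:i + n] for i in range(len(b) - n + 1)}
    return len(wa & wb) / len(wa | wb) if wa or wb else 1.0

def compare(a: bytes, b: bytes) -> dict:
    """md5, overlay (offset, size) and similarity for two samples."""
    return {"md5": (hashlib.md5(a).hexdigest(), hashlib.md5(b).hexdigest()),
            "overlay": (pe_overlay(a), pe_overlay(b)),
            "similarity": chunk_similarity(a, b)}

def build_sample(overlay: bytes) -> bytes:
    """Constructed minimal PE: one section ending at 0x300, then `overlay`."""
    buf = bytearray(0x300)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x46, 1)               # NumberOfSections
    struct.pack_into("<H", buf, 0x54, 0)               # SizeOfOptionalHeader (omitted)
    buf[0x58:0x60] = b".text\0\0\0"
    struct.pack_into("<II", buf, 0x58 + 16, 0x100, 0x200)  # SizeOfRawData, PointerToRawData
    buf[0x200:0x300] = bytes(range(256))
    return bytes(buf) + overlay

if __name__ == "__main__":
    # Same section end, different overlay size, like the two Klez samples above.
    print(compare(build_sample(b"A" * 0x20), build_sample(b"B" * 0x40)))
```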



The attached files are more than just similar, they are the same

I think that you accidentally attached the same file to this post, twice. This is the attached one:
7cd593c06be52b070817ed66f898425c win_klez_2.exe

I don't really have anything else to say about this yet that the Symantec page didn't already say. ClamAV says that it's "Worm.Klez.H".

--
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*