GCIH · Question #264
The Klez worm is a mass-mailing worm that exploits a vulnerability to open an executable attachment even in Microsoft Outlook's preview pane. The Klez worm gathers email addresses from the entries of
The correct answer is C. HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "file and. The Klez worm specifically targets the Windows Address Book (WAB) registry key to harvest email addresses for mass-mailing. The registry path for the WAB file location is the key indicator of this worm's presence.
Question
The Klez worm is a mass-mailing worm that exploits a vulnerability to open an executable attachment even in Microsoft Outlook's preview pane. The Klez worm gathers email addresses from the entries of the default Windows Address Book (WAB). Which of the following registry values can be used to identify this worm?
Options
- AHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- BHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- CHKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "file and
- DHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
How the community answered
(31 responses)- A3% (1)
- B6% (2)
- C90% (28)
Why each option
The Klez worm specifically targets the Windows Address Book (WAB) registry key to harvest email addresses for mass-mailing. The registry path for the WAB file location is the key indicator of this worm's presence.
HKEY_LOCAL_MACHINE\...\RunServices is used to configure services that start automatically and is not specific to Klez or WAB harvesting.
HKEY_LOCAL_MACHINE\...\Run is a common persistence mechanism used by many malware families but does not uniquely identify Klez or its WAB harvesting activity.
The Klez worm reads email addresses from the Windows Address Book (WAB) and stores or references the WAB file path under HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name. This registry key directly corresponds to the worm's documented behavior of harvesting addresses from the default WAB to propagate via mass-mailing. Forensically, the presence or modification of this key is a distinctive indicator of Klez infection.
HKEY_CURRENT_USER\...\Run is a user-level autorun key used for persistence by many programs and malware, but it does not identify the WAB-harvesting behavior that distinguishes Klez.
Concept tested: Klez worm registry-based WAB email harvesting indicator
Source: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Win32%2FKlez
Topics
Community Discussion
No community discussion yet for this question.