Ask the Expert

The ability of W32.Elkern.4926 to pass through Admin shares in Windows

Can the W32.Elkern.4926 virus pass through Administrative shares in a Windows environment?

    Requires Free Membership to View

All W95/Elkern variants were renamed to W32/Elkern. A new variant was recently discovered (W32/Elkern.cav.c), which is dropped by a new W32/Klez variant, W32/Klez.h. W32/Elkern.cav.c detection and removal will be included in the 4198 DATs ( Current DATs often detect these samples as W32/NGVCK.a or New Win32 with program heuristics.

This virus is network-aware and can spread through a local network. It also contains a payload to overwrite files with zeros while maintaining the original file size. This can result in critical files being overwritten and thus an inability to load the operating system after infection occurs.

The virus can and does infect its own carrier -- W32/Klez@MM worm. That is why files specific to both W32/Klez@MM and for W32/Elkern.cav are likely to coexist on the same computer. If you suspect W32/Elkern.cav virus on your computer, you are strongly advised to read a description of W32/Klez@MM.

Aliases: Elkern (F-Secure), W32.ElKern.3326 (NAV), W32/Elkern.cav.c, W95/Elkern

So, can this bypass the Admin share? Most likely. Does it do it as part of the infection? That is not evident. Can it infect the Admin Share? Yes.

For more information on this topic, visit these other resources:
Featured Topic: Klez cleanup
News & Analysis: Old viruses never really go away
Featured Topic: Your favorite virus tips

This was first published in June 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: