All W95/Elkern variants were renamed to W32/Elkern. A new variant was recently discovered (W32/Elkern.cav.c), which is dropped by a new W32/Klez variant, W32/Klez.h. W32/Elkern.cav.c detection and removal will be included in the 4198 DATs (www.mcafee.com). Current DATs often detect these samples as W32/NGVCK.a or New Win32 with program heuristics.
This virus is network-aware and can spread through a local network. It also contains a payload to overwrite files with zeros while maintaining the original file size. This can result in critical files being overwritten and thus an inability to load the operating system after infection occurs.
The virus can and does infect its own carrier, the W32/Klez@MM worm. That is why files specific to both W32/Klez@MM and W32/Elkern.cav are likely to coexist on the same computer. If you suspect the W32/Elkern.cav virus is on your computer, you are strongly advised to read a description of W32/Klez@MM.
Aliases: Elkern (F-Secure), W32.ElKern.3326 (NAV), W32/Elkern.cav.c, W95/Elkern
So, can this bypass the Admin share? Most likely. Does it do it as part of the infection? That is not evident. Can it infect the Admin Share? Yes.
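The zero-overwrite payload described above leaves files at their original size with no content, which is something a triage sweep can look for. The following is an added example, not part of the original article or any vendor tool; the function names and sample files are constructed for illustration, and a hit is only a lead, since some legitimate files are zero-filled.

```python
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large files are never loaded whole


def is_zero_filled(path):
    """True if the file is non-empty and every byte is 0x00."""
    if os.path.getsize(path) == 0:
        return False  # the payload keeps the original size, so skip empty files
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True  # reached EOF without seeing a non-zero byte
            if chunk.count(0) != len(chunk):
                return False


def find_zero_filled(root):
    """Walk root and return the sorted paths of zero-filled regular files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.islink(path) and is_zero_filled(path):
                    hits.append(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: an intact file, a zeroed file, an empty file."""
    with open(os.path.join(root, "intact.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 510)  # mostly zeros, but not all
    zeroed = os.path.join(root, "zeroed.exe")
    with open(zeroed, "wb") as fh:
        fh.write(b"\x00" * 4096)  # size preserved, content gone
    open(os.path.join(root, "empty.log"), "wb").close()
    return zeroed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed samples only
        build_sample_tree(root)
        print(find_zero_filled(root))
```

Pointing `find_zero_filled` at a system or application directory lists the files to restore from backup or reinstall after the virus itself has been removed.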
This was first published in June 2002