
The ability of W32.Elkern.4926 to pass through Admin shares in Windows

Can the W32.Elkern.4926 virus pass through Administrative shares in a Windows environment?

All W95/Elkern variants were renamed to W32/Elkern. A new variant was recently discovered (W32/Elkern.cav.c), which is dropped by a new W32/Klez variant, W32/Klez.h. W32/Elkern.cav.c detection and removal will be included in the 4198 DATs (www.mcafee.com). Current DATs often detect these samples as W32/NGVCK.a or New Win32 with program heuristics.

This virus is network-aware and can spread through a local network. It also contains a payload to overwrite files with zeros while maintaining the original file size. This can result in critical files being overwritten and thus an inability to load the operating system after infection occurs.

The virus can and does infect its own carrier -- the W32/Klez@MM worm. That is why files specific to both W32/Klez@MM and W32/Elkern.cav are likely to coexist on the same computer. If you suspect the W32/Elkern.cav virus is on your computer, you are strongly advised to read a description of W32/Klez@MM.

Aliases: Elkern (F-Secure), W32.ElKern.3326 (NAV), W32/Elkern.cav.c, W95/Elkern

So, can this bypass the Admin share? Most likely. Does it do it as part of the infection? That is not evident. Can it infect the Admin Share? Yes.
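The payload described above leaves a recognizable trace: files that keep their original size but contain only zero bytes. The following damage-triage sweep is an added example, not part of the original answer or any vendor tool; the function names and the sample files are constructed for illustration. Zero-filled files can also be legitimate (preallocated or sparse files), so hits are candidates to compare against backups, not proof of infection.

```python
import os
import tempfile

CHUNK = 64 * 1024  # read in blocks so large files do not load into memory

def is_zero_filled(path, chunk=CHUNK):
    """True when the file is non-empty and every byte is 0x00."""
    if os.path.getsize(path) == 0:
        return False  # an empty file did not keep an original size
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return True  # reached EOF without seeing a non-zero byte
            if block.count(0) != len(block):
                return False

def find_zeroed_files(root):
    """Return sorted paths under root whose whole content is zeros."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.islink(path) and is_zero_filled(path):
                    hits.append(path)
            except OSError:
                continue  # locked or unreadable: skip, keep sweeping
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data (not real infected files)."""
    os.makedirs(os.path.join(root, "sub"))
    samples = {
        "intact": ("intact.exe", b"MZ" + b"\x00" * 200),
        "zeroed": (os.path.join("sub", "zeroed.dll"), b"\x00" * 4096),
        "tail": ("tail.dat", b"\x00" * 100 + b"\x01"),
        "empty": ("empty.txt", b""),
    }
    paths = {k: os.path.join(root, rel) for k, (rel, _) in samples.items()}
    for key, (_, data) in samples.items():
        with open(paths[key], "wb") as fh:
            fh.write(data)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(find_zeroed_files(tmp)))
```

Run it against a mounted copy of the affected volume or share from a clean system, so the sweep does not depend on the infected host.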


This was last published in June 2002
