GIAC Certified Incident Handler (GCIH) — Question 89

The Klez worm is a mass-mailing worm that exploits a vulnerability to open an executable attachment even in Microsoft Outlook's preview pane. The Klez worm gathers email addresses from the entries of the default Windows Address Book (WAB). Which of the following registry values can be used to identify this worm?

Answer options

• A. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
• B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• C. HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "file and pathname of the WAB file"
• D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Correct answer: C

Explanation

The correct answer is C because it points directly to the Windows Address Book, which the Klez worm utilizes to gather email addresses. Options A and B are related to startup programs and do not specifically indicate the presence of the Klez worm. Option D is also related to startup items and does not directly pertain to the WAB, making it incorrect.