SANS SEC504: Hacker Tools, Techniques and Incident Handling — Question 23
The Klez worm is a mass-mailing worm that exploits a vulnerability that causes an executable attachment to be opened even when the message is only viewed in Microsoft Outlook's preview pane. The Klez worm gathers email addresses from the entries of the default Windows Address Book (WAB). Which of the following registry values can be used to identify this worm?
Answer options
- A. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- C. HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "file and pathname of the WAB file"
- D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Correct answer: B
Explanation
The correct answer is B: the Klez worm is typically registered to run automatically under the Run key in the local machine (HKEY_LOCAL_MACHINE) registry hive. Option A is incorrect because it refers to the RunServices key, which is not used for this type of malware. Option C relates to the Windows Address Book and does not directly identify the worm itself. Option D refers to the user-specific Run key, which is less relevant for detecting this worm.