Exam GCIH
Question 21

The Klez worm is a mass-mailing worm that exploits a vulnerability to open an executable attachment even in Microsoft Outlook's preview pane. The Klez worm gathers email addresses from the entries of the default Windows Address Book (WAB). Which of the following registry values can be used to identify this worm?

    Correct Answer: B

    The Klez worm is known to modify the system startup configuration so that it runs when the computer boots. This is typically achieved by adding or modifying a value under the 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' registry key. This location in the registry is often targeted by malware to achieve persistence. The worm can be identified by checking for suspicious entries under this registry key.

Discussion
GQ
Option: B

I doubt C is the answer. The Klez worm gathers email addresses from the entries of the default Windows Address Book (WAB). The path and filename of these are identified through HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = “<file and pathname of the WAB file>”. No changes are made to this registry entry. However, it does disable the permanent protection of the antivirus program by deleting the following entry from the Windows Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run