Elkern.A is activated by simply viewing the message in Outlook's Preview Pane. In order to do this, it exploits a vulnerability in Internet Explorer (versions 5.01 and 5.05).

 The effects of Elkern.A are:

• It searches for executable files in PE format.
• It will infect all executable files in PE format that it finds. 

Elkern.A will act in the following pattern when it begins infecting:

• It will prevent file size in infected files from changing by using a cavity technique.
• Create the file WQK.EXE in the Windows Directory
• Create the following entry in the Windows Registry:
  
  HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  These modifications will allow Elkern.A to activate each time the computer is started.

How does it get into computers?

• Elkern.A reaches computers inside the Klez worm, as it cannot spread by itself.The subject of the e-mail message varies each time.
• As it is dropped by Klez, Elkern.A is automatically sent to all the contacts in the Address Book.

How is it activated?

• Elkern.A activates when the message in which it is sent is viewed in Outlook’s Preview Pane. It does this by exploiting a known vulnerability in Internet Explorer (versions 5.01 and 5.5). Microsoft has already released the patch that fixes this problem.
• When the message carrying the Klez worm is opened.
• When any file attached to the e-mail message carrying the Klez worm is opened or run.

How does it spread?

• As Elkern.A is included in Klez, and is automatically sent to all of the contacts in the Address Book,via an SMTP connection.