W32.Klez.E@mm
Discovered on: January 17, 2002
New variants in March and April 2002


Because this virus can come in so many forms, it is important that you do not open any attachments that are sent to you unless you know for sure the person it is from meant to send it to you. Ask before opening! Also, if you have an outdated, unpatched version of Outlook Express, you can get forms of this virus without opening any attachment. Be sure you have the latest 6.x version of Internet Explorer/Outlook Express, as it protects you from this virus executing itself from the preview pane or an opened mail; if you are using a 5.x version, you need to update or obtain the patch from Microsoft. Information and a patch for the vulnerability are available at https://www.microsoft.com/technet/security/bulletin/MS01-020.asp

IMPORTANT! This W32/Klez variant has the ability to spoof the email FROM: field. The sender's address used by the virus may be one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual sender's address. (Information from McAfee website)

Remember, Cloudeight does not send any kind of attachments to any email. As you can imagine we have been added to hundreds of thousands of personal address books, and since this virus will take a name at random and put it in the "from" field of an infected mail, do not trust any attachments even if you think it is from a reliable source!

Never open an attachment even if the sender is your best friend unless you were expecting it and you know what it is. Even then you should save it to your desktop and scan it with an updated anti-virus program before opening it.

****************************

Symantec AntiVirus has a removal tool for Klez. Click here to download this tool.  For more information from Symantec on how to use the removal tool, Click here.

A reminder: If you're using anti-virus software which has not been updated or has expired, you are not protected. If you need a good free anti-virus program with free automatic updates, click here. Do not use email or the Web without anti-virus software and the latest patches from https://windowsupdate.microsoft.com/ . If you do, you will help spread viruses, Trojans, and worms, and you will stand a good chance of losing all your files and other data. Please don't take chances. Let's all join together to be part of the solution and not part of the problem. If you want to check your system right now, online, free, visit https://housecall.antivirus.com/ .

Information below obtained from Symantec

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability are available at
https://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.

The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes. 

****************

Characteristics. Information obtained from Sophos

This worm searches for email address entries in the Windows address book but uses its own mailing routine.

The email will have the following characteristics:

Subject line: either random or chosen from a list. These are listed by Sophos:

How are you
Let's be friends
Darling
Don't drink too much
Your password
Honey
Some questions
Please try again
Welcome to my hometown
the Garden of Eden
introduction on ADSL
Meeting notice
Questionnaire
Congratulations
Sos!
japanese girl VS playboy
Look,my beautiful girl friend
Eager to see you
Spice girls' vocal concert
Japanese lass' sexy pictures

The following are from a list obtained from McAfee:

Subject: Document End
Subject: Happy Lady Day
Subject: From
Subject: Eager to see you
Subject: Returned mail--"Document End "
Subject: HEIGHT
Subject: A WinXP patch
Subject: Hi,spice girls' vocal concert
Subject: Happy nice Lady Day
Subject: Have a humour Lady Day
Subject: Happy good Lady Day
Subject: ALIGN
Subject: Have a good Lady Day
Subject: Undeliverable mail--"IIS services with this Web administration tool."
(the virus can also send mails with empty Subject and/or body)

Message text: randomly composed by the worm, but the message can also be sent without any text.

Attached file: Randomly named with extension .PIF, .SCR, .EXE or .BAT.

The sender address which appears in a message is chosen from a list inside the worm.

W32/Klez-E attempts to disable several anti-virus products and delete some anti-virus related files.
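The characteristics above (a From: field forged from addresses found on the infected machine, subjects drawn from a fixed list, and a randomly named .PIF/.SCR/.EXE/.BAT attachment) can be turned into a simple mail-gateway or mailbox check. The script below is an added example, not code from Cloudeight or any of the vendors quoted; the sample message, its host names and the subset of subject lines are constructed here, and the From:-versus-Received: comparison is a heuristic that only flags a message for manual header review.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Subject lines quoted on this page (Sophos / McAfee lists), normalised to lowercase
KLEZ_SUBJECTS = {"how are you", "let's be friends", "your password", "a winxp patch",
                 "meeting notice", "congratulations", "eager to see you", "document end"}
RISKY_EXTENSIONS = {".pif", ".scr", ".exe", ".bat"}   # attachment types the page lists

def classify_message(raw):
    """Return a list of findings for one raw message; an empty list means nothing matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = " ".join(msg.get("Subject", "").split()).lower()
    if subject in KLEZ_SUBJECTS:
        findings.append(f"subject matches known Klez subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
    # Heuristic: Klez forges From:, so compare its domain with the earliest Received:
    # header, which the first relay adds. Low Received: lines can be forged too, so a
    # mismatch is a reason to read the full header, not proof of the true sender.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    if from_domain and received and from_domain not in str(received[-1]).lower():
        findings.append(f"From: domain {from_domain!r} not in originating Received: header")
    return findings

# Constructed sample (not a real capture); hosts use reserved documentation names
SAMPLE = """\
Received: from mail.example.org ([192.0.2.10]) by mx.example.net; Mon, 22 Apr 2002 10:15:00 +0000
Received: from pc-7 (dsl-5.example-isp.test [203.0.113.5]) by mail.example.org
From: "A Friend" <friend@example.com>
Subject: A WinXP patch
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/octet-stream; name="patch.scr"
Content-Disposition: attachment; filename="patch.scr"
Content-Transfer-Encoding: base64

AAAA
--sep--
"""
```

Run `classify_message(SAMPLE)` to see all three signals fire on the constructed message; a plain message with an unlisted subject and no attachment returns an empty list.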


For more information on Klez variants from Symantec, click here.

For more information on Klez variants from McAfee, click here.

For more information on Klez variants from Sophos, click here.