Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Video: Klez Removal
We have produced a video showing step-by-step how to get rid of the Klez worm: http://www.f-secure.com/virus-info/video/klez.ram
Note: The video requires RealPlayer to view. You may download RealPlayer from: http://www.real.com/player/index.html?lang=en
Worm:W32/Klez is a mass-mailer worm which drops a polymporphic EXE virus called ElKern.
On some systems the worm is able to self-launch itself when an infected e-mail is viewed (for example, with Outlook and IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that allows execution of an email attachment. This vulnerability is fixed and a patch for it is available on Microsoft site: http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
This worm/virus combo apparently originated from Asia, possibly China or Hong Kong. First infections were located early on the morning of 26th of October, 2001.
The e-mails sent by Klez can have a wide variety of different subject fields such as:
The message has no text in body and the attachment name is random.
The worm part contains a hidden message targeted towards anti-virus researchers. Most e-mail clients will not show this message. It looks like this:
The Klez worm copies itself to root directories of local and network drives with a random name and with double extension, such as .TXT.EXE.
Klez.D appeared in the wild on 11th of November, 2001. This variant has a few changes compared to the previous versions. First of all it looks for e-mail addresses in the user's ICQ database files also. This means that anyone in the user's ICQ contact list is a potential recipient of the worm.
Another change in the e-mail part is that the attachments can now have .EXE and .PIF extension also. It was only .EXE with the previous versions. When the worm is copied to the Windows system directory it's nownamed as 'WinSvc.exe'. The same name is used in the registry run key:
This version of the worm will try to locate and terminate processes that contain the words like 'Nimda', 'CodeRed', 'Code Red', 'CodeBlue', 'Code Blue'.
It also has a string inside that is never displayed:
F-Secure Anti-Virus detects and stops both Klez and Elkern. Detection was added with the update shipped on 26th of October around 15 o'clock GMT. The update with detection for D variant was published on 12th of November 09:00GMT.
Klez.E is a new variant of Klez worm that was first discovered on 17th of January 2002. The worm is "version 2.0" according to its author's classification and has several new features comparing to the older variants. The worm still has bugs that remained from previous versions.
The differences from the original version are as follows:
Here are screenshots of Klez.E worm when it arrives in e-mail:
Just like the other variants of Klez this one uses the Incorrect MIME Header (MS01-020) vulnerabilty to send attachments that are automatically executed when the message is opened. See the link to Microsoft security advisory above.
Recipient e-mail addresses are collected from the Windows Address Book as well as from ICQ user databases. The worm uses it's own SMTP routines so it can send e-mail without an e-mail client.
Important Note: The e-mails sent by Klez.E worm often have faked sender's address. The worm randomly picks sender's address from web pages, ICQ databases or Windows Address Books. This means that if you get Klez.E worm in e-mail, it's quite likely that it was NOT sent to you by the person listed in the 'From' field of e-mail message (sender's address).
Detection of Klez.E worm is available in the updates published on 17th of January 2002.
Klez.F is a minor variant of Klez.E worm. It appeared in the wild in April 2002.
Klez.G worm appeared on 29th of January 2002. This variant is very close to Klez.E variant. The worm drops Elkern virus 1.1, identical to the one that was dropped by Klez.E variant. Only a few differences have been noticed in G variant:
It should be noted that the Elkern virus works on Windows 2000 only due to dumb luck as there's a serious bug in the virus code that usually makes it crash just after installation into memory.
The worm still corrupts a lot of system files including DLL and VXD ones that often makes a system unusable after restart. The corruption happens because the worm tries to preserve the time/date stamp of a file it tries to infect and it saves this value into EXE file header without bothering to check if its a PE, NE or LE header. So NE and LE headers get corrupted and a file usually becomes unusable after that.
Like Klez.E variant, the new variant can send itself with empty messages with one the following subjects:
Also the worm sometimes sends messages pretending to be infection removal tools from a few anti-virus companies. For example:
Subject: removal tools Body: is a dangerous virus that spread through email. give you the removal tools For more information,please visit http://www.
.com The can be 'Symantec', 'Mcafee', 'F-Secure' or 'Sophos'. The can be 'W32.Elkern' or 'W32.Klez'.
Do not run attachments from such messages!
Also the worm can pretend to be a game, it can send itself (usually as SETUP.EXE) with the a message:
This is a special humour game This game is my first work. You're the first player. I expect you would like it.
The first and last lines can vary. This message will be displayed only by e-mail clients that ignore IFrame trick used by the worm to automatically launch itself from an e-mail message. The worm can also send 'congratulations' on one of the following holidays:
Detection of Klez.G worm is available in the updates published on 30th of January 2002.
This worm variant appeared in the wild on 17th of April 2002. It is quite close to E, F and G variants of Klez.