Klez.E is a new variant of Klez worm that was first discovered on
17th of January 2002. The worm is "version 2.0" according to its
author's classification and has several new features comparing to
the older variants. The worm still has bugs that remained from
The differences from the original version are as follows:
1. The worm installs itself to Windows System directory as
WINKxxxx.EXE file. The 'xxxx' can be 2-3 random letters. The worm
creates an autostarting key for its file in System Registry.
2. The worm now has file infection capabilities. When infecting
an EXE file, the worm overwrites it and creates a backup file
with the same name as the infected file, but with a random
extension with hidden, system and read-only attributes. When
the infected file is run, the worm extracts the original program
from a backup file with its original name plus 'MP8' and runs it.
After the program terminates, the worm deletes it. The worm
doesn't infect files with the following names:
This type of infection is called 'companion infection'.
3. The worm has network spreading capabilities. The worm
enumerates network resources and copies itself to remote drives
twice - once as an executable file with single or double
extension, and second time as a RAR archive that can have single
or double extension as well. The RAR archive contains the worm's
executable file with one of the following names:
The first extension of the RAR archive or of the worm's
executable can be:
The second or the only extension of the worm's executable file
The dropped RAR archive and worm's executable file name is either
random or belongs to a file, that a worm found on a host system.
So it can be for example QQ.PAS.EXE , KERNEL.MP3.PIF ,
DOCUMENT.SCR and so on.
4. The worm kills tasks of anti-virus and security software as
well as tasks of several other worms - Nimda, Sircam, Funlove and
CodeRed. The worm opens processes and looks for the specific text
strings there. If a specific text string is found in a process,
the worm terminates this process. The strings the worm looks for
Fun Loving Criminal
Also the worm terminates processes with the following names:
_AVP32 _AVPCC NOD32 NPSSVC NRESQ32 NSCHED32 NSCHEDNT
NSPLUGIN NAV NAVAPSVC NAVAPW32 NAVLU32 NAVRUNR NAVW32
_AVPM ALERTSVC AMON AVP32 AVPCC AVPM N32SCANW NAVWNT
ANTIVIR AVPUPD AVGCTRL AVWIN95 SCAN32 VSHWIN32 F-STOPW
F-PROT95 ACKWIN32 VETTRAY VET95 SWEEP95 PCCWIN98 IOMON98
AVPTC AVE32 AVCONSOL FP-WIN DVP95 F-AGNT95 CLAW95 NVC95
SCAN VIRUS LOCKDOWN2000 Norton Mcafee Antivir TASKMGR
5. The worm removes autostarting Registry keys of security and
anti-virus software thus disabling this software or parts of it
completely on next Windows startup.
6. The worm affects anti-virus checksum files and ingegrity
checker databases with the following names:
7. The worm drops a new version of Elkern virus ("version 1.1"
according to author's classification) that is also known as
Win32.Klez.b. Please see Elkern description for more info, the
link to it is on the top of this page.
8. The worm can corrupt binary executables and data files.
9. The worm contains the following text strings that are never
Win32 Klez V2.0 & Win32 Elkern V1.1,(There nick name is Twin Virus*^__^*)
Copyright,made in Asia,announcement:
1.I will try my best to protect the user from some vicious
virus,Funlove,Sircam,Nimda,CodeRed and even include W32.Klez 1.X.
2.Well paid jobs are wanted
3.Poor life should be unblessed
4.Don't accuse me.Please accuse the unfair sh*t world
10. The worm has a complex payload routine. It works as a
separate thread and constantly checks system date. If the month
number is odd (1, 3, 5, etc.) and the date is equal to 6 then the
worm proceeds further. It then checks if the month number is
equal to 7 (July) or 1 (January) and sets a special flag if it
is. Then the main payload routine is activated. It looks for all
files on all local and network drives. If the month is not 1 or 7,
the routine only affects files with the following extensions:
Otherwise all files are affected. The worm overwrites found files
with random data thus destroying their content.
11. E-mail messages sent by Klez.e are composed according to really
complex rules that makes possible of creating a large number of different
messages. It can create sentences from different parts like:
'The attachment is a very dangerous virus that spread trough e-mail.'
'The file is a special dangerous virus that can infect on Win98/Me/2000/XP.'
Just like the other variants of Klez this one uses the Incorrect
MIME Header (MS01-020) vulnerabilty to send attachments that are
automatically executed when the message is opened. See the link
to Microsoft security advisory above.
Recipients' e-mail addresses are collected from the Windows
Address Book as well as from ICQ user databases. The worm uses
it's own SMTP routines so it can send e-mail without an e-mail
Important Note: The e-mails sent by Klez.E worm often have faked
sender's address. The worm randomly picks sender's address from
web pages, ICQ databases or Windows Address Books. This means
that if you get Klez.E worm in e-mail, it's quite likely that it
was NOT sent to you by the person listed in the 'From' field of
e-mail message (sender's address).
The worm can send itself in messages with one the following
how are you
let's be friends
don't drink too much
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
Also the worm sometimes sends messages pretending to be infection
removal tools from a few anti-virus companies. For example:
Subject: <virusname> removal tools
<virusname> is a dangerous virus that spread through email.
<av_company_name> give you the <virusname> removal tools
For more information,please visit http://www.<av_company_name>.com
The <av_company_name> can be 'Symantec', 'Mcafee', 'F-Secure' or
'Sophos'. The <virusname> can be 'W32.Elkern' or 'W32.Klez'. Do
not run attachments from such messages!
Also the worm can pretend to be a game, it can send itself
(usually as SETUP.EXE or INSTALL.EXE) with the a message:
This is a special humour game
This game is my first work.
You're the first player.
I expect you would like it.
Sometimes the virus compares current date against a preset list of 10 different holiday dates. If the date matches, the worm will send an e-mail with a subject field such as "Happy Christmas", "Have a nice Christmas" or "Have a good Christmas". There are several variations on the exact subject field.
This only happens on one day per year for each of the holidays - for Christmas, Klez only tries to send these messages on 25th of December. Explanation for getting these messages before Christmas is simply that lots of people have their computers date set wrong.
The holidays are:
New year (1st of January)
Epiphany (6th of January)
Candlemas (2nd of February)
Saint Valentine's Day (14th of February)
Lady Day (25th of March)
April Fools' Day (1st of April)
Assumption (15th of August)
Allhallowmas (31st of October)
All Souls'Day (2nd of November)
Christmas (25th of December)
Here are the screenshots of Klez.E worm as it arrives in e-mail:
12. The worm corrupts a lot of system files including DLL and VXD
ones that often makes a system unusable after restart. The
corruption happens because the worm tries to preserve the
time/date stamp of a file it tries to infect and it saves this
value into EXE file header without bothering to check if it's a
PE, NE or LE header. So NE and LE headers get corrupted and a
file usually becomes unusable after that.
Detection of Klez.E worm is available in the updates published on
17th of January 2002.
Disinfection of Klez.E worm can be performed with the special
tool that is available on our ftp site:
Please read the KLEZTOOL.TXT file included in the ZIP archive
before using the tool.
Removal help with Video
We have produced an online video showing step-by-step how to get
rid of the Klez worm.
View the video (Real) from here:
You can download RealPlayer from here:
For feedback on the video or further questions, contact
[Analysis: F-Secure Anti-Virus Research Team, November 2001 - January 2003]