We have produced a video showing step-by-step how to get rid of the Klez worm: http://www.f-secure.com/virus-info/video/klez.ram
Note: The video requires RealPlayer to view. You may download RealPlayer from: http://www.real.com/player/index.html?lang=en
On some systems the worm is able to launch itself when an infected email is viewed (for example, with Outlook and IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that allows execution of an email attachment. This vulnerability is fixed and a patch for it is available on Microsoft's site: http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
This worm/virus combo apparently originated from Asia, possibly China or Hong Kong. First infections were located early on the morning of 26th of October, 2001.
The emails sent by Klez can have a wide variety of different subject fields such as:
The message body contains no text and the attachment name is random.
The worm part contains a hidden message targeted towards anti-virus researchers. Most email clients will not show this message. It looks like this:
The Klez worm copies itself to the root directories of local and network drives with a random name and a double extension, such as .TXT.EXE.
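A defensive check for the double-extension naming described above, as an added example that is not part of the original description: it flags files directly in a drive's root directory whose name ends in a document-looking extension followed by an executable one. The function names and the decoy extension list beyond .TXT are assumptions; .PIF is included because the Klez.D notes on this page mention it for attachments.

```python
import os

# Final extensions the page names for Klez copies and attachments.
EXECUTABLE_EXTS = {"exe", "pif"}
# Assumption: inner "decoy" extensions worth flagging; the page only gives .TXT.
DECOY_EXTS = {"txt", "doc", "htm", "html", "jpg", "rtf", "xls"}


def normalize(name):
    """Lower-case the name and drop trailing dots/spaces, which Windows ignores."""
    return name.rstrip(". ").lower()


def is_double_extension(name):
    """True when a decoy extension is immediately followed by an executable one.

    Padding between the two extensions ("a.txt     .exe") is stripped so that
    the spacing trick used to push the real extension out of view is caught.
    """
    parts = [p.strip() for p in normalize(name).split(".")]
    if len(parts) < 3:  # need base name + two extensions
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def scan_root(root):
    """Return suspicious file names found directly in `root` (no recursion)."""
    hits = []
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False) and is_double_extension(entry.name):
                hits.append(entry.name)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample names, not taken from a real infection.
    samples = ["Qwerty.TXT.EXE", "photo.jpg   .pif", "setup.exe", "archive.tar.gz"]
    for sample in samples:
        verdict = "SUSPICIOUS" if is_double_extension(sample) else "ok"
        print(f"{sample!r}: {verdict}")
```

Run `scan_root` against each local and mapped drive root (for example `C:\`); a hit is a lead for further analysis, not a verdict, since legitimate files can occasionally carry two extensions.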
Klez.D appeared in the wild on 11th of November, 2001. This variant has a few changes compared to the previous versions. First of all, it also looks for email addresses in the user's ICQ database files. This means that anyone in the user's ICQ contact list is a potential recipient of the worm.
Another change in the email part is that the attachments can now have either an .EXE or a .PIF extension. It was only .EXE with the previous versions. When the worm is copied to the Windows system directory it is now named 'WinSvc.exe'. The same name is used in the registry run key:
This version of the worm will try to locate and terminate processes whose names contain words like 'Nimda', 'CodeRed', 'Code Red', 'CodeBlue', 'Code Blue'.
It also has a string inside that is never displayed:
F-Secure Anti-Virus detects and stops both Klez and Elkern. Detection was added with the update shipped on 26th of October at around 15:00 GMT. The update with detection for the D variant was published on 12th of November at 09:00 GMT.
Klez.E is a new variant of the Klez worm that was first discovered on 17th of January 2002. The worm is "version 2.0" according to its author's classification and has several new features compared to the older variants. The worm still has bugs that remain from previous versions.
The differences from the original version are as follows: