Information about the 'Klez-H' virus.

Virus name:   Klez-H   (also known as W32/Klez-H).

Status:   Real.

Origins:   W32/Klez-H is a variant of Klez, a Win32 worm that carries a compressed version of the W32.ElKern.4926 virus, which it copies to the Windows Program Files directory and executes. It then copies itself to the Windows system directory using a random filename beginning with the string "wink".

Klez-H then replicates itself by searching e-mail address books on the infected PC and mailing itself out to recipients found there, putting one of the addresses from the address book or an address from its own internal list in the "From:" field as the return address. The subject of the message is constructed using the following pattern:
  1. May be prefaced with "Hi,", "Hello,", "Re:", "Fw:", or nothing at all.
  2. Begins with "A very", "A special", "Happy" or "Have a".
  3. Followed by "New", "funny", "nice", "humour", "excite", "good", "powful", "WinXP", "IE 6.0" (or nothing).
  4. Ends with "game", "tool", "website", "patch", "Allhallowmas", "Christmas", or "Epiphany".
For example, a Klez-H subject line might be "Happy New Epiphany" or "Fw: A special powful tool" or "Have a good Allhallowmas".
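
The four-part subject pattern above can be expressed as a mail-filter triage check. The Python below is an added example, not part of the original article or any vendor's tooling; the function names, the case-insensitive matching and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Word lists copied from the four-part subject pattern listed above.
PREFIXES = ["Hi,", "Hello,", "Re:", "Fw:"]
OPENERS = ["A very", "A special", "Happy", "Have a"]
MODIFIERS = ["New", "funny", "nice", "humour", "excite", "good",
             "powful", "WinXP", "IE 6.0"]
ENDINGS = ["game", "tool", "website", "patch", "Allhallowmas", "Christmas", "Epiphany"]


def _alt(words):
    """Build a regex alternation from literal words."""
    return "(?:" + "|".join(re.escape(w) for w in words) + ")"


# Optional prefix, required opener, optional modifier, required ending.
# Assumption: case-insensitive, flexible whitespace (header folding, relays).
KLEZ_H_SUBJECT = re.compile(
    rf"^\s*(?:{_alt(PREFIXES)}\s*)?{_alt(OPENERS)}\s+"
    rf"(?:{_alt(MODIFIERS)}\s+)?{_alt(ENDINGS)}\s*$",
    re.IGNORECASE,
)


def subject_matches(subject):
    """True if the subject fits the Klez-H construction pattern."""
    return bool(KLEZ_H_SUBJECT.match(subject or ""))


def flag_messages(raw_messages):
    """Return the subjects of raw RFC 5322 messages that fit the pattern."""
    flagged = []
    for raw in raw_messages:
        subject = str(message_from_string(raw, policy=default)["Subject"] or "")
        if subject_matches(subject):
            flagged.append(subject)
    return flagged


# Constructed sample messages (not captured traffic).
SAMPLES = [
    "From: a@example.com\nSubject: Happy New Epiphany\n\nbody\n",
    "From: b@example.com\nSubject: Fw: A special powful tool\n\nbody\n",
    "From: c@example.com\nSubject: Have a good Allhallowmas\n\nbody\n",
    "From: d@example.com\nSubject: Quarterly report attached\n\nbody\n",
    "From: e@example.com\nSubject: Happy Christmas\n\nbody\n",
]

if __name__ == "__main__":
    for s in flag_messages(SAMPLES):
        print("pattern match:", s)
```

An ordinary greeting such as "Happy Christmas" also fits the pattern, so a hit is a signal to combine with attachment and sender checks, not a verdict on its own.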

Klez exploits a bug in Microsoft's Internet Explorer (version 5) to infect a user's system.

See the links below for more information on how to detect and remove Klez.

Additional Information:
    W32.Klez.H@mm (Symantec Security Response)
    W32/Klez.h@MM (McAfee Virus Information Library)
    How to Save Your PC from Virus Attacks
Last updated:   28 January 2008

