Klez-H Virus

Information about the 'Klez-H' virus.

Published Oct 22, 2002


Virus name:   Klez-H   (also known as W32/Klez-H).

Status:   Real.

Origins:   W32/Klez-H is a variant of Klez, a Win32 worm that carries a compressed version of the W32.ElKern.4926 virus, which it copies to the Windows Program Files directory and executes. It then copies itself to the Windows system directory under a random filename beginning with the string "wink".

Klez-H then replicates itself by searching e-mail address books on the infected PC and mailing itself out to recipients found there, putting one of the addresses from the address book or an address from its own internal list in the "From:" field as the return address. The subject of the message is constructed using the following pattern:

  1. May be prefaced with "Hi,", "Hello,", "Re:", "Fw:", or nothing at all.
  2. Begins with "A very", "A special", "Happy", or "Have a".
  3. Followed by "New", "funny", "nice", "humour", "excite", "good", "powful", "WinXP", "IE 6.0", or nothing.
  4. Ends with "game", "tool", "website", "patch", "Allhallowmas", "Christmas", or "Epiphany".

For example, a Klez-H subject line might be "Happy New Epiphany", "Fw: A special powful tool", or "Have a good Allhallowmas".
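The four-part subject pattern above can be turned into a mail-filter check. The following is an added example (not code from the original page or from any antivirus vendor) that builds a regular expression from the listed word choices and flags matching subjects; case-insensitive matching and the sample subject lines are assumptions of the example.

```python
import re

# Word lists transcribed from the Klez-H subject-line pattern described above.
PREFACES = ["Hi,", "Hello,", "Re:", "Fw:"]
OPENERS = ["A very", "A special", "Happy", "Have a"]
MIDDLES = ["New", "funny", "nice", "humour", "excite", "good", "powful", "WinXP", "IE 6.0"]
ENDINGS = ["game", "tool", "website", "patch", "Allhallowmas", "Christmas", "Epiphany"]


def _alt(words):
    # Regex alternation of literal words, longest first so a longer choice
    # such as "A special" is tried before a shorter one that shares a prefix.
    return "(?:" + "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True)) + ")"


# Optional preface, mandatory opener, optional middle word, mandatory ending,
# each separated by whitespace. Anchored so unrelated text cannot match.
KLEZ_H_SUBJECT = re.compile(
    r"^\s*"
    + "(?:" + _alt(PREFACES) + r"\s+)?"
    + _alt(OPENERS)
    + "(?:" + r"\s+" + _alt(MIDDLES) + ")?"
    + r"\s+" + _alt(ENDINGS)
    + r"\s*$",
    re.IGNORECASE,  # assumption: the worm's casing is not relied upon
)


def is_klez_h_subject(subject: str) -> bool:
    """Return True when a subject line fits the Klez-H construction pattern."""
    return KLEZ_H_SUBJECT.match(subject) is not None


def flag_subjects(subjects):
    """Return, in order, the subjects a gateway filter would flag for closer inspection."""
    return [s for s in subjects if is_klez_h_subject(s)]


# Constructed sample subject lines: three from the page plus benign look-alikes.
SAMPLE_SUBJECTS = [
    "Happy New Epiphany",
    "Re: meeting tomorrow",
    "Fw: A special powful tool",
    "Have a nice day",
    "Hello, A very funny website",
    "Have a good Allhallowmas",
]

if __name__ == "__main__":
    for s in flag_subjects(SAMPLE_SUBJECTS):
        print("flagged:", s)
```

A subject match on its own is only a heuristic; in practice it would be combined with checks on the attachment the message carries.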

Klez exploits a bug in Microsoft's Internet Explorer (version 5) to infect a user's system.

See the links below for more information on how to detect and remove Klez.

Last updated:   28 January 2008

