Klez Virus

Virus name:   Klez   (also known as W32/Klez.gen@MM or W32.Klez.E).

Status:   Real.

Origins:   The Klez virus arrives as an attachment to e-mails bearing spoofed return addresses and subject lines selected randomly from a large pool of choices. The subject line might be any of the following:

• congratulations


• darling


• eager to see you


• the Garden of Eden


• honey


• how are you


• introduction on ADSL


• japanese girl VS playboy


• japanese lass' sexy pictures


• let's be friends


• look,my beautiful girl friend


• meeting notice


• please try again


• questionnaire


• so cool a flash,enjoy it


• some questions


• sos!


• spice girls' vocal concert


• welcome to my hometown


• Worm Klez.E immunity


• your password


• Returned mail—"[random phrase]"


• Undeliverable mail—"[random phrase]"


• a [random phrase] game


• a [random phrase] patch


• a [random phrase] tool


• a [random phrase] website


• [random phrase] removal tools

Where [random phrase] is one or two words selected from the following list (e.g., "W32.Elkern removal tools," "a special powful tool"):

• excite


• funny


• good


• humour


• new


• nice


• powful
• F-Secure


• IE 6.0


• Kaspersky


• Mcafee


• Sophos


• Symantec


• Trendmicro


• W32.Elkern


• W32.Klez.E


• WinXP

Klez exploits a bug in Microsoft's Internet Explorer (version 5) to infect a user's system, and once installed it sends out e-mail messages to addresses found in local files, Microsoft Outlook address books, and ICQ address books. It will also overwrite any txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3 file on the 6th of every odd numbered month (January, March, May, July, September, and November).

See the links below for more information on how to detect and remove Klez.

Additional Information:

	W32.Klez.H@mm (Symantec Security Response)
	W32/Klez.e@MM (McAfee Virus Information Library)
	How to Save Your PC from Virus Attacks (CNN.com)