Network & Academic Computing Services
Klez Virus Information
Aliases: W32/Klez.C@mm, W32.Klez.gen@mm, KLEZ.C, I-Worm.Klez.C

Description:
The Klez virus is a mass-mailing email worm. The worm uses random subject lines, message bodies, and attachment file names. It also forges sender addresses: both the "From" address and the "To" address are taken from files found on the infected computer.

Messages that appear to have been sent from your account may therefore have been generated on someone else's infected computer. If you suspect that your own machine is infected, please use a virus scanner to make sure that it is cleaned. Otherwise, delete the e-mail messages without opening the attachments.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.

The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.

This destructive, persistent, memory-resident, multi-process, and multi-threaded worm spreads a copy of itself via email and network shared drives. The worm consists of two components: the main worm and a Windows executable infector.

Like PE_NIMDA.A, this worm uses the MS Outlook and Outlook Express exploit that allows an attachment to execute automatically when the message is previewed.

On Windows NT/2K systems, the worm registers itself as a system service. On Windows 9X, it hides itself from the Task List. More information on this vulnerability and the security update are available from Microsoft TechNet (see the MS01-020 link above).


Removal Tool

An easy-to-use removal tool for the Klez virus and its variants can be found on the University of Kansas' site at:
http://www.ku.edu/acs/virus/undoklez.exe
Instructions and more information on this tool can be found at:
http://www.ku.edu/acs/virus/viruses/klez.shtml


April 18th update

Warning - a new fake Klez immunity tool

An e-mail message is masquerading as a Klez immunity tool.
This is not a Klez defense. Instead, it is an insidious Klez variant!
You may receive e-mail with the following message and text:

Subject: Worm Klez.E immunity

    Klez.E is the most common world-wide spreading worm.It's very
    dangerous by corrupting your files.
    Because of its very smart stealth and anti-anti-virus
    technic,most common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious virus.
    You only need to run this tool once,and then Klez will never come
    into your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real
    worm,some AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question,please mail to me

If you receive a message with the above text, do NOT use the attachment!
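The following mail-filter check is an added example, not part of this advisory or of any vendor tool: it parses a message with Python's standard email module and flags the lure above by its subject line, its body phrases, and an executable attachment. The executable extension list and the check for an executable delivered under a non-executable MIME type (the behaviour MS01-020 addresses) are assumptions of this example, as are the constructed sample messages.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure text quoted in the advisory above; matching is case-insensitive.
LURE_SUBJECT = "worm klez.e immunity"
LURE_PHRASES = ("immunity tool", "acts as a fake klez", "ignore the warning")
# Assumed list of attachment extensions treated as executable (not from the advisory).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")


def klez_lure_indicators(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message looks like the fake immunity-tool lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject == LURE_SUBJECT:
        reasons.append("subject matches known lure")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("body contains lure phrases: " + ", ".join(hits))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment {name}")
            # MS01-020 concerns executables declared under a harmless MIME type so
            # that the mail client runs them on preview; flag the mismatch.
            if part.get_content_maintype() in ("audio", "image", "text"):
                reasons.append(f"content type {part.get_content_type()} does not match {name}")
    return reasons


def build_sample(subject: str, text: str, attachment: str = "", ctype: str = "") -> bytes:
    """Construct a sample message for testing (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"   # Klez forges this header
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype=maintype,
                           subtype=subtype, filename=attachment)
    return msg.as_bytes()


LURE_SAMPLE = build_sample("Worm Klez.E immunity",
                           "We developed this free immunity tool to defeat the malicious virus.\n"
                           "NOTE: Because this tool acts as a fake Klez to fool the real worm,"
                           "some AV monitor maybe cry when you run it.\n"
                           "If so,Ignore the warning,and select 'continue'.",
                           "klez_immunity.exe", "audio/x-wav")
BENIGN_SAMPLE = build_sample("Lunch on Friday", "See you at noon.")
```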

May 6, 2002 Update

Double Trouble
By Bruce Hughes

The W32.Klez.H@mm worm currently topping the lists of most widespread malware has a destructive new twist. Antivirus vendors have received samples of Klez transporting the more dangerous W95.CIH.1049 virus that can permanently damage computers. Mass-mailer Klez.H sends messages to all recipients that it finds on an infected user's computer, leading to clogged mail servers and extensive cleanup time, though it carries no destructive payload.

However, reports suggest that some files infected with Klez are also transporting the more dangerous CIH virus. It infects 32-bit Windows 95/98/NT executables and carries two dangerous payloads. The first overwrites the hard disk with random data and the second corrupts the Flash BIOS, leaving the computer useless. This version of CIH is a variant of the original and has a payload date of August 2. Currently the virus isn't thought to be "in the wild" and only Trend Micro reports actual infections (three, to be exact). Users should update their antivirus products; most antivirus products detect both Klez.H and the new version of CIH.


Resources

Wired: Description of how the virus works
http://www.wired.com/news/print/0,1294,52174,00.html

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Trend Micro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.C

Network Associates
http://vil.nai.com/vil/content/v_99367.htm

McAfee
http://vil.mcafee.com/dispVirus.asp?virus_k=99237

F-Secure
http://www.europe.f-secure.com/v-descs/klez.shtml

Sophos
http://www.sophos.com/virusinfo/analyses/w32klezg.html

Klez Information Site
This site offers a description of the Klez virus, and links to infection statistics and information about removing it from infected systems.
http://www.net-security.org/virus_news.php?id=13

Klez Still Spreading
Klez continues to spread and to generate traffic due to response and refusal mechanisms.
http://news.com.com/2100-1001-916945.html

Please call the NACS Response Center at (949) 824-2222 if you have any questions.



University of California, Irvine