The Klez virus

Introduction to the Klez virus

Appearing early in 2002, the Klez virus is still everywhere on networks, and the danger it poses is even higher due to the new variants that keep cropping up (like Klez.e, Klez.g, Klez.h, Klez.i, Klez.k, etc.). The new versions of the virus include increasingly clever self-distribution mechanisms, allowing them to spread even more easily.

The Klez virus (code name W32.Klez.Worm@mm) is a worm which spreads by email. It also has 4 other ways to spread:

  • The web
  • Shared folders
  • Microsoft IIS security holes
  • File transfer

At particular risk are users of Microsoft Outlook in Windows 95, 98, Millennium, NT4, 2000 and XP, as well as Microsoft Internet Explorer users.

What the virus does

The Klez worm retrieves the list of addresses found in the address book of Microsoft Outlook or Eudora, as well as instant message clients (ICQ).

Next, the Klez virus sends all recipients an e-mail, using its own SMTP server.

Using this process, the Klez virus generates emails with an empty body and a subject chosen at random from a list of about a hundred preset choices. It attaches to the email an executable file which contains a variant of the virus. The viruses use an .eml extension to exploit a security flaw in Microsoft Internet Explorer 5.

The Klez virus is distinguished by its ability to send emails which look like they came from a sender whose address was found on the victim's machine (shown in the from field in the email sent).

More recent versions of the virus even carry tools for thwarting the most common anti-virus programs.

Worse, its own authors have programmed a false corrective measure for the virus, sent to the victims in an email entitled Worm Klez.E immunity. False error messages claiming that a message could not be delivered are also sent, each containing yet another copy of the virus as an attached file!

What's more, in Microsoft Windows the Klez virus can spread over shared network folders, infecting executable files found there.

Viewing Web pages on servers infected by the Klez virus may lead to infection when a user views pages with the vulnerable Microsoft Internet Explorer 5 browser.

The Nimda virus is also capable of taking control of a Microsoft IIS (Internet Information Server) Web server, by exploiting certain security holes.

Finally, like its cousins, the virus infects executable files found on the infected machine, meaning that it can also spread by file transfers.

The Klez virus is programmed to delete randomly chosen files on the 6th of the month during odd-numbered months. To top it all off, on January 6 and July 6, the virus will erase all files on the hard drive!

Symptoms of infection

The Klez virus uses as many resources as it can on the infected machines. If your computer is reacting slowly and strangely, the first thing to do is to scan all your hard drives with your antivirus software, with the understanding that the virus may have altered the antivirus program to avoid being detected.

Eradicating the virus

To eradicate the Klez virus, the best method involves first disconnecting the infected machine from the network, then using up-to-date antivirus software or the Symantec virus removal tool (preferably restarting the computer in safe mode):
Download the virus removal tool

What's more, the virus can spread using a security hole in Microsoft Internet Explorer, which means that you may catch the virus by visiting an infected site. To fix it, you must download the patch for Microsoft Internet Explorer 5.01 and 5.5. Please check the version of your browser, and download the patch if need be:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

As the virus falsifies the sender's email address (in the from field), it is recommended that you not respond to the email's sender. Instead, check the Return-Path field of the message and reply to whichever address is listed there.
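The mail traits described on this page (a From address that differs from the Return-Path, an empty body, an executable attachment) can be checked on a stored message. The following is an added example, not part of the original article; the function name, indicator labels, extension list and sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Attachment extensions treated as executable (assumption; extend as needed).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".com")

# Constructed sample: forged From, empty body, executable attachment.
SAMPLE = """\
Return-Path: <infected-host@example.net>
From: Alice <alice@example.org>
Subject: Hi
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain


--b1
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"

AAAA
--b1--
"""

def klez_style_indicators(raw_message):
    """Return heuristic indicators found in one raw e-mail message."""
    msg = message_from_string(raw_message)
    findings = []
    # From and Return-Path naming different mailboxes suggests a forged sender.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if from_addr and return_path and from_addr != return_path:
        findings.append("from_return_path_mismatch")
    body_text, has_executable = "", False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        if filename:
            has_executable |= filename.endswith(EXECUTABLE_EXTS)
        elif part.get_content_maintype() == "text":
            body_text += (part.get_payload(decode=True) or b"").decode("latin-1")
    if has_executable:
        findings.append("executable_attachment")
    if not body_text.strip():
        findings.append("empty_body")
    return findings

print(klez_style_indicators(SAMPLE))
```

A From/Return-Path mismatch alone also occurs in legitimate mailing-list and bulk mail, so the indicators are meant to be weighed together rather than acted on singly.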

Last update on Thursday October 16, 2008 02:43:16 PM.
This document entitled « The Klez virus » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the licence, as long as this note appears clearly.
