Email-Worm.Win32.Klez

Detect Date 02/07/2002
Class Email-Worm
Platform Win32
Description

The Klez.h variant of the Klez worm family is very similar to Klez.e. The differences are:

  1. This variant has no payload and doesn’t destroy files.
  2. It brings with it additional variants of infected Messages, Subjects and Bodies.

Example of a Klez.h email message Subject and Body content:

Worm Klez.E immunity



Klez.E is the most common world-wide spreading worm.



It's very dangerous by corrupting your files.



Because of its very smart stealth and anti-anti-virus technic,



most common AV software can't detect or clean it.



We developed this free immunity tool to defeat the malicious virus.



You only need to run this tool once,and then Klez will never come into your PC.



NOTE: Because this tool acts as a fake Klez to fool the real worm,



some AV monitor maybe cry when you run it.



If so,Ignore the warning,and select 'continue'.



If you have any question,please mail to me.

This worm looks for files with the following extensions:

.txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .c .pas .mpg .mpeg .bak .mp3 .pdf

Depending on several conditions Klez.h attaches a file with one of the above listed extensions to infected emails (as the second attached file). As a result, confidential or personal information may be sent out and made public.

Another example of Klez.h email message content:

Win32 Klez V2.01 & Win32 Foroux V1.0



Copyright 2002,made in Asia



About Klez V2.01:



1,Main mission is to release the new baby PE virus,Win32 Foroux



2,No significant change.No bug fixed.No any payload.



About Win32 Foroux (plz keep the name,thanx)



1,Full compatible Win32 PE virus on Win9X/2K/NT/XP



2,With very interesting feature.Check it!



3,No any payload.No any optimization



4,Not bug free,because of a hurry work.No more than three weeks from



having such idea to accomplishing coding and testing

How do I delete the Klez virus?

1) disconnect the infected PC from the local network (if exists)

2) run clrav.com file

If the program says “nothing to clean” – run it from the command line with the paramrter /scanfiles, for example:

C:clrav.com /scanfiles

3) re-boot your PC in Safe Mode

4) run clrav.com again

5) reinstall the anti-virus package and update the anti-virus database

6) run Kaspersky AV Scanner and check all the hard drives