Win32/Klez.E
 
Short description
Win32/Klez.E is the second version of a mass-mailing worm that appeared in late 2001. It became quite widespread in early 2002. W32/Klez.E may arrive in many forms (for example a fake IE 6.0 patch or a fake DataFellows utility). An exhaustive description of the worm and the trojan it drops (elkern) can be found on the F-Secure Web site. Some particularities of the worm include:
  • the ability to send mail appearing to come from addresses other than the real sender (see this Wired article for examples)
  • the ability to exploit the automatic Outlook execution bug
  • the ability to terminate and deactivate many anti-virus products and a few viruses.
In practice
All known variants of Win32/Klez are detected and disinfected by F-Secure Anti-Virus, provided it is properly updated. A special free utility to clean Klez is available here (at the time of writing, this utility doesn't cover Klez yet).
 
Like all worms that attempt to execute automatically through the Outlook/Internet Explorer vulnerability, Klez's virulence can be mitigated by applying the proper MS security patch.

DataRescue 45 quai de la Dérivation 4020 Liège (Belgium) tel 32-4-3446510 fax 32-4-3446514 Please send us your questions or comments.