Klez (W32.Klez.gen@mm) mass mailing worm

klez-worm (8937)

High Risk

Description:

Klez is a class of worms that collects email addresses from an infected computer's Windows address book and propagates using its own SMTP server. As of April 26, 2002, there are nine variants of the Klez worm that all exploit the "Microsoft Internet Explorer Incorrect MIME header" vulnerability, which causes an email attachment to be automatically executed when an HTML email is previewed by a Microsoft Outlook or Outlook Express user. The worm can arrive as an email attachment with one of the following file extensions: asp, bak, c, cpp, doc, htm, html, jpg, mp3, mpg, mpeg, pas, rtf, wab, or xls.

Klez can carry either no viral payload, or one of four variants of the Elkern file infecting virus. The Elkern virus is destructive and is designed to destroy all accessible drives on certain dates as well as disable antivirus software upon infection. The Klez family of worms and the Elkern family of viruses both create registry keys in order to execute again if the host computer is rebooted.

Note: For more information on the "Microsoft Internet Explorer Incorrect MIME header" vulnerability, refer to Microsoft Security Bulletin MS01-20. See References.

Platforms Affected:

• Microsoft, Internet Explorer
• Microsoft, Outlook
• Microsoft, Outlook Express
• Microsoft, Windows 2000
• Microsoft, Windows 2003 Server
• Microsoft, Windows 95
• Microsoft, Windows 98
• Microsoft, Windows 98SE
• Microsoft, Windows Me
• Microsoft, Windows NT 4.0
• Microsoft, Windows XP

Remedy:

Microsoft Internet Explorer, Outlook, and Outlook Express users should ensure that the latest patches have been applied to their software. The latest patches and security updates can be obtained from Microsoft by visiting the Microsoft Windows Update site. See References.

In addition, users should ensure that their antivirus software is up-to-date or obtain a removal tool from their antivirus vendor if infected.

Consequences:

Gain Access

References:

• F-Secure Web site, F-Secure Computer Virus Information Pages: Klez at http://www.f-secure.com/v-descs/klez.shtml.
• Internet Security Systems Security Alert #115, Outbreak of Klez Family Hybrid Threats at http://www.iss.net/xforce/alerts/id/advise115.
• McAfee Virus Information Library, W32/Klez.gen@MM at http://vil.nai.com/vil/content/v_99237.htm.
• Microsoft Corporation Web site, Microsoft Windows Update at http://windowsupdate.microsoft.com.
• Microsoft Security Bulletin MS01-020, Incorrect MIME Header Can Cause IE to Execute E-mail Attachment at http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx.
• Symantec Web site, SARC Reference - W32.Klez Removal Tool at http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html.
• Symantec Web site, Symantec Security Response - W32.Klez.gen@mm at http://www.sarc.com/avcenter/venc/data/w32.klez.gen@mm.html.
• VIRUSLIST.COM Virus Encyclopedia, I-Worm.Klez.a-h (Klez Family) at http://www.viruslist.com/eng/viruslist.html?id=4292.

Reported:

Oct 26, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page