
W32.Klez.E@mm

Risk Level 2: Low

Discovered: January 17, 2002
Updated: February 13, 2007 11:53:18 AM
Also Known As: W32/Klez.e@MM [McAfee], WORM_KLEZ.E [Trend], Klez.E [F-Secure], W32/Klez-E [Sophos], Win32.Klez.E [CA], I-Worm.Klez.E [AVP]
Type: Worm, Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References: CVE-2001-0154


Due to a decreased rate of submissions, Symantec Security Response has downgraded the threat level for W32.Klez.E@mm from Category 3 to Category 2 as of July 23, 2002.

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.

The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.

Removal tool
Symantec has provided a tool to remove infections of all known variants of W32.Klez and W32.ElKern. Click here to obtain the tool.
This is the easiest way to remove these threats and should be tried first.


Note on W32.Klez.gen@mm detections:
W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most cases, the tool will be able to remove the infection.





It has been reported that W32.Klez.E@mm may arrive in the following email message promoting a Symantec removal tool. Symantec never sends unsolicited email; the attachment should be deleted.

Subject: W32.Elkern removal tools

Message:
Symantec give you the W32.Elkern removal  tools. W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP.

For more information,please visit http:/ /www.Symantec.com 

Attachment: Install.exe

NOTE: Variations of this message have also been seen purporting to be removal tools for W32.Klez.
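A mail gateway can screen for the lure described above by parsing each message and combining the subject theme with the attachment type. The following is an added example, not part of the original writeup or any Symantec tool; the extension list, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list of directly executable Windows extensions (not from the writeup).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Matches the reported subject and the Klez-themed variations of it.
LURE_SUBJECT = re.compile(r"\bW32\.(Elkern|Klez)\b.*\bremoval\s+tools?\b", re.I)

def executable_attachments(msg):
    """Return attachment filenames that end in an executable extension."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        # Windows ignores trailing dots and spaces, so strip them before matching.
        if name and name.lower().rstrip(". ").endswith(EXECUTABLE_EXTS):
            found.append(name)
    return found

def assess(raw_bytes):
    """Classify one raw RFC 5322 message as quarantine, hold or deliver."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    exes = executable_attachments(msg)
    if exes and LURE_SUBJECT.search(subject):
        verdict = "quarantine"   # removal-tool lure carrying an executable
    elif exes:
        verdict = "hold"         # executable attachment, unrelated subject
    else:
        verdict = "deliver"
    return {"verdict": verdict, "subject": subject, "executables": exes}

def build_sample(subject, filename):
    """Build a constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("W32.Elkern removal tools", "Install.exe"),
                        ("W32.Klez removal tools", "setup.scr"),
                        ("Quarterly report", "report.pdf")]:
        print(assess(build_sample(subj, fname)))
```

Because the worm uses random subject lines for its other messages, the attachment check is the part that generalizes; the subject pattern only raises confidence for this specific lure.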

For information about how Klez affects a Macintosh computer, read the document "Are Macintoshes affected by the Klez virus?"

Antivirus Protection Dates

  • Initial Rapid Release version January 17, 2002
  • Latest Rapid Release version June 24, 2014 revision 006
  • Initial Daily Certified version January 17, 2002
  • Latest Daily Certified version September 7, 2012 revision 020
  • Initial Weekly Certified release date January 23, 2002

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Medium
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: Atli Gudmundsson
