When W32.Klez.A@mm is executed, it does the following:
It copies itself to
%System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds the value
to the registry key
so that it is executed when you start Windows.
The worm attempts to disable on-access virus scanners. It then searches local, mapped, and network drives and copies itself to them under a random file name with a double extension, such as Filename.txt.exe, so that the copy looks like a document when Windows hides the final (known) extension.
The worm also harvests email addresses from the Windows Address Book, which is used by Microsoft Outlook, and sends an email message to each address with itself as the attachment.
The email message has the following characteristics:
The subject of the email varies. It will usually be one of the following:
How are you?
Can you help me?
We want peace
Where will you go?
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger
The attachment has a random file name with the .exe extension.
The message body is:
I'm sorry to do so,but it's helpless to say sorry.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?
The message body is HTML, so whether it is visible depends on the email client's ability to display HTML messages. If the message is received by an unpatched Microsoft Outlook or Outlook Express, the attachment may be executed automatically when the message is opened or shown in the preview pane, without the user launching it. Information about this vulnerability and a patch are available at
The destructive payload is triggered on the 13th day of odd-numbered months (January, March, May, and so on). When it runs, it overwrites files on local and mapped drives, leaving them zero bytes in length.
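The following Python script is an added triage example, not part of the Symantec writeup and not code from the worm. It walks a directory tree looking for the two artefacts described above: double-extension executables such as Filename.txt.exe (the copies the worm drops on local, mapped, and network drives) and zero-byte files left behind by the payload, and it checks whether a given date falls on one of the payload trigger days (the 13th of an odd-numbered month). The extension lists and the sample directory it builds are constructed for illustration and are assumptions, not data from the page.

```python
import os
import tempfile
from datetime import date
from pathlib import Path

# Extensions the Windows shell will execute. A "document" extension in front
# of one of these (Filename.txt.exe) is the double-extension trick: Explorer
# hides the known final extension, so only "Filename.txt" is shown.
# Both lists are illustrative assumptions, not taken from the writeup.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".htm", ".html", ".xls", ".pdf"}


def is_double_extension(name: str) -> bool:
    """True for names like Filename.txt.exe: a decoy extension followed by an executable one."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] in EXECUTABLE_EXTS
        and suffixes[-2] in DECOY_EXTS
    )


def is_payload_date(year: int, month: int, day: int) -> bool:
    """Klez.A's destructive payload runs on the 13th of odd-numbered months (Jan, Mar, May, ...)."""
    d = date(year, month, day)  # also validates the calendar date
    return d.day == 13 and d.month % 2 == 1


def scan_tree(root: str):
    """Walk root and return (double-extension files, zero-byte files), each sorted, as paths relative to root."""
    double_ext, zero_len = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_double_extension(fn):
                double_ext.append(rel)
            try:
                if os.path.getsize(full) == 0:
                    zero_len.append(rel)
            except OSError:
                continue  # file vanished or unreadable; skip it rather than abort the scan
    return sorted(double_ext), sorted(zero_len)


def build_sample_tree() -> str:
    """Constructed sample tree (not real Klez artefacts): one double-extension 'document',
    one ordinary text file, and one file zeroed out the way the payload would leave it."""
    root = tempfile.mkdtemp(prefix="klez_demo_")
    samples = {
        "docs/Readme.txt.exe": b"MZ\x90\x00 constructed stand-in for a dropped copy",
        "docs/notes.txt": b"ordinary document content",
        "share/budget.xls": b"",  # zero bytes: what the payload leaves behind
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    dbl, zero = scan_tree(root)
    print("double-extension executables:", dbl)
    print("zero-byte files:", zero)
    today = date.today()
    print("payload trigger date today:", is_payload_date(today.year, today.month, today.day))
```

Run it against a real share by passing the mount point to scan_tree; zero-byte files alone are not proof of infection (empty files are common), but a cluster of them dated the 13th of an odd month, alongside double-extension executables, is the pattern this worm leaves.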
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":