W32.Klez.A@mm


Aliases: Email-Worm.Win32.Klez.a, I-Worm.Klez.a, W32/Klez.gen@MM, Win32.HLLM.Klez.57344, W32/Klez-A
Variants: W32.Klez, W32.Klez.E@mm, W32.Klez.H@mm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Hard
Platform: W32
Discovered: 09 Nov 2001
Damage: Medium

Characteristics: W32.Klez.A@mm is a mass-mailing worm. It searches the Windows address book for email addresses. The worm sends messages to all the recipients that it finds. It has its own SMTP engine and uses it to send messages. Variants of this worm use a technique called spoofing to randomly select addresses.

More details about W32.Klez.A@mm

The worm W32.Klez.A@mm spreads through the Internet. The worm is attached to email messages. It is a Windows PE EXE file. The virus infects most of Win32 PE EXE files on all available computer disks. It has a size of 57-65Kb and is written in Microsoft Visual C++. The subject and attachment name of the emails are randomly chosen. The attachment uses any of the extensions: .bat, .exe, .pif, or .scr. When the message is viewed, the worm uses an Internet Explorer security breach (IFRAME vulnerability) to run automatically. It uses its own SMTP protocol to send email messages to addresses it finds. It finds email addresses in a WAB database. Before the worm sends infected messages, it writes the list of email addresses it finds in its EXE file.

The messages and addresses stored in the worm’s body are encrypted. Every 13th of even months, the worm executes a payload routine. It fills all files on all available disks on a victims computer with random content. These files cannot be recovered. However, you can restore them from a backup copy. It is difficult to remove the worm or any of its variants from an infected computer. If your computer detects the worm or any of its variants, you must download a reliable antivirus or antispyware software program. There are antivirus programs designed to eliminate threats coming from these worms.