Win32:Klez-E is an Internet worm that also contains a compressed copy of the Win32:Elkern virus, which is dropped and executed when the worm is run. This worm searches for email address entries in the Windows address book but uses its own mailing routine.
The infected email has the following characteristics:
Subject line: could be either random or chosen from the following list:
How are you
Let's be friends
Darling
Don't drink too much
Your password
Honey
Some questions
Please try again
Welcome to my hometown
the Garden of Eden
introduction on ADSL
Meeting notice
Questionnaire
Congratulations
Sos!
japanese girl VS playboy
Look,my beautiful girl friend
Eager to see you
Spice girls' vocal concert
Japanese lass' sexy pictures
Body: the text may be composed randomly or may be empty.
Attached file: random name with the extension .PIF, .SCR, .EXE or .BAT.
The sender address which appears in a message is chosen from a list inside the worm, so the real sender is not the one written in the message.
The worm attempts to use the well-known MIME security hole in MS-Outlook, MS-Outlook Express, and Internet Explorer to run the attachment automatically.
The worm copies itself to the Windows System directory under a random filename. It then adds a registry key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it is executed on Windows startup. The worm is also able to spread to remote shared disks on the network using random filenames. It also tries to disable several anti-virus products and delete some anti-virus related files.
On the 6th of March, May, September and November the worm will overwrite files on all drives which have one of the following extensions: .TXT, .HTM, .HTML, .WAB, .DOC, .XLS, .JPG, .C, .PAS, .MPG, .MPEG, .BAK and .MP3. On the 6th of January and July the worm will overwrite all files on all drives.
Removal:
To remove this virus please use our free avast! Virus Cleaner.
Any avast! with a VPS file dated on or after 18th January 2002 is able to detect this worm.








