Worm Klez

Worm Klez is a computer worm that infects Microsoft Windows computer systems via email. Worm Klez, also called “Klez” and “Klez Worm,” made its first appearance in 2001. It was able to infect Microsoft Windows systems through an Internet Explorer security hole known as the “IFRAME vulnerability,” which allows it to start automatically when an infected message is opened. It spreads across local networks and in email messages.

Worm Klez itself is written in Microsoft Visual C++ and is a Windows PE EXE file averaging 57-65Kb, depending on the version. In addition to spreading across local networks and in email messages, Worm Klez can also create a Windows EXE file, with just about any name starting with the letter “K,” in a temporary folder. It writes the “Win32.Klez” virus into that file and then launches the virus. Once an infected file is started, Worm Klez copies itself to the Windows system folder under the name krn132.exe. The worm then writes the following entry to the registry so that it starts automatically whenever Windows starts:

“Krn132” = “%System%\Krn132.exe”

“%System%” is the name of the Windows system folder. This fast-moving worm searches for running anti-virus programs and forcibly shuts them down using the Windows “TerminateProcess” call. Klez Worm sends its mail over SMTP. SMTP, or “Simple Mail Transfer Protocol,” is an Internet standard for email transmission across Internet Protocol (“IP”) networks. The worm searches for email addresses in the Windows Address Book (WAB) database and sends any number of infected messages to these addresses.
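A host-side check for the autostart entry described above, added here as an example (it is not code from the original article): it parses a text export of the registry and flags any string value named Krn132 or pointing at Krn132.exe. The Run key and the file paths in the sample are assumptions, since the article gives only the value name and data, and the function names are hypothetical.

```python
import re

# Constructed sample in regedit's text-export format. The Run key is an
# assumption (Windows' standard autostart location); the article gives only
# the value name and data. Paths are made up for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundDriver"="C:\\Program Files\\Audio\\tray.exe"
"Krn132"="C:\\WINDOWS\\System32\\Krn132.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Tools\\krn132.exe\" /quiet"
'''

# "name"="string data"; backslashes and quotes are backslash-escaped.
# Only plain string values are parsed; hex-encoded value types are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
KLEZ_NAME = "krn132"
KLEZ_FILE_RE = re.compile(r'(?:^|[\\/"])krn132\.exe\b', re.IGNORECASE)

def parse_export(text):
    """Yield (key, value_name, string_data) for every string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def find_klez_autostart(text):
    """Return a finding for each value that matches the article's indicator."""
    findings = []
    for key, name, data in parse_export(text):
        reasons = []
        if name.lower() == KLEZ_NAME:
            reasons.append("value name")
        if KLEZ_FILE_RE.search(data):
            reasons.append("data path")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings

for f in find_klez_autostart(SAMPLE_EXPORT):
    print(f["key"], f["name"], f["data"], f["reasons"])
```

Exports written by regedit are normally UTF-16 files, so decode them to text before passing them in.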

Fortunately, you can identify these messages fairly easily, as the subjects are selected randomly from the following list. Most of the subjects are not surprising, to say the least.

A free hot porn site
Can you help me?
Don’t cry
Free XXX Pictures
How about have dinner with me together?
How are you?
Look at the pretty
Never kiss a stranger
Some advice on your shortcoming
We want peace
Where will you go?
Why don’t you reply to me?

If for some reason you decided to open the message anyway, the following would appear in the message body:

Can you help me?
Don’t call my names,I have no hostility.
How much my year-salary now? NO more than $5,500.
I want a good job,I must support my parents.
I’m sorry to do so,but it’s helpless to say sory.
Now you have seen my technical capabilities.
What do you think of this fact?
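A mail-triage check built on the subject and body strings listed above, added here as an example (it is not part of the original article): it parses a raw message, decodes an encoded subject header, and scores the message against those strings. The function name, verdict labels and sample message are constructed for illustration.

```python
import email
import re
from email import policy

# Subject and body strings quoted in the article; nothing else is matched.
KLEZ_SUBJECTS = [
    "A free hot porn site", "Can you help me?", "Don't cry",
    "Free XXX Pictures", "How about have dinner with me together?",
    "How are you?", "Look at the pretty", "Never kiss a stranger",
    "Some advice on your shortcoming", "We want peace",
    "Where will you go?", "Why don't you reply to me?",
]
KLEZ_BODY_LINES = [
    "Can you help me?", "Don't call my names,I have no hostility.",
    "How much my year-salary now? NO more than $5,500.",
    "I want a good job,I must support my parents.",
    "I'm sorry to do so,but it's helpless to say sory.",
    "Now you have seen my technical capabilities.",
    "What do you think of this fact?",
]

def _norm(text):
    """Lowercase; squeeze each run of non-alphanumerics to one space so
    curly/straight apostrophes and comma spacing cannot defeat a match."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

SUBJECTS = {_norm(s) for s in KLEZ_SUBJECTS}
BODY_LINES = [_norm(b) for b in KLEZ_BODY_LINES]

def triage(raw):
    """Score one raw message (bytes); policy.default decodes RFC 2047 subjects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_match = _norm(str(msg["Subject"] or "")) in SUBJECTS
    part = msg.get_body(preferencelist=("plain", "html"))
    body = f" {_norm(part.get_content())} " if part else ""
    hits = sum(f" {line} " in body for line in BODY_LINES)
    # Subjects such as "How are you?" are common in ordinary mail, so a
    # subject match alone only queues the message for review.
    if hits >= 2 or (subject_match and hits):
        verdict = "likely-klez"
    else:
        verdict = "review" if (subject_match or hits) else "clean"
    return {"subject_match": subject_match, "body_hits": hits, "verdict": verdict}

# Constructed sample: encoded-word subject with a curly apostrophe.
SAMPLE = (b"From: a@example.com\r\nTo: b@example.com\r\n"
          b"Subject: =?utf-8?q?Don=E2=80=99t_cry?=\r\n\r\n"
          b"I want a good job, I must support my parents.\r\n"
          b"Now you have seen my technical capabilities.\r\n")
print(triage(SAMPLE))
```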

Later versions of Worm Klez have the ability to copy an email address from an infected machine’s Outlook Express or Outlook address book and use it as the “From” address. Experts agree that this makes it nearly impossible for an average user to figure out which system is infected, and impossible for professionals to extract more than the system/computer’s Internet Service Provider (ISP).

According to Viruslist.com, “On the 13th of even months, the worm executes a payload routine, which fills all files on all available victim’s computer disks with random content. These files can’t be recovered and must be restored from a backup copy. There are several modifications of Klez: I-Worm.Klez.a-d are similar, and have minor differences. Klez.e-h are similar too, and have minor differences as well.”

How to Protect Your Computer System Against Worms and Viruses

With the right virus protection, worms and viruses can actually be stopped or, at the very least, repelled.

To get rid of worms and viruses, there are several free anti-worm and anti-virus downloads available on the web. Before downloading any type of free worm remover software, it is extremely important to make sure that the software originated from a trusted source. If you are running Windows, stick with Microsoft software downloads. Microsoft offers its “Windows Malicious Software Removal Tool” free of charge for its Windows operating system. The great thing about this free Trojan and worm removal tool is that it updates once each month and reports if malicious software is found.

Other anti-virus downloads include Norton AntiVirus and McAfee Antivirus. These software programs are not free. It is important to note that while the Microsoft Software Removal Tool helps remove infections, it does not prevent them. If you want added security, it’s best to install Norton or McAfee as well.

From Microsoft:

The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software including Blaster Worm, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. The tool creates a log file named mrt.log in the %WINDIR%\debug folder. Version 1.30 adds Win32/Allaple to the list of malicious software this tool detects.

You can download directly from the Microsoft website or Cnet.com.


Author: The Top Worm
