Search Site Map Home Feedback OIT Services Admin Apps Data Warehouse Network Project NEThics Research Svcs Teach Tech Telecomm Training Viruses Web Services Browse FAQS Admin Sys Calendaring Comm Deans Docs E-mail Linux LPCR Macintosh PC StarOffice Umail Unix Virus WAM/GLUE WebCT

Virus Alert: Klez

Last reviewed on Wednesday, 06-Mar-2002 14:11:59 EST

Virus Alert:  W32.Klez (Updated 2/21/02)

This virus, which affects Windows machines, spreads via email and over network shares and has spread to a number of student computers on the university network.  The virus makes use of a known security flaw in Outlook Express and Outlook that allows the virus to activate automatically when the infected email message is read or previewed.  An infected machine will send out email messages with random subject lines and message text to any email addresses it finds on the infected system.  The virus will also attempt to destroy certain files on the system on either the 6th or 13th day of the month.
 

Further Details

There are a number of variants to the Klez virus. The version that is spreading through the university network seems to have the following characteristics:

• If the infected email is read or previewed using Outlook Express 5 or 5.x (or Outlook), and if Outlook Express or Outlook has not received the proper security patch, the virus will activate itself. If the email is viewed with another, non-Microsoft email client (such as Netscape), the virus will not activate but the message may appear to be blank.
• Once activated, the virus copies itself to the %System% directory (where %System% is either C:\Windows\System or C:\Winnt\System32, depending on your operating system) with a filename that begins with wink, followed by random characters. Example: winkzd or . This files tends to be set as a hidden file.
• It creates one or both of the following registry keys to ensure that it is activated whenever Windows starts:
  • HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run\Wink[random charcters] %System%\Wink[random characters].exe
  • HKEY_Local_Machine\System\CurrentControlSet\Services\Wink[random characters]
• It attempts to disable anti-virus programs that monitor system activity.
• It copies itself to local, mapped, and network drives as either a random file name with 2 file extensions (example: filename.mp3.exe) or a .RAR archive file (example: filename.txt.rar)
• It looks for email addresses in the Windows Address Book, the ICQ database (if you run ICQ) and random .html and text files on the hard drive, then sends mail to each of these addresses. In some cases, it actually uses one of those email addresses and put it in the From line of the email it sends out.
• On the 6th day of any month that is not January or July, it will overwrite files on the hard drive with the extensions .txt, .html, .doc, .mp3, .htm, .wab, .cpp, .c, .pas, .mpg, .mpeg, or .bak. If the month is January or July, it will try to overwrite all files on the hard drive.

Further details about this virus are available at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
http://www.data-fellows.com/v-descs/klez.shtml
 

Avoiding the Virus

Users of Outlook Express 5 and 5.5 are strongly encouraged to protect themselves by installing the security patch that will prevent this virus from activating itself automatically when they read or preview an infected message.  The patch is available at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

If you have unprotected shared folders on your computer, you should disable those shares to prevent the virus from copying itelf from an infected computer to your computer. James Madison University has a good web page on the dangers of file sharing and how to disable file sharing on Windows machines at http://www.jmu.edu/computing/info-security/engineering/issues/desk/msfileshar.shtml.
 

Removing the Virus

Click on the link below to visit the comprehensive list of steps for removing the Klez virus (you will need to have a WAM account in order to access this page):

http://www.helpdesk.umd.edu/virus/removeklez