Warning: Klez.E worm activates the 6th

[Paul Wilders]

the Klez.E email worm will activate destructively tomorrow, on 6th of month. Klez.E is among the ten most common viruses wordwide.

Klez.E was originally found in January 2002. It has been getting steadily more common over the last weeks and by now it has become one of the most common viruses in USA, Europe and Asia.

Klez.E activates on every 6th of the month, but the activations in January and February 2002 were causing relatively small damage. Situation is now more serious.

Klez.E is a very complex virus. It sends itself via e-mail using a wide variety of different messages, including messages which look like virus warnings. Sometimes Klez fakes the e-mail sender, making it look like an
innocent bystander has been spreading the virus. Klez.E also fights against various anti-virus products, trying to delete them.

In addition, the e-mail attachments sent by Klez can execute automatically on some systems, causing infection by just reading or viewing an infected e-mail message.

"Klez.E activation routine is destructive", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "It overwrites data files such as Word DOC files, Excel XLS files, MP3 music files, website HTML contents
and ASCII text files. Even worse, it does this not only on the infected machine but also in the local network. One infected PC with write access can overwrite data companywide".

The Klez virus family is apparently written by a single virus writer somewhere in Asia, as they contain texts such as "made in Asia", "Well paid jobs are wanted", "I want a good job, I must support my parents", and "I want a salary of $5500 a month".

some screen shots:

http://www.f-secure.com/virus-info/v-pics/klez_e1.jpg

http://www.f-secure.com/virus-info/v-pics/klez_e2.jpg

Thus: take care!

regards.

paul

[wizard]

Kaspersky has a free removal tool for this virus.

ftp://ftp.kaspersky.com/utils/clrav.zip

wizard