Klez Worm Virus Information and Removal Help

What is Klez Worm and How Did I Get It?
Klez was the most widespread virus in 2002, and continued its dominance of the virus world for 2 years. Its a mass-mailing worm that exploits a vulnerability that opens an executable attachment even in Microsoft Outlook's preview pane. More information about this vulnerability is available at Microsoft Security Bulletin and a security update is available at Microsoft's Security Update.

Klez employs a number of random actions that make it hard for many computer users to identify the virus when it arrives in their inboxes. The virus arrives in e-mails with varying subject lines, or sometimes appears to be a bounced e-mail or a tool that can purge Klez from an infected system. It spoofs the From line in the email, deceiving the recipient as to who sent them the virus.

Recipients of the virus-laden e-mails, not understanding that the "From" information is virtually always phony -- or even that they have received a virus -- have been clogging networks with angry and confused e-mails that are causing a great deal of cyber-havoc.

People signing up for newsletters and mailing lists that they never subscribed to has been a major source of frustration for both users and the list owners.  If Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.

It obtains the email addresses that it places in the FROM: field from the infected user's address book. This causes a non-infected user to appear as the person who has sent this worm's malicious email. It does this to hide the real sender of the infected email. The actual email address of the sender is found in the Envelope From field.

The subject of the email it sends is composed in a complex manner.

  1. The subject may contain any of the following substrings:
    • how are you
    • let's be friends
    • darling
    • so cool a flash,enjoy it
    • Your password
    • honey
    • some questions
    • please try again
    • welcome to my hometown
    • the Garden of Eden
    • introduction on ADSL
    • meeting notice
    • questionnaire
    • congratulations
    • sos!
    • japanese girl VS playboy
    • look,my beautiful girl friend
    • eager to see you
    • spice girls' vocal concert
    • japanese lass' sexy pictures
    • Undelivarable mail-“%s”
    • Returned mail-“%s”

    %s is a random string.

  2. The subject may also be any of the following:
    • a %s %s game
    • a %s %s tool
    • a %s %s Web site
    • a %s %s patch
    • %s removal tools

    %s can be any of the following:

    • new
    • funny
    • nice
    • humour
    • excite
    • powful
    • WinXP
    • IE 6.0
    • W32.Elkern
    • W32.Klez.E
    • Symantec
    • Mcafee
    • F-Secure
    • Sophos
    • Trendmicro
    • Kaspersky

It gathers email addresses from the entries of the default Windows Address Book (WAB). The path and filename of these are identified in the following registry entry:

WAB\WAB4\Wab File Name = “<file and pathname of the WAB file>

The worm also gathers a list of addresses from the following files that are stored on the infected user’s computer:

  • EXE
  • SCR
  • PIF
  • BAT
  • TXT
  • HTM
  • HTML
  • WAB
  • DOC
  • RTF
  • XLS
  • JPG
  • CPP
  • C
  • PAS
  • MPG
  • MPEG
  • BAK
  • MP3
  • PDF

This worm also infects EXE files. To infect, it encrypts (compresses) the target file and then modifies the file extension with a random name. It also modifies the attributes of the file and sets these to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file.

This worm makes sure that its filesize is the same as that of the infected file. To do this, it pads garbage at the end of the infected file.

Similar to WORM_KLEZ.A, this new worm has several threads that accomplish its propagation and payload mechanisms. Its main features are as follows.

  • Dropping of PE_ELKERN.D
    The worm drops a randomly named file in the ProgramFilesDir (usually C:\Program Files). Approximately 10KB in size, this program can infect files in network shared folders and disable system file protection. It can also infect EXPLORER.EXE in memory. This program is detected as PE_ELKERN.D. Oftentimes, it deletes itself after running.
    • Network Infection
      This worm is capable of spreading via shared drives/folders with read/write access. To accomplish this, it enumerates all the shared resources of the network. For shared folders with read/write access, it copies itself to files with randomly generated filenames. The dropped files have the following extensions:
      • .EXE
      • .PIF
      • COM
      • BAT
      • SCR
      • RAR

      Occasionally, this worm copies itself to a random filename double extensions. The first extension name can be any of the following:

      • EXE
      • SCR
      • PIF
      • BAT
      • TXT
      • HTM
      • HTML
      • WAB
      • DOC
      • RTF
      • XLS
      • JPG
      • CPP
      • C
      • PAS
      • MPG
      • MPEG
      • BAK
      • MP3
      • PDF

      The second extension can be any of the extension names first listed.

      It then constructs the HTML mail, which contains the base64 encoded worm copy. It randomly generates the filename of the attachment.

      It obtains its SMTP server from the registry as follows:

      Internet Account Manager\Accounts\, SMTP Server

      It then sends out to the SMTP server commands to create and send an email. The actual subject and body of the email may be randomly composed.

      It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.

      The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi so that when recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook.

      More information about this vulnerability is available at Microsoft’s Security Bulletin.

    • Antivirus Retaliation Procedure
      The worm disables the running processes, and occasionally deletes the executable files of programs associated with the following names of antivirus products:
      • _AVP32
      • _AVPCC
      • NOD32
      • NPSSVC
      • NRESQ32
      • NSCHED32
      • NSCHEDNT
      • NSPLUGIN
      • NAV
      • NAVAPSVC
      • NAVAPW32
      • NAVLU32
      • NAVRUNR
      • NAVW32
      • _AVPM
      • ALERTSVC
      • AMON
      • AVP32
      • AVPCC
      • AVPM
      • N32SCANW
      • NAVWNT
      • ANTIVIR
      • AVPUPD
      • AVGCTRL
      • AVWIN95
      • SCAN32
      • VSHWIN32
      • F-STOPW
      • F-PROT95
      • ACKWIN32
      • VETTRAY
      • VET95
      • SWEEP95
      • PCCWIN98
      • IOMON98
      • AVPTC
      • AVE32
      • AVCONSOL
      • FP-WIN
      • DVP95
      • F-AGNT95
      • CLAW95
      • NVC95
      • *SCAN* (any character can be in place of *)
      • *VIRUS* (* is any character)
      • LOCKDOWN2000
      • Norton
      • Mcafee
      • Antivir
      • TASKMGR

      The worm also scans for the above strings, and deletes them if found as values in the following registry key:


      Finally, the worm searches for and then deletes the following files:

      • ANTI-VIR.DAT
      • CHKLIST.MS
      • IVB.NTZ
      • AVGQT.DAT
      • AGUARD.DAT

How to Clean/Delete the Klez Worm?

The Klez worm should be cleaned from your system by using a virus removal tool offered by Symantec. Click below to read about and download the Klez virus removal tool.


Because the Klez virus often disables or corrupts antivirus software running on the infected computer. You should reinstall your antivirus software after cleaning the Klez virus from your system.


space.gif (58 bytes)


Search PCHell.com
site search by freefind advanced


Tools for Removing Spyware, Adware, and Malware

Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page


iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad

Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.

Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)


Return to PC Hell
Return to PC Hell