Free Defense against the Internet Worm KLEZ

08 Feb 2002
Virus News

Kaspersky Lab has released a special utility.

In connection with the numerous infections caused by the latest modification of the Internet worm Klez (Klez.e), Kaspersky Lab has developed a free utility for detecting and deleting this malicious program. The utility can be downloaded from the KL corporate site.

We remind users that the first Klez version appeared this past October. Today, Kaspersky Lab knows of five Klez modifications, with the latest version, Klez.e, posing the most serious threat to computer safety.

Klez.e sends itself via e-mail, using SMTP to send the messages. The subject of the e-mail is chosen at random from the following variants:
Hi,
Hello,
Re:
Fw:
how are you
let's be friends
darling
don't drink too much
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
Japanese lass' sexy pictures
The body of an infected message is empty or contains random text. The malicious program is launched automatically when an e-mail is viewed. To accomplish this, the worm uses a security breach in Internet Explorer safety features that was discovered nearly a year ago, in March 2001.

Following start-up, Klez.e installs itself into a Windows system file with a random name beginning with 'Wink', for example 'Winkad.exe'. The worm searches for links to EXE files in the registry key Software\Microsoft\Windows\CurrentVersion\App Paths and attempts to infect any applications it finds. Klez.e also infects RAR archives by writing copies of itself into them under a random name, and on the 6th of odd months (January, March, etc.) it searches for all files on an infected computer and fills them with random contents. These files cannot be recovered and must be restored from a back-up copy. In addition, the worm attempts to halt the operation of well-known anti-virus programs by forcibly terminating their executables among the computer's active processes.

Defense procedures against Klez.e were added to the Kaspersky Anti-Virus database more than two weeks ago. A free utility for detecting and deleting Klez can be downloaded here. We also recommend temporarily not using the preview function in e-mail programs.
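The traits described above (the fixed set of subject lines, the worm arriving as an executable attachment, the 'Wink*.exe' install name and the 6th-of-odd-months payload date) can be turned into simple defensive indicator checks that a mail administrator could run over incoming messages or a file listing. The following is an added example written for this page; it is not Kaspersky Lab's utility or any code from the bulletin. The sample e-mail and file paths are constructed, and the list of executable extensions treated as suspicious is an assumption of the example, not something the bulletin states.

```python
"""Defensive indicator checks for the Klez.e traits in the bulletin above.

Added example, not Kaspersky Lab's utility. All sample data is constructed.
"""
import datetime
import email
import fnmatch
import ntpath
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subject variants listed in the bulletin, compared case-insensitively
# after stripping surrounding whitespace.
KLEZ_SUBJECTS = {s.lower() for s in [
    "Hi,", "Hello,", "Re:", "Fw:", "how are you", "let's be friends",
    "darling", "don't drink too much", "your password", "honey",
    "some questions", "please try again", "welcome to my hometown",
    "the Garden of Eden", "introduction on ADSL", "meeting notice",
    "questionnaire", "congratulations", "sos!", "japanese girl VS playboy",
    "look,my beautiful girl friend", "eager to see you",
    "spice girls' vocal concert", "Japanese lass' sexy pictures",
]}

# Assumption of this example: attachment extensions worth flagging.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")


def subject_matches_klez(subject):
    """True if the subject is one of the bulletin's Klez.e subject variants."""
    return subject.strip().lower() in KLEZ_SUBJECTS


def executable_attachments(msg):
    """Return the filenames of attachments with an executable extension."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def klez_indicators(raw_message):
    """Parse an RFC 822 message and list which Klez.e indicators it shows."""
    msg = email.message_from_string(raw_message)
    reasons = []
    if subject_matches_klez(msg.get("Subject", "")):
        reasons.append("subject")
    if executable_attachments(msg):
        reasons.append("executable attachment")
    return reasons


def is_klez_dropper_name(path):
    """Heuristic: a 'Wink*.exe' file in the Windows system directory.

    This matches the install name the bulletin describes; a hit is a
    candidate for review, not proof of infection.
    """
    directory, name = ntpath.split(path)
    in_system_dir = directory.lower().rstrip("\\").endswith(("\\system", "\\system32"))
    return in_system_dir and fnmatch.fnmatch(name.lower(), "wink*.exe")


def is_klez_payload_date(day):
    """True on the 6th of an odd month, when the file-destroying payload fires.

    Useful for scheduling a verified backup before that date.
    """
    return day.day == 6 and day.month % 2 == 1


def build_sample_message():
    """Constructed sample shaped like the bulletin's description: a listed
    subject, an empty body and an .exe attachment. Not a real worm sample."""
    msg = MIMEMultipart()
    msg["Subject"] = "let's be friends"
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.attach(MIMEText(""))
    attachment = MIMEApplication(b"not a real executable", Name="winkad.exe")
    attachment["Content-Disposition"] = 'attachment; filename="winkad.exe"'
    msg.attach(attachment)
    return msg.as_string()


def build_clean_message():
    """Constructed benign message for comparison."""
    msg = MIMEText("Hello, the meeting is at three.")
    msg["Subject"] = "Project update"
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    return msg.as_string()


if __name__ == "__main__":
    print("suspicious:", klez_indicators(build_sample_message()))
    print("clean:", klez_indicators(build_clean_message()))
    print("dropper name:", is_klez_dropper_name(r"C:\WINDOWS\SYSTEM32\Winkad.exe"))
    print("payload date:", is_klez_payload_date(datetime.date(2002, 3, 6)))
```

The subject check alone is a weak signal, since 'Re:' or 'Hello,' also occur in normal mail; combining it with the executable-attachment check, as `klez_indicators` does, gives a far lower false-positive rate, and the message can then be quarantined for review rather than previewed, which is exactly the behaviour the bulletin's advice to disable mail preview is guarding against.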