Klez.E spreads a version of the ElKern virus that infects Windows 98, Me, 2000 and XP systems.

(1/18/02; last updated 9/5/02)

A variation of an old worm is set to trigger its destructive payload on the sixth day of March, May, September, and November. Klez.E (w32.Klez.E@mm) is sometimes called the Twin Virus because the worm is used to spread an upgraded version of the ElKern virus (w32.elkern.b). This variation infects Windows 98, Me, 2000, and XP, attempting to corrupt files on these systems without changing their sizes. Although less widespread than its popular cousin, Klez.h, Klez.E could damage files on your computer, and ranks a 7 on the CNET Virus Meter.

How it works
Klez.E arrives by e-mail or can be spread by sharing infected files on a network. If it arrives by e-mail, the subject line is randomly chosen from the following list:

How are you
Let's be friends
Darling
Don't drink too much
Your password
Honey
Some questions
Please try again
Welcome to my hometown
the Garden of Eden
introduction on ADSL
Meeting notice
Questionnaire
Congratulations
Sos!
japanese girl VS playboy
Look,my beautiful girl friend
Eager to see you
Spice girls' vocal concert
Japanese lass' sexy pictures

The body text may be blank. The attached filename itself is random with either a PIF, SCR, EXE, or BAT extension.

Like several other recent worms, Klez.E also attempts to disable antivirus software installed on the infected computer. For more details regarding the original Klez worm, see this alert.

The big difference with Klez.E is that it drops an upgraded version of the ElKern virus into infected machines. ElKern.B (w32.elkern.b) now runs under Windows 98, Me, 2000, and XP. ElKern.B adds a hidden file, wqk.exe, to Registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK, which is in Windows 98 and Me. Under Windows 2000 and XP, it adds wqk.dll to Registry key HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs. These files are added so that ElKern.B runs anytime Windows is run. ElKern.B can corrupt files without changing the files' sizes.

Prevention
Klez.E uses a well-known vulnerability in Outlook Express that is included in versions of Internet Explorer 5.01 and 5.5. Microsoft has previously released a patch for this. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6 using the full installation setting.

Removal
Most antivirus software companies have updated their signature files to include Klez.E. Updating these files will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, F-Secure, Norman, Panda, Sophos, Symantec, and Trend Micro.

For more information on the associated virus, ElKern.B, see Sophos.

For additional information on this worm, see News.com