Windows W32.Klez worm (04/23/02)
Several variants of the "Klez" e-mail worm continue to circulate at Cornell. This worm affects Windows computers. The following description attempts to encompass several variants. For details on a particular variant, please see Symantec's virus information.
"Klez" can be difficult to recognize. Typically it arrives as an e-mail message with a random subject line and message body. The worm itself is an attachment, also randomly named, ending in the extension .bat, .exe, .pif or .scr. The "from" address may be one you know: the worm fills it in with addresses harvested from the infected computer, so the apparent sender is not necessarily the infected party.
Do not launch the attached file. If launched, the "Klez" worm will attempt to disable antivirus software. It may copy itself to the computer's hard drive and spread via files shared over a network. It will search the computer for e-mail addresses and attempt to mail itself to those addresses. Those addresses may also be used randomly in the "from" field, presumably to make the worm-generated messages seem legitimate to the recipients. The worm may randomly choose a file to attach to the e-mail message, so confidential or personal information could be exposed. Finally, the worm may damage some files.
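The naming pattern described above can be checked mechanically at a mail gateway before a message reaches a user. The following Python script is an added example for this page, not code from the original notice or from Symantec: it parses a MIME message, takes the final extension of each attachment filename (Windows chooses the program that opens a file from its last extension, so a name such as notes.txt.exe is still executable) and flags the four extensions the notice lists. The three messages in it are constructed samples, not real worm mail; the base64 payload is a harmless placeholder.

```python
"""Flag e-mail messages carrying executable attachments of the kinds the
Klez notice describes (.bat, .exe, .pif, .scr).

Added example for this page; the sample messages below are constructed and
contain no real worm code."""
import email
import os
from email import policy
from typing import List

# Extensions named in the notice.  Windows chooses the handler from the LAST
# extension, so a double-extension name such as "notes.txt.exe" still runs as
# a program and is caught by splitting off only the final extension.
EXECUTABLE_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}


def executable_attachments(raw_message: str) -> List[str]:
    """Return the filenames of attachments whose final extension is executable.

    The filename is taken from Content-Disposition when present, otherwise
    from the Content-Type name= parameter, so a part that names itself only
    in Content-Type is still examined.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or a multipart container, not an attachment
        _, ext = os.path.splitext(name.strip().lower())
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def should_quarantine(raw_message: str) -> bool:
    """Policy hook: any executable attachment is enough to hold the message."""
    return bool(executable_attachments(raw_message))


# Constructed sample 1: random-looking subject, double-extension attachment,
# "From" set to an address the recipient would recognize (as the worm does).
WORM_LIKE = """\
From: colleague@example.edu
To: you@example.edu
Subject: Re: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Have a look at this.

--b1
Content-Type: application/octet-stream; name="setup.txt.exe"
Content-Disposition: attachment; filename="setup.txt.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed sample 2: filename given only in the Content-Type name=
# parameter, with an upper-case extension.
SCREENSAVER = """\
From: colleague@example.edu
To: you@example.edu
Subject: Re: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Enjoy.

--b2
Content-Type: application/octet-stream; name="photo.SCR"
Content-Transfer-Encoding: base64

aGVsbG8=
--b2--
"""

# Constructed sample 3: an ordinary text attachment that must be delivered.
BENIGN = """\
From: friend@example.edu
To: you@example.edu
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

Notes attached.

--b3
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Agenda item 1
--b3--
"""

if __name__ == "__main__":
    for label, sample in (("worm-like", WORM_LIKE),
                          ("screensaver", SCREENSAVER),
                          ("benign", BENIGN)):
        verdict = "quarantine" if should_quarantine(sample) else "deliver"
        print(label, verdict, executable_attachments(sample))
```

A filter of this kind blocks the delivery vector, not the worm itself: it says nothing about whether the "from" address is genuine, and a renamed or archived attachment would pass it, so it complements rather than replaces current antivirus definitions.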
What you should do
- If you use Internet Explorer 5.01 or 5.5 and have not installed Service Pack 2 from Microsoft, do so now, or upgrade to Internet Explorer 6. This matters even if you never browse with Internet Explorer: Outlook Express uses its HTML rendering engine to display messages, so the same flaw can let a worm attachment run as soon as a message is displayed. If you use Outlook Express, please also read the Microsoft bulletin on how to block the "Klez" worm from being launched automatically.
- Update your Norton AntiVirus definitions. Variants of "Klez" (up through the "H" variant) are detected by Norton AntiVirus software that has been updated to the 04/17/2002 virus definition file (or a newer file). You can get this file by running your Norton AntiVirus software and choosing Live Update. Or you can download it directly from the Symantec web site.
- Scan attachments with Norton AntiVirus. It can be set up to do this automatically. Scanned or not, don't launch attachments if you were not expecting them. "Klez" can forge the "from" address when it e-mails itself, so you may get infected messages from people you know. Take the extra time to double-check with the sender if you're in doubt.
If you suspect your computer has been infected, use Symantec's Klez removal tool to remove the worm. If you need more assistance, please contact the HelpDesk.
Last modified: May 1, 2002