Beware of Klez - Newest e-mail virus

Detected only last week (April 17' 2002), Klez virus has taken notorious proportion in a very short span of time causing large scale destruction and mayhem in e-mail community. Symantec (Norton Anti-Virus) has been quick to upgrade the threat level from level 2 to level 3 within a week !

Like many of its predecessors, Klez virus comes as attachment in e-mail. However, unlike its predecessors, the e-mail disguises as a friendly tip or warning from someone YOU REGULARLY RECEIVE MAIL.

Not that apparent sender's computer is infected, but the virus is intelligent enough to pick up as sender such a mail address from infected computer's Inbox, Outbox, Address Book or ICQ that is unlikely to raise suspicion in receiver's mind.

We have received e-mails laced with Klez virus that seem to have originated from as varied and dependable sources as Worldbank, Yahoo, and even !

So, if you receive e-mail from infobanc with file attachment - DELETE IT IMMEDIATELY ! We never send e-mail with file attachment without prior permission from receiver.


Symantec ( has given detail information on how to detect e-mails containing Klez virus. The e-mail will have one or two file attachments and a Subject line like following:

  • Undeliverable mail--"[Random word]" 
  • Returned mail--"[Random word]" (e.g. Returned mail--"honey" )
  • a [Random word] [Random word] game (e.g. A special excite game)
  • a [Random word] [Random word] tool (e.g. A very useful tool
  • a [Random word] [Random word] website (e.g. A very funny website)
  • a [Random word] [Random word] patch (e.g. A IE 6.0 patch)
  • [Random word] removal tools
  • how are you
  • let's be friends
  • darling
  • so cool a flash,enjoy it
  • your password
  • honey
  • some questions
  • please try again
  • welcome to my hometown
  • the Garden of Eden
  • introduction on ADSL
  • meeting notice
  • questionnaire
  • congratulations
  • sos!
  • japanese girl VS playboy
  • look,my beautiful girl friend
  • eager to see you
  • spice girls' vocal concert
  • japanese lass' sexy pictures


According to Symantec, the virus can impart damages in following ways:


This worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

Large scale e-mailing:

This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.

Releases confidential info:

Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment.


For all its stealth technology and intelligence, fortunately detection of Klez virus and removal is not difficult. First of all, if you delete the e-mail without opening the file attachment -you are safe. In case you or your staff accidentally opens the attachment and the computer gets infected, detection and removal is comparatively easy. The virus binds itself to a random file in Windows/System directory. Symantec has given step by step instruction on how to detect its presence from Windows Registry file. In case you find your system infected, follow the removal instructions in site.

Related Links:

Source: FAIDA - Newsletter on Business Opportunties from India and Abroad Vol: 3, Issue 4 April 25' 2002

Author : Dr. Amit K. Chatterjee
(Amit worked in blue-chip Indian and MNCs for 15 years in various capacities like Research and Information Analysis, Market Development, MIS, R&D Information Systems etc. before starting his e-commerce venture in 1997. The views expressed in this columns are of his own. He may be reached at )

� All Rights Reserved. Limited permission is granted to publish this article in a web-site or printed in a journal/ newspaper/ magazine provided the publisher takes prior permission from author, do not make any change in the article (i.e. keep it exactly same as displayed above) and cite the Source of this article as The Great Indian Bazaar with a link to this page.