Klez.H Epidemic
User negligence or failed protection?

The Klez.H worm, first discovered on April 17, 2002, may soon gain the distinction of being one of the longest-running prevalent threats. In February 2003, a full 10 months after its initial release into the wild, Klez.H still topped the 'most prevalent viruses' charts of antivirus vendors and messaging service providers. What makes Klez.H so successful?

Some speculate the fault lies with those who don't update their antivirus software frequently enough. Graham Cluley, senior technology consultant at Sophos Anti-Virus, noted in a Sophos press release that, "Protection against Klez has been available for as long as the worm has been (in) circulation. The only possible explanation for its continued 'success' is that some users are habitually neglecting to update their anti-virus software."

But is there another possible explanation?

Theoretically, if a user had updated their antivirus software definition files even once since April 17, 2002, they would be protected against the Klez.H worm. Isn't it reasonable to expect that even the most negligent among us would have applied at least one update in a year's time? And while there is certainly always going to be a minority of users who do fall into the no-protection category, could this small number of users account for the continued plague of Klez.H? Further, wouldn't that same segment be equally susceptible to other email worms and viruses and thus wouldn't the level of Klez.H infections be comparable to those others? The answers to these questions indicate that something else, other than users' negligence, might be responsible for the continued prevalence of Klez.H. And that 'something else' just might be the scanners themselves.

Is your protection protecting?

While Klez.H does not include a typical payload, it does have the nasty side-effect of disabling antivirus and security software on the system. Many, if not most, of the antivirus products have no built-in mechanism to thwart such an attempt. Considering that many users undoubtedly rely on automatic updating to protect them, a large segment of users may be oblivious to the fact that no updates have occurred or, if updates have occurred, that real-time protection is disabled and thus unable to alert on the infection. Klez.H also copies itself to network drives, meaning that even if an infection is detected and cleaned on one machine, that machine may quickly become reinfected once reconnected to the network.

Compounding matters, a Klez.H infection is not considered easy to remove. Indeed, antivirus vendor Symantec rates the removal as difficult. To assist in proper removal and to overcome the problem of antivirus software that has been incapacitated by the worm, many vendors have created free tools designed to effectively remove Klez from the system. Chief among these is the McAfee AVERT Stinger, notable for its ease of use and its ability to handle a handful of other equally stubborn infectors in addition to Klez.H.

To summarize, user negligence may not be the root of the continued Klez.H epidemic. However, users can play a substantial role in curtailing the rate of infection. First, make sure your antivirus software is working properly. An EICAR Test File can be easily created for this purpose. Second, make sure your update mechanism is working properly. Try running it manually to ensure it is functioning. Downloading and running a tool such as the McAfee AVERT Stinger will quickly identify and remove Klez.H. Make sure you've followed the steps outlined in the Email Help Center to prevent viruses like Klez from automatically executing email attachments. Also, pay a visit to the Windows Update Center to ensure your Windows operating system is patched against known vulnerabilities. Finally, consider using a product such as MailDefense, which will prevent email worms from entering or leaving your system, even if you're already infected.
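One way to run the EICAR check described above and interpret what the scanner does, as an added example that is not part of the original article. The file name `eicar_selftest.com`, the outcome labels and the default wait time are assumptions made for this example.

```python
import os
import tempfile
import time

# Standard 68-byte EICAR test string (harmless by design), split in two so
# that a scanner does not flag this script itself.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-"
         + "STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def check_realtime_protection(directory, wait_seconds=5.0):
    """Drop an EICAR file and report whether on-access scanning reacted.

    Returns "BLOCKED_ON_WRITE", "REMOVED", "BLOCKED_ON_READ" or
    "NOT_INTERCEPTED". The directory must exist and be writable.
    """
    path = os.path.join(directory, "eicar_selftest.com")  # assumed file name
    try:
        try:
            with open(path, "wb") as fh:
                fh.write(EICAR)
        except OSError:
            return "BLOCKED_ON_WRITE"     # scanner refused creation of the file
        deadline = time.monotonic() + wait_seconds
        while True:
            if not os.path.exists(path):
                return "REMOVED"          # deleted or moved to quarantine
            try:
                with open(path, "rb") as fh:
                    if fh.read() != EICAR:
                        return "REMOVED"  # content neutralised in place
            except OSError:
                return "BLOCKED_ON_READ"  # scanner denies access to the file
            if time.monotonic() >= deadline:
                return "NOT_INTERCEPTED"  # nothing reacted within the wait time
            time.sleep(0.5)
    finally:
        try:
            os.remove(path)               # clean up if the file is still there
        except OSError:
            pass                          # already gone, or locked by the scanner

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = check_realtime_protection(tmp)
    print("Real-time protection check:", result)
    if result == "NOT_INTERCEPTED":
        print("No reaction to the EICAR file: confirm the scanner is running "
              "and that its definitions are current.")
```

A `NOT_INTERCEPTED` result on a machine that is supposed to have real-time scanning enabled is the silent failure the article describes, and is the cue to run a standalone removal tool and re-check the update mechanism.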


©2009 About.com, a part of The New York Times Company.

All rights reserved.