The Klez.H worm was reported to be spreading rapidly in parts of Asia on April 17, 2002. Antivirus developer Panda Software reports that the new worm travels in an email carrying one of the following subjects:
A new website
Introduction on ADSL
Fwd:virus,Japanese lass' sexy pictures
A very new game
NOSHADE CLASS
The body of the message reads as follows:
This is a new website.I wish you would like it
or, alternatively, as
This game is my first work.
You're the first player.
I hope you would enjoy it.
However, according to antivirus developer F-Secure, an even more insidious message may be sent:
Subject:
Worm Klez.E immunity
Body:
Klez.E is the most common world-wide spreading worm.It's very
dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus
technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious
virus.
You only need to run this tool once,and then Klez will never
come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real
worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.
Though the 'mail to me' text is presented as a link to the sender's e-mail address, F-Secure warns that this address is not always the real sender's. Spoofing of the sender's name and address is not unique to Klez.H; the same behavior is present in Klez.E as well.
The attachment will have a BAT, EXE, PIF, or SCR extension. However, Klez.H takes advantage of a well-known weakness in the default settings for Windows, which hide the final extension of a filename and so allow a double-extension filename to appear as a benign file type. Visit the Executable File Attachments center for instructions on changing these default settings to ensure you are not vulnerable to this bit of social engineering.
Klez.H also takes advantage of a vulnerability in unpatched versions of Microsoft's Internet Explorer 5.01 and 5.5 which can allow attachments to be executed automatically simply by reading, or in some cases previewing, the email message. Outlook, Outlook Express, and any other mail client that relies upon Internet Explorer to render HTML email messages are vulnerable to this exploit. The vulnerability is an old one, first patched in March 2001. To ensure your system is fully patched, visit the Windows Update site, check for Product Updates, and install any marked Critical. Checking for and installing security patches should be considered routine maintenance and should be done at least monthly.
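The two preceding paragraphs describe what a defender can actually inspect: the attachment arrives with an executable extension (BAT, EXE, PIF or SCR), often disguised behind a second, benign-looking extension, and the subject lines are drawn from a short known list. The following script is an added example, not code from the original article or from any of the antivirus vendors it cites. It parses a raw message with Python's standard email library and flags attachments by real extension and by double extension, and it checks the subject against the list reported above. The sample message, the filename pictures.jpg.scr and the attachment bytes are constructed for illustration; the set of benign-looking extensions is an assumption and is not exhaustive.

```python
"""Flag risky attachments and known subjects in a raw e-mail message.

Added example for illustration; not from the original article. The
executable extensions and the subject lines are the ones the article
reports; everything else here is constructed.
"""
import email
from email import policy

# Extensions the article names as Klez.H carriers. Windows runs all four.
EXECUTABLE_EXTENSIONS = {"bat", "exe", "pif", "scr"}

# Extensions a recipient would expect to be harmless (assumption, not exhaustive).
BENIGN_LOOKING_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "htm", "html", "zip"}

# Subject lines reported for Klez.H in the article.
KNOWN_SUBJECTS = {
    "A new website",
    "Introduction on ADSL",
    "Fwd:virus,Japanese lass' sexy pictures",
    "A very new game",
    "NOSHADE CLASS",
    "Worm Klez.E immunity",
}


def classify_filename(filename):
    """Return the reasons a filename is risky; an empty list means none found.

    With Windows' default setting the final extension is hidden, so a name
    like 'pictures.jpg.scr' is displayed as 'pictures.jpg'. The check keys on
    the real last extension and then looks for a benign-looking one before it.
    """
    reasons = []
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return reasons
    last = parts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{last}")
        if len(parts) >= 3 and parts[-2] in BENIGN_LOOKING_EXTENSIONS:
            shown = ".".join(parts[:-1])
            reasons.append(f"double extension: displays as '{shown}' with extensions hidden")
    return reasons


def scan_message(raw_bytes):
    """Parse an RFC 2822 message and report a known subject and risky attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_filename(name)
        if reasons:
            attachments.append((name, reasons))
    return {"known_subject": subject in KNOWN_SUBJECTS, "attachments": attachments}


# Constructed sample message; the attachment payload is placeholder bytes, not a program.
SAMPLE_MESSAGE = b"""From: someone@example.invalid
To: recipient@example.invalid
Subject: A very new game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

This game is my first work.
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--XYZ
Content-Type: application/octet-stream; name="pictures.jpg.scr"
Content-Disposition: attachment; filename="pictures.jpg.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

if __name__ == "__main__":
    result = scan_message(SAMPLE_MESSAGE)
    print("known subject:", result["known_subject"])
    for name, reasons in result["attachments"]:
        print(name, "->", "; ".join(reasons))
```

Run as a script it reports the known subject and the single risky attachment; notes.txt is left alone because its real extension is not executable. A gateway filter would typically quarantine on the extension check alone and treat the subject match only as corroborating evidence, since the subject list changes with each variant while the executable extensions do not.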