Klez / ElKern Worm

** Virus Alert: KLEZ / ELKERN **

This information from the Symantec Antivirus Resource Center:

This worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension. To fix either of these viruses or to search for the virus on your computer, please download the Symantec-provided fix here. (Right click on the link and save the file to your hard drive. The file is zipped, as some people were trying to run the file over the Internet. If you do not have WinZip on your PC, you can download it from www.winzip.com. After you have unzipped the file, open your My Computer on your desktop, find the file where you saved it on your hard drive and double click it to run.)

This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

Anti-Vir.dat
Chklist.dat
Chklist.ms
Chklist.cps
Chklist.tav
Ivb.ntz
Smartchk.ms
Smartchk.cps
Avgqt.dat
Aguard.dat

Local and Network Drive copying:
The worm copies itself to local, mapped, and network drives as:

A random file name that has a double extension. For example, Filename.txt.exe.
A .rar archive that has a double extension. For example, Filename.txt.rar.

Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The From address is randomly-chosen from email addresses that the worm finds on the infected computer.

The worm will search files that have the following extensions for email addresses:

mp8
.exe
.scr
.pif
.bat
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf

In addition to the worm attachment, the worm also may attach a random file from the computer. The file will have one of the following extensions:

mp8
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf

As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly-selected file.

The email message that this worms sends is composed of "random" strings. The subject can be one of the following:

Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures

The random word will be one of the following:

new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky

The body of the email message is random.

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

Should you receive an e-mail that contains this subject header, message, or the attached file, DO NOT OPEN THE ATTACHMENT - PLEASE DELETE IT IMMEDIATELY.