Klez is one of the most destructive worms in history, having caused about $19.8 billion in damage. It is also notable for its ability to spoof email addresses in the sender line, as well as the ability to infect the receiver's computer from previewing or opening the message without downloading or executing the attachment. Klez spawned a significant number of variants, a few of which were more prevalent than the original.
Klez can arrive on a system through email or network shares. The worm uses fake email addresses for the "From" line (spoofing ability did not come until later variants), which may be one of the following:
A Klez email may have one of twelve possible subject lines:
- How are you?
- Can you help me?
- We want peace
- Where will you go?
- Don't cry
- Look at the pretty
- Some advice on your shortcoming
- Free XXX Pictures
- A free hot porn site
- Why don't you reply to me?
- How about have dinner with me together?
- Never kiss a stranger
The body contains the message:
I am sorry to do so,but it's helpless to say sorry I want a good job,I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names,I have no hostility. Can you help me?
Many email clients will be unable to view the message, and it is thought that it is intended for antivirus companies.
The attachment is a random string of characters with a .exe extention that is 57,345 bytes long. A Klez email contains an incorrect MIME header, which means it may be able to run itself if the user is running an unpatched version of Outlook or Outlook Express.
When Klez is executed, it must decrypt the information about email senders, subject lines and the email body. It copies itself to the system folder as Krnl132.exe. It adds the value krnl32 = System folder\krnl32.exe to the local machine registry key that ensures the worm will run upon starting the machine.
Klez may deactivate on-access virus scanners. It will search active processes and give the "TerminateProcesses" command to processes with the following names:
It drops the Elkern.A virus, which infects all PE .exe files on all available drives and network shares.
It looks for local, mapped, and network drives and copies itself to them with a double extension. The double extension is one random for the first (it can choose from .txt .htm .doc .jpg .bmp .xls .cpp .html .mpg and .mpeg) and .exe for the last extension (a typical Klez on one of these drives may look something like Xfile.doc.exe or Yprogam.txt.exe).
Klez then searches through the Windows Address book and collects email addresses. The worm has its own SMTP engine. It sends itself to all of these addresses as an attachment with a random file name.
On the 13th day of every other month (January, March, May...) the worm will cause some files to become 0 bytes in length.
The original Klez was not particularly notable, but some of the Klez variants, particularly Klez.E and H became very prominent and destructive.
This variant may arrive as a .pif file as well as an .exe. In the system folder, it uses the file name WinSvc.exe. It also creates a local machine registry key under the one that causes programs to run on startup named WinSvc. This worm will attempt to delete some processes used by Nimda, CodeRed and their variants. The worm executable contains the text string 'I will try my best to kill some virus', which is never displayed, except when viewing it in a hex editor. In addition to looking for email addresses in the Address Book, Klez.D will look for them in ICQ database files.
Klez.E also spreads over network shares in mostly the same way as the original variant, although this version may also use a randomly named .rar archive file in addition to an .exe.
When it arrives in an email, the "From:" line it is not likely to be the actual address that the worm was sent from, as Klez.E spoofs the sender line of emails it arrives in. It chooses a random email address found on the infecting computer.
When this worm is executed it will use the same registry key and folders as the original, but uses the word Wink followed by random characters for its file name as well as its registry values. Or it may create a new Local Machine registry key, \System\CurrentControlSet\Services\Wink[random characters].
In addition to killing antivirus processes, this version of Klez will also attempt to kill the processes of the CodeRed and Nimda. It removes the registry keys that some antvirus programs use to start themselves when the machine is started. It also deletes the following antivirus checksum database files:
This variant drops the Elkern.B virus. It also has a destructive payload that destroys the following kinds of files with random junk on March 6:
Klez.H arrives in an email with two attachments, one is an executable, which is the worm, and the other is a random file, usually some kind of document, or media file. The From: line is not likely to be the the actual email address of the sender, as like Klez.E, this variant uses spoofing to hide its real origin. There are 29 possible main subject lines, some with places for random words from a list to be placed, making the total number of possible subject lines much higher:
- Worm Klez.E immunity
- how are you
- let's be friends
- so cool a flash,enjoy it
- your password
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls' vocal concert
- japanese lass' sexy pictures
- a [Random] [Random] game
- a [Random] [Random] tool
- a [Random] [Random] website
- a [Random] [Random] patch
- Undeliverable mail--"[Random]"
- Returned mail--"[Random]"
- [Random] removal tools
The possible random words are:
- IE 6.0
The body of the message is random.
The worm itself contains the following text, which is never displayed:
Win32 Klez V2.01 & Win32 Foroux V1.0 Copyright 2002,made in Asia About Klez V2.01: 1,Main mission is to release the new baby PE virus,Win32 Foroux 2,No significant change.No bug fixed.No any payload. About Win32 Foroux (plz keep the name,thanx) 1,Full compatible Win32 PE virus on Win9X/2K/NT/XP' 2,With very interesting feature.Check it! 3,No any payload.No any optimization' 4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing'
Along with all of the other extensions, this worm can also use .pdf as a part of its double extension. It is exactly similar to the E variant with regard to its file name, registry modifications and n network drive copying as well as its killing of rival worms and antivirus processes. The worm drops the Elkern.C virus. Not only does it search the Address Book and the ICQ database for email addresses, but also the following types of files:
When mailing itself, Klez.H will select a random file to attach along with itself, in a was similar to that of Sircam. It will select any of the type of file it harvested email addresses from, with the exception of the last four.
Klez.H is one of the worst worms ever, according to figures from managed services firm MessageLabs, which has blocked 775,000 copies of the pathogen since it first appeared on April 15.
At Klez's height, a Jewish Folk Music mailing list began receiving an unusually high number of off-topic e-mails. Some time later, the maintainer began receiving complaints from people all over the world saying "you gave us the Klez", which he believed was some kind of protest against a certain type of music. Klezmer is a type of Jewish folk music that is sometimes referred to as Klez.
A variant of the CIH virus was found to have attached itself to Klez.H, and many, but not all computers with a Klez.H infection also had a CIH infection. Whether or not this was intentional is uncertain. Some experts believe it is likely that Klez.H infected a computer that had already been infected with CIH. After being infected, all subsequent generations of that copy of the worm would carry CIH with them and trigger the virus when they themselves were triggered.
Kaspersky Lab. Viruslist.com, Email-Worm.Win32.Klez.a
F-Secure Anti-Virus Research Team. F-Secure Virus Descriptions Klez 2001.11-2002.01
Alexey Podrezov. -, Klez.H 2002.04.22-17
-. -, Elkern 2001.10-2002.01.17]
Atli Gudmundsson. Symantec.com, W32.Klez.A@mm
-, Eric Chien. -, W32.Klez.E@mm
Neal Hindocha. -, W32.Klez.H@mm
John Leyden. The Register, "Klez Storms Monthly Virus Charts". 2002.04.30
Sharon Gaudin, internetnews.com "Virus Damage Worst on Record for August" 2003.09.02
David Becker. CNET News, "Chernobyl virus rides Klez's coattails". 2002.05.06
Mary Landesman. About Antivirus, Klez.E Doing Time.