[tomkat]

W32.Klez.gen@mm

Discovered on: November 9, 2001

Last Updated on: April 26, 2002 at 04:26:45 PM PDT

Due to an increased number of submissions, this threat has been upgraded to Category 4.

W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm are most likely infected with either W32.Klez.E@mm or W32.Klez.H@mm. Please refer to the appropriate write-ups for more information.

Removal tool
Symantec has provided a tool to remove infections of W32.Klez.E@mm, W32.Klez.H@mm, W32.ElKern.3587, and W32.ElKern.4926. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most case, the tool will be able to remove the infection. Click here to obtain the tool.

This is the easiest way to remove these threats and should be tried first.

Type: Virus, Worm
Infection Length: Varies

• Virus Definitions (Intelligent Updater)*

November 9, 2001

• Virus Definitions (LiveUpdate™)**

November 9, 2001

*	Intelligent Updater virus definitions are released daily, but require manual download and installation. Click here to download manually.
**	LiveUpdate virus definitions are usually released every Wednesday. Click here for instructions on using LiveUpdate.

Wild:

• Number of infections: More than 1000
• Number of sites: More than 10
• Geographical distribution: Medium
• Threat containment: Moderate
• Removal: Difficult

Threat Metrics
Wild: Medium			Damage: Medium			Distribution: High

Damage:

• Payload: Infects the system with the W32.ElKern.3326 virus.
  • Large scale e-mailing: Emails to addresses found in the address book.

Distribution:

• Subject of email: Random subject
• Name of attachment: Random attachment with .BAT, .EXE, .PIF or .SCR extension
• Size of attachment: approximately 60KB
• Shared drives: Infects shared and mapped drives

W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages.

The subject and attachment name of incoming emails is randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds.

Depending on which variant of the worm, the worm will drop one of the following viruses:

• W32.Elkern.3326
• W32.Elkern.3587
• W32.Elkern.4926

which will then infect the system.

[gratefulwharffratt]

Palestinians question martyrdom cult after boys' suicide prank

Gee, they GLORIFY homicide bombers to the point of nearly deifying them, and then they wonder why impressionable kids would want to act like them.

F*@%ing Idiots.

[ValerieUSA]

Thanks tom --- I installed the patch. A little late though. I just started outlook and I think I got a couple more of those e-mails --- plus a password notice from hotmail (so the subject line says). I don't have a hotmail acct.

[Letitring]

Thanks TomKat Kitty. I've been having horrible computer troubles again. Maybe this is why it's acting up. I'll go see.:)

[sweetliberty]

Thanks for sharing the virus information. I thankfully nuked my Outlook address book after being hit twice with the W32Magistr virus last fall. It had a devastating effect on my computer. Now I seldom use Outlook at all and keep no addresses stored there.