Microsoft KB Archive/316658

= The w32.klez.e@mm &quot;Klez&quot; virus in Outlook 2000 =

Article ID: 316658

Article Last Modified on 1/31/2007

-

APPLIES TO


 * Microsoft Outlook Express 5.5 Service Pack 1
 * Microsoft Outlook Express 5.5 Service Pack 2
 * Microsoft Outlook Express 5.01 Service Pack 1
 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook Express 5.0
 * Microsoft Outlook Express 4.01 Service Pack 1
 * Microsoft Outlook Express 4.01 Service Pack 2
 * Microsoft Outlook Express 5.5 Service Pack 1
 * Microsoft Outlook Express 5.5 Service Pack 2
 * Microsoft Outlook Express 5.01 Service Pack 2
 * Microsoft Outlook 2000 Standard Edition
 * Microsoft Outlook 2000 Service Pack 1
 * Microsoft Outlook 98 Standard Edition
 * Microsoft Outlook Express 6.0
 * Microsoft Outlook Express 6.0

-



This article was previously published under Q316658



This article discusses the w32.klez.e@mm worm that may affect the operation of your computer. The information in this article is provided as-is without warranty of any kind. Microsoft does not provide software to stop virus infections or to cure infected computers. You may want to contact an antivirus software manufacturer for more information about how to remove a virus from your computer and about how to prevent future infections. If your computer has been infected, it may be open to additional forms of attack. Microsoft recommends that you rebuild infected Internet-facing servers (servers that function without a firewall or other protection) by following the guidelines that are published on the CERT Web site. Microsoft also recommends that you rebuild any other computers that are at risk because of their proximity to infected computers before you place them back in service.



SUMMARY
The w32.klez.e@mm virus, also known as the &quot;Klez&quot; virus, is a mass mailing e-mail worm that copies itself to network shares and distributes itself to all of the Address Book entries on the affected computer's Outlook Address Book.



MORE INFORMATION
The Klez virus uses the vulnerability that is mentioned in the Microsoft Security bulletin, MS01-020, to automatically start in the preview pane of Microsoft Outlook without a user opening the e-mail message. The Klez virus also drops another virus as its payload.

The Klez virus deletes program files, generates a mass mailing by using the Outlook Address Book as the address source, and drops an additional virus payload.

Other Products That Are Affected
Non-Microsoft Web-based e-mail programs are affected.

Technical Details
The e-mail message that carries the Klez virus arrives with a standard Subject line that the virus chooses randomly from a list that it maintains, but sometimes the virus uses a completely random subject. The text that the virus inserts in the e-mail message is also random. The virus chooses the attachment type randomly from the following file types:
 * .pif
 * .scr
 * .exe
 * .bat

The Klez virus attempts to delete certain files that are associated with antivirus programs, copy itself to network shares, and then mass mail itself to all of the entries in the Outlook Address Book. Klez makes use of a product vulnerability that is fixed by Microsoft Security bulletin MS01-027 to automatically open the in the preview pane.

The Klez virus also drops an additional virus payload that is known as &quot;El-Kern-B,&quot; which is believed to be a variant of &quot;El-Kern-A.&quot; This virus infects computers over a local area network (LAN) or other network, and then overwrites the contents of files on the infected computer, possibly triggered on a certain date or by a restart.

Prevention
If you are using Outlook 2000 Service Release (SR-1) or earlier, install the Outlook E-mail Security Update to prevent this virus, and the majority of other viruses that are borne by e-mail messages, from running. Outlook 2000 Service Pack 2 (SP2) and Microsoft Outlook 2002 automatically contain the functionality that is contained in the Outlook E-mail Security Update.

To install the Outlook E-mail Security Update for Outlook 2000 SR-1 or earlier, see the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN

If you are using Microsoft Internet Explorer 5.01 Service Pack 1 or Microsoft Internet Explorer 5.5 Service Pack 1, apply the following patch for MS01-027:

http://www.microsoft.com/technet/security/Bulletin/MS01-027.mspx

If you are a home user or consumer, use the following link to update your systems, and then download the Outlook E-mail Security Update if you are using Microsoft Office 2000 Service Release 1 (SR-1) or Microsoft Outlook 98:

http://windowsupdate.microsoft.com/

http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN

Recovery
If your computer is infected with this virus, update your virus signatures to detect and remove the virus, and then follow your antivirus vendor's instructions for virus removal.

Related Microsoft Knowledge Base Articles
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

255994 How to protect against virus infection from messages received with attachments in Outlook 2000

256001 How to protect against virus infection from messages received with attachments in Outlook 98

264519 Outlook Express and the Outlook E-mail security update

291387 Using virus protection features in Outlook Express 6

Related Security Bulletins
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

http://www.sophos.com/virusinfo/analyses/w32kleze.html

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

