Microsoft KB Archive/316658

From BetaArchive Wiki

Article ID: 316658

Article Last Modified on 1/31/2007



APPLIES TO

  • Microsoft Outlook Express 5.5 Service Pack 1
  • Microsoft Outlook Express 5.5 Service Pack 2
  • Microsoft Outlook Express 5.01 Service Pack 1
  • Microsoft Outlook Express 5.01 Service Pack 2
  • Microsoft Outlook Express 5.0
  • Microsoft Outlook Express 4.01 Service Pack 1
  • Microsoft Outlook Express 4.01 Service Pack 2
  • Microsoft Outlook 2000 Standard Edition
  • Microsoft Outlook 2000 Service Pack 1
  • Microsoft Outlook 98 Standard Edition
  • Microsoft Outlook Express 6.0



This article was previously published under Q316658

This article discusses the w32.klez.e@mm worm that may affect the operation of your computer. The information in this article is provided as-is without warranty of any kind. Microsoft does not provide software to stop virus infections or to cure infected computers. You may want to contact an antivirus software manufacturer for more information about how to remove a virus from your computer and about how to prevent future infections. If your computer has been infected, it may be open to additional forms of attack. Microsoft recommends that you rebuild infected Internet-facing servers (servers that function without a firewall or other protection) by following the guidelines that are published on the CERT Web site. Microsoft also recommends that you rebuild any other computers that are at risk because of their proximity to infected computers before you place them back in service.


SUMMARY

The w32.klez.e@mm virus, also known as the "Klez" virus, is a mass mailing e-mail worm that copies itself to network shares and distributes itself to all of the entries in the affected computer's Outlook Address Book.

MORE INFORMATION

The Klez virus uses the vulnerability that is described in Microsoft Security Bulletin MS01-020 to start automatically in the preview pane of Microsoft Outlook, without the user opening the e-mail message. The Klez virus also drops another virus as its payload.

The Klez virus deletes program files, generates a mass mailing by using the Outlook Address Book as the address source, and drops an additional virus payload.

Other Products That Are Affected

Non-Microsoft Web-based e-mail programs are affected.

Technical Details

The e-mail message that carries the Klez virus arrives with a standard Subject line that the virus chooses randomly from a list that it maintains, but sometimes the virus uses a completely random subject. The text that the virus inserts in the e-mail message is also random. The virus chooses the attachment type randomly from the following file types:

  • .pif
  • .scr
  • .exe
  • .bat

The Klez virus attempts to delete certain files that are associated with antivirus programs, copies itself to network shares, and then mass mails itself to all of the entries in the Outlook Address Book. Klez makes use of a product vulnerability that is fixed by Microsoft Security Bulletin MS01-027 to run automatically in the preview pane.

The Klez virus also drops an additional virus payload that is known as "El-Kern-B," which is believed to be a variant of "El-Kern-A." This virus infects computers over a local area network (LAN) or other network, and then overwrites the contents of files on the infected computer, possibly triggered on a certain date or by a restart.
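As an added example that is not part of the Microsoft article, the following Python script applies the one stable characteristic the Technical Details give for the carrier message: the subject and body text are random, but the attachment is always one of the four listed file types. The script parses a raw e-mail message with the standard library, collects every attachment name (from the Content-Disposition filename or, failing that, the Content-Type name parameter), and flags names whose extension is .pif, .scr, .exe or .bat regardless of case or of the declared Content-Type. The function names and the sample messages are constructed for illustration; they are not Klez samples.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# The four attachment types the article lists for the Klez carrier message.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".bat"}


def _extension(name: str) -> str:
    """Lower-cased final extension of a file name ('' if it has none).
    A double extension such as 'photo.jpg.exe' yields '.exe'."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def attachment_names(msg: EmailMessage) -> List[str]:
    """File names of every non-container MIME part that declares one.
    get_filename() reads the Content-Disposition 'filename' parameter first
    and falls back to the Content-Type 'name' parameter, so both forms count."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def flagged_attachments(raw_message: bytes) -> List[str]:
    """Parse one raw RFC 822 message and return the attachment names whose
    extension is one of the listed executable types (case-insensitive).
    The declared Content-Type is deliberately ignored: only the file name
    decides, so a mislabelled executable is still flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [n for n in attachment_names(msg) if _extension(n) in EXECUTABLE_EXTENSIONS]


# Constructed sample messages (not real Klez samples): one with an .EXE
# attachment in mixed case, one with a benign .txt attachment, and one that
# names the file only in the Content-Type 'name' parameter.
SAMPLE_EXE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

see attached
--B1
Content-Type: application/octet-stream; name="Setup.EXE"
Content-Disposition: attachment; filename="Setup.EXE"
Content-Transfer-Encoding: base64

QUJD
--B1--
"""

SAMPLE_BENIGN = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

notes attached
--B2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--B2--
"""

SAMPLE_NAME_PARAM_ONLY = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B3"

--B3
Content-Type: text/plain

look
--B3
Content-Type: application/octet-stream; name="photo.jpg.pif"
Content-Transfer-Encoding: base64

QUJD
--B3--
"""

if __name__ == "__main__":
    for label, raw in (("exe", SAMPLE_EXE), ("benign", SAMPLE_BENIGN),
                       ("name-param", SAMPLE_NAME_PARAM_ONLY)):
        print(label, flagged_attachments(raw))
```

The check is based only on the file name because, as the article notes, the subject and message text are random and give no stable signature; the Content-Type header is ignored for the same reason the Outlook E-mail Security Update blocks by attachment type rather than by declared content. Checking the Content-Type name parameter as a fallback matters because a part may carry its name in either header.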

Prevention

If you are using Outlook 2000 Service Release 1 (SR-1) or earlier, install the Outlook E-mail Security Update to prevent this virus, and the majority of other viruses that are borne by e-mail messages, from running. Outlook 2000 Service Pack 2 (SP2) and Microsoft Outlook 2002 already contain the functionality of the Outlook E-mail Security Update.

To install the Outlook E-mail Security Update for Outlook 2000 SR-1 or earlier, see the following Microsoft Web site:

If you are using Microsoft Internet Explorer 5.01 Service Pack 1 or Microsoft Internet Explorer 5.5 Service Pack 1, apply the following patch for MS01-027:

If you are a home user or consumer, use the following link to update your systems, and then download the Outlook E-mail Security Update if you are using Microsoft Office 2000 Service Release 1 (SR-1) or Microsoft Outlook 98:

Recovery

If your computer is infected with this virus, update your virus signatures to detect and remove the virus, and then follow your antivirus vendor's instructions for virus removal.

Related Microsoft Knowledge Base Articles

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

  • 255994 How to protect against virus infection from messages received with attachments in Outlook 2000
  • 256001 How to protect against virus infection from messages received with attachments in Outlook 98
  • 264519 Outlook Express and the Outlook E-mail security update
  • 291387 Using virus protection features in Outlook Express 6


Related Security Bulletins

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


REFERENCES

This article discusses a security or privacy issue that may affect the operation of your computer. The information in this article is provided as-is without warranty of any kind. The workaround or hotfix that is described in this article addresses the issue as it is currently understood, but may not protect against any undiscovered variants of this issue. Microsoft recommends that you apply this patch to computers only after you evaluate the risk that this issue may pose to your computers. In all other cases, Microsoft recommends that you wait for the next service pack for the affected product.



Additional query words: OL2K virus

Keywords: kbinfo kbdownload kbnofix kbsecurity kbsecantivirus KB316658