Center for Information Technology: Antivirus

Virus Archives

Informational Alert: The Klez worm and variants. 05/02/02 1:25 pm

CIT has received many calls regarding the Klez worm and its variants. Most of these calls concerned email alerts sent by antivirus software running on email servers. Many of the email alerts were received in error; they were not sent to the user of the infected computer. This is because several viruses now spoof sender addresses: the virus-infected message actually comes from someone other than the person listed on the "From:" line.

Some general facts about Klez and Klez variants:

  • The Klez virus runs only on Microsoft Windows platforms.
  • Klez is a mass mailer. It emails a copy of itself to addresses it can find on the infected client (using email address books).
  • Some Klez variants can spoof a sender's email address. When one of these Klez variants executes, it chooses an address from the address book it finds and sends email out with that address on the "From:" line.
  • Klez can gather email addresses from many files on the infected client machine including the client's address book, contacts, internet cache and documents.
  • Klez has its own SMTP service and does not need to use the infected client's email client to send itself out.
  • Klez may send itself out with a random subject line, random attachment name, and random text within the body.
  • Some of the Klez variants are network aware. These variants will attempt to write themselves to all network shares to which the infected client has write privileges (such as your home directory).
  • Some Klez variants make use of the IFrame vulnerability in Internet Explorer to automatically execute when an infected email is viewed in the preview pane of the Outlook mail client.

How is the NIH protected against the Klez virus and its variants?

The NIH has scanners at the gateway, on email servers, on desktops and file servers that detect and remove Klez and its variants.

How can I protect myself from the Klez virus and its variants?

It is critical that you keep your antivirus software up-to-date and enabled (turned on). Be cautious of unsolicited email, and question whether the sender would really send that specific message to you. Because Klez can spoof email addresses, you may receive an email that appears to come from someone you know (such as your supervisor) but that they never in fact sent.

I keep receiving email alerts stating I have sent a virus. What can I do?

Because Klez can spoof the sender's address, you may receive alerts stating you have sent a virus when you haven't sent any email to the person(s) indicated in the alert (you may not even know who they are). CIT is working to filter out such false alarms as well as possible, but at this time there is no immediate remedy to this problem.
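
Why an alert keyed on the "From:" line reaches the wrong person, shown as an added example (this is not CIT's filter or any antivirus product's code): the only sender evidence a gateway can rely on is the "Received:" header it stamped itself. The hostnames, addresses, the `alert_target` helper and the Postfix/sendmail-style "Received:" layout are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message as a gateway scanner might see it. Every name and
# IP is made up. The top Received: line was added by our own gateway; the one
# below it arrived with the message and could have been written by the sender.
SAMPLE = """\
Received: from pc-17.example.org (pc-17.example.org [192.0.2.17])
\tby gateway.example.org with SMTP; Thu, 2 May 2002 13:05:00 -0400
Received: from fake (unknown [203.0.113.9]) by relay.invalid; Thu, 2 May 2002 13:04:00 -0400
From: "Supervisor" <supervisor@example.org>
To: someone@example.net
Subject: random subject

random body text
"""

# Assumed layout: "from HELO (reverse-dns [ip]) by receiving-host ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)"
)

def alert_target(raw, gateway):
    """Return the claimed From: address next to the host that really connected.

    Only the topmost Received: header is inspected, and only if it names our
    own gateway as the receiver; anything else is untrusted, sender-supplied text.
    """
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1]
    result = {"claimed_from": claimed, "source_host": None, "source_ip": None}
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    if m and m.group("by").lower() == gateway.lower():
        result["source_host"] = m.group("rdns")
        result["source_ip"] = m.group("ip")
    return result

if __name__ == "__main__":
    info = alert_target(SAMPLE, "gateway.example.org")
    print("From: line claims :", info["claimed_from"])
    print("Actually sent from:", info["source_host"], info["source_ip"])
```

An alert addressed to `claimed_from` goes to the spoofed person; the connecting host and IP are what identify the machine that needs to be scanned.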

How can I verify I do not have the Klez virus or its variants?

To verify that you are not infected with the Klez virus or its variants, make sure your antivirus software is up-to-date and enabled. Also run a full system scan that scans all of your hard drives. For assistance in configuring your antivirus software to run a system scan, contact your local desktop support or contact TASC at 301-59GOCIT (301-594-6248).

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support

National Institutes of Health, Center for Information Technology
Bethesda, Maryland 20892
