The W32/Klez@MM Virus Family Often Forges Its From: Field

This information can be freely reproduced in any medium, as long as the information is unmodified.

The Klez virus affects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, see plenty of infected email from Klez, so its "annoyance factor" is large.

The first Klez variant was discovered in October 2001; more common variants were discovered in January 2002 (Klez.E) and April 2002 (Klez.H). VirusScan users with current antivirus definitions have been protected against the original Klez since October 31, 2001, and Klez in general since January 23, 2002. [Note that Klez.H was recognized "generically" by the VirusScan drivers, even before the virus writer created it!]

The main features of Klez.E and Klez.H are these:

• It often forges its From: field, so that recipients of email with Klez-infected attachments seem to get it from someone who was not the actual sender (and is not the real Klez victim)
  • In particular, it can forge email as if it were from postmaster@<host>. No, this does not mean that postmaster@umich.edu (or postmaster@wherever.else) is infected with a virus. Rest assured that postmaster@umich.edu will never send you an attachment -- and most likely, neither will other postmasters elsewhere.

• It uses a security flaw in unpatched Internet Explorer applications that allows the attachment to be executed w/o opening it.

• The .E variant has a destructive payload that can zap lots of files: prompt action is essential, so that you do not lose data

• The .H variant can spread via open network shares. I recommend that you disable File and Print Sharing, or at least password protect all shared resources.

• Perhaps the most annoying thing is that the virus besmirches the good name and reputation of the apparent sender, who actually isn't involved.

1. Person A's computer gets infected

2. Klez harvests email addresses, including addresses for persons B and C

3. Klez sends email from A's computer, using a From: address of person B, and a To: address of person C.

4. Person C's antivirus software notices that the email "from" person B is infected, so C emails B to warn him or her.

5. Person B scans his or her computer and finds no virus; person B is very confused.

What should you do if:

• If know you are infected by Klez?

  Easy: disinfect with current, top quality antivirus software.

• You receive email you suspect is infected with Klez -- or other viruses, for that matter?

  That's up to you; for suggestions, see our What to do with suspicious email document.

• You receive email that you are sending Klez-infected email?

  This is a bit more involved:

  1. First, you probably are not infected, particularly if you are getting email from the recipient or from some automated announcement system: most of these alerts are well intentioned, but they do not check the full email headers to see who the real sender is.

     [Of course, if you get email from us that you are infected, or from others who ought to know, then there is a much higher chance that your computer is infected. But everyone makes mistakes, so it's not a sure thing!]

  2. Nonetheless, you should check that your computer has top quality antivirus software installed, and that it is current, and that you do not have any viruses on your machine.

  3. Assuming that you have no viruses on your computer, you may want to ask the sender of the alert for more information. In particular, you'll need full email headers; when you receive them, pass this information along to your competent antivirus support personnel. Better yet, Cc: those support folks in your original request, and ask that the full headers, etc., be sent to the support personnel directly.

     U-M folks: you can request that this information be sent to the U-M Virus Busters Team, of course.

  For technical info on the Klez family, see e.g. Network Associates write-ups on Klez.E (leaving our site) and Klez.H (leaving our site), or F–Secure's write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/klez.html
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB