Threat Encyclopedia

Virus, spyware, worms and other threat descriptions

Win32/Klez.E

Win32/Klez.E is a worm that spreads as an attachment to e-mail messages. The subject of the message, the name of the attached file (but not its extension) and the body of the message are random.
The worm exploits a security vulnerability in various versions of Microsoft Outlook and Outlook Express. The vulnerability is described at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp. On computers where this vulnerability has not been patched, the worm may be activated simply by displaying the message preview.
Once activated, the worm copies itself as the file Wink*.exe into the SYSTEM subdirectory (Windows 9x/ME) or the SYSTEM32 subdirectory (Windows NT/XP/2000) of the operating system directory; the character "*" stands for 2 or 3 lowercase letters in the actual filename. To ensure that it is started again after a system restart, the worm creates an entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
The worm attempts to deactivate the resident anti-virus programs Norton Antivirus, Scan, Antivir, Sophos Antivirus, AVP/KAV, F-Secure, F-PROT, NOD32 and PC-cillin. It may also delete files containing the checksums used by specific anti-virus programs.
On local computer networks the worm spreads as an EXE file with a doubled extension, or as a RAR archive containing a copy of the worm with a doubled extension.
The worm collects the addresses to which it sends its copies from WAB (Windows Address Book) files and from the list of ICQ users. The file attached to the messages it sends out has the extension PIF, SCR, EXE or BAT; its name is randomly generated.
The worm also creates the virus Win32/ElKern.B on the disk. On the 6th day of odd months it overwrites files on the disk with random data.
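The persistence and spreading indicators given above can be checked mechanically. The following Python script is an added example, not ESET's code and not part of the original entry: it applies the Wink*.exe (2 or 3 letters) in SYSTEM/SYSTEM32 pattern to a set of Run-key entries and classifies attachment names by the executable and doubled-extension patterns the entry lists. The function names and the sample Run-key values are constructed for illustration; a real check would read the Run key and directory listing from the host being examined.

```python
import re

# Indicators taken from the description above. The dropped copy is named
# "Wink" plus 2 or 3 letters, with the extension .exe, and is placed in the
# Windows SYSTEM (9x/ME) or SYSTEM32 (NT/2000/XP) directory. Matching is
# case-insensitive because Windows filenames are.
WINK_FILE = re.compile(r"^wink[a-z]{2,3}\.exe$", re.IGNORECASE)
SYSTEM_DIRS = {"system", "system32"}

# Attachment extensions the description names for the mailed copies.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "bat"}

# Constructed sample of Run-key values (value name -> command), not taken
# from a real system. Only two of them point at a Wink*.exe in a system dir.
SAMPLE_RUN_VALUES = {
    "Winkab": r'"C:\WINNT\system32\Winkab.exe"',
    "SysTray": r"C:\WINDOWS\SYSTEM\SysTray.Exe",
    "Updater": r"C:\WINDOWS\system32\Winkqwe.exe /silent",
    "Tool": r"C:\Tools\Winkab.exe",  # right name, wrong directory: no hit
}


def is_wink_dropper_path(path: str) -> bool:
    """True if path ends in <...>\\SYSTEM[32]\\Wink??.exe or Wink???.exe."""
    parts = [p for p in re.split(r"[\\/]", path.strip().strip('"')) if p]
    return (
        len(parts) >= 2
        and parts[-2].lower() in SYSTEM_DIRS
        and WINK_FILE.match(parts[-1]) is not None
    )


def suspicious_run_entries(run_values: dict) -> list:
    """Return the names of Run-key values that launch a Wink*.exe from a system dir.

    run_values maps value name -> value data as read from the Run key; the
    command may be quoted and may carry trailing arguments.
    """
    hits = []
    for name, data in run_values.items():
        data = data.strip()
        if data.startswith('"'):
            command = data[1:].split('"', 1)[0]  # quoted path, args after the quote
        else:
            command = data.split(" ", 1)[0]  # unquoted path, args after first space
        if is_wink_dropper_path(command):
            hits.append(name)
    return hits


def attachment_risk(filename: str):
    """Classify an attachment name by the patterns the description gives.

    Returns 'executable' for a PIF/SCR/EXE/BAT attachment, 'double-extension'
    when a harmless-looking extension precedes one of those (the pattern used
    for the network copies), and None otherwise.
    """
    parts = filename.lower().rsplit(".", 2)  # keep at most the last two extensions
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) == 3 and parts[-2].isalnum():
        return "double-extension"
    return "executable"


if __name__ == "__main__":
    print("Run-key entries to investigate:", suspicious_run_entries(SAMPLE_RUN_VALUES))
    for name in ("readme.txt.pif", "photo.scr", "notes.doc"):
        print(name, "->", attachment_risk(name))
```

The path check is deliberately tied to the directory as well as the filename, so a legitimately named file elsewhere on the disk is not reported; the attachment classifier flags every PIF/SCR/EXE/BAT attachment because the entry says the worm's mailed copies carry a random name, leaving nothing else to key on.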

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.