
Klez Help Center

By Mary Landesman, About.com

What is Klez?
There are many variations of the Klez virus, each with its own twist. Klez is a mass-mailing email worm that drops a file infector (W32/Elkern) onto the system. Some of the variants, such as Klez.E, have a malicious payload, while others, such as Klez.H, omit the payload in favor of spoofing the From address or compromising the confidentiality of files on the system. F-Secure provides a complete description of each of the Klez variants: http://www.f-secure.com/v-descs/klez.shtml.

One of the more confusing aspects of Klez is the spoofing of the From address in the infected email. This means that a Klez email may not be from the person it appears to be. Only a check of the source headers can verify the true sender. Many antivirus and gateway products designed to send automatic alerts are stymied by this simple trick and thus perfectly innocent persons are identified as the "senders" and sent erroneous bounce messages while the true sender remains oblivious to the fact that the Klez virus is sending itself from their infected machines.

What does the message look like?
The email message carrying Klez varies drastically. Many of the messages have no body text, and the subject line may be any of the following:

Hi | Hello | How are you? | Can you help me? | We want peace | Where will you go? | Congratulations!!! | Don't cry | Look at the pretty | Some advice on your shortcoming | Free XXX Pictures | A free hot porn site | Why don't you reply to me? | How about have dinner with me together? | Never kiss a stranger | how are you | let's be friends | darling | don't drink too much | your password | honey | some questions | please try again | welcome to my hometown | the Garden of Eden | introduction on ADSL | meeting notice | questionnaire | congratulations | sos! | japanese girl VS playboy | look,my beautiful girl friend | eager to see you | spice girls' vocal concert | japanese lass' sexy pictures | [virusname] removal tools | Worm Klez.E immunity | FOLODE | sexyy Screen Saver | A WinXP patch | Unknown | the list | A new game | A funny game | A IE 6.0 patch | A excite game | A humour game | A nice game | A powful tool | A funny website | A new website | A very humour game | A very excite game | A special new game | A very nice game | A very new game | A very funny game | A good tool | !"#$ | FW: | A special excite game | A special funny game | BETIBI | A special humour game | A special nice game | JOVOUE | A very new website

The virus also uses holiday specific themes at appropriate times during the year. Given the many flavors, it should be rather obvious that trying to identify Klez by its subject line or message body is likely not the most effective means, nor is filtering on all of the above words a prudent idea (consider the number of times some of these, such as "how are you", or "honey", might appear in legitimate emails).

What is the attachment named?
The attachment name is random. The extension can be .bat, .exe, .pif, or .scr. However, Klez uses a double extension ruse to try to disguise itself. Those running the default installation of Windows (which hides the extension of known file types) will not see the true extension, but instead any one of the following types: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, .mp3, or .pdf. Visit the Infected Attachments Center to learn how to make the necessary changes so your system displays the proper extension.
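The two traits described above, the spoofed From address and the double-extension attachment, can be checked mechanically on a raw message. The following script is an added example, not code from the article or from any vendor tool; the sample message, the host names and the 198.51.100.77 address are constructed for illustration, and the From-versus-first-hop comparison is a coarse heuristic that only points at headers worth reading by hand.

```python
import email
from email import policy
from email.utils import parseaddr

# Extensions Klez actually runs, and the decoy extensions it places before them
# (both lists as given in the article above).
EXEC_EXTS = {"bat", "exe", "pif", "scr"}
DECOY_EXTS = {"txt", "htm", "html", "wab", "doc", "xls", "jpg", "cpp", "c",
              "pas", "mpg", "mpeg", "bak", "mp3", "pdf"}

def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'pretty.jpg.exe': a decoy extension hiding an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTS and parts[1] in DECOY_EXTS

def from_disagrees_with_origin(msg) -> bool:
    """Coarse check of the From: domain against the earliest Received: hop.
    Each relay prepends a Received: header, so the last one is the originating
    server. Mail sent through a third-party relay also trips this, so treat the
    result as a prompt to inspect the headers, not as proof of spoofing."""
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hops = msg.get_all("Received", [])
    if not from_domain or not hops:
        return False
    return from_domain not in hops[-1].lower()

def triage(raw: bytes) -> dict:
    """Flag both Klez traits the article describes in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {"double_extension": [n for n in names if is_double_extension_lure(n)],
            "from_mismatch": from_disagrees_with_origin(msg)}

# Constructed sample modelled on the article's description; not a real capture.
SAMPLE = b"""Received: from mx.example.org (mx.example.org) by inbound.example.net
Received: from dsl-pool-77.isp.example ([198.51.100.77]) by mx.example.org
From: "Alice" <alice@victim.example>
Subject: how are you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="pretty.jpg.exe"
Content-Disposition: attachment; filename="pretty.jpg.exe"

TVo=
--b1--
"""
```

Running `triage(SAMPLE)` reports the lure attachment and a From domain that does not appear in the originating hop, which is exactly the pair of signs the article says an automated bounce notifier fails to consider.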

How can I prevent Klez?
You can minimize your risk of infection by visiting the Email Help Center and following the steps outlined for your mail client. Be sure to follow all the steps outlined therein, as Klez also exploits a security vulnerability which allows the attachment to execute automatically on unpatched systems. Of course, keeping your antivirus software up-to-date is imperative.

How can I remove Klez?
Both F-Secure and Symantec have released free tools to remove Klez variants from the system. You will first need to scan your system with updated antivirus software to determine exactly which variant you have, then use the appropriate tool to remove it.

F-Secure tool: be sure to read the KLEZTOOL.TXT file included in the ZIP archive before using the tool.
Symantec tool

I got an email from someone who said I sent them the Klez virus. I scanned my system and my antivirus says I'm not infected. What gives?
Klez can spoof the From address, making it appear that it came from someone it did not. For more information on this cunning aspect of Klez, see the article, Where From Art Thou, Klez?

©2008 About.com, a part of The New York Times Company. All rights reserved.