Using a complicated payload routine, Klez.E keeps a constant check on the system date. According to F-Secure, when the month number is odd (1, 3, 5, etc.) and the day of the month is 6 (e.g. March 6th), the worm overwrites all txt, htm, html, wab, doc, xls, jpg, cpp, c, pas, mpg, mpeg, bak, and mp3 files with random data. In the odd months of January and July, the payload is even more severe, overwriting all files found on local and network drives.
"Klez.E activation routine is destructive", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "It overwrites data files such as Word DOC files, Excel XLS files, MP3 music files, website HTML contents and ASCII text files. Even worse, it does this not only on the infected machine but also in the local network. One infected PC with write access can overwrite data companywide".
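Two checks a responder could run against the payload described above, added here as example code that is not from the article or from F-Secure: trigger_day() maps a month and day onto the schedule the text gives, and triage() flags files of the listed types whose leading bytes no longer fit their extension, which is what an overwrite with random data leaves behind. The file signatures in MAGIC and the entropy thresholds are assumptions, not taken from the article.

```python
import math
import os
from collections import Counter
from typing import Optional

# Extensions the article lists as overwritten with random data on trigger days.
TEXT_EXTS = {".txt", ".htm", ".html", ".c", ".cpp", ".pas"}
MAGIC = {  # common file signatures (assumed here; not taken from the article)
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".jpg": (b"\xff\xd8\xff",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".mpg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),
    ".mpeg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),
}

def trigger_day(month: int, day: int) -> Optional[str]:
    """Payload schedule as the article describes it: the 6th of an odd month
    hits data files; in January and July it hits all local/network drives."""
    if month % 2 == 1 and day == 6:
        return "all-drives" if month in (1, 7) else "data-files"
    return None

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (random data scores close to 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def head_mismatch(ext: str, head: bytes) -> bool:
    """True when the leading bytes do not fit the extension: wrong signature for a
    binary format, or high-entropy non-text bytes where plain text is expected."""
    if not head:
        return False
    if ext in MAGIC:
        return not any(head.startswith(m) for m in MAGIC[ext])
    if ext in TEXT_EXTS:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
        return printable / len(head) < 0.9 and entropy(head) > 6.0
    return False  # no check defined for this extension

def triage(root: str) -> list:
    """Walk a tree and return the files whose contents look overwritten."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if head_mismatch(os.path.splitext(name)[1].lower(), f.read(4096)):
                    hits.append(path)
    return sorted(hits)
```

A hit from triage() is a candidate for restore from backup, not proof of infection; the thresholds are deliberately conservative and extensions without a known signature (wab, bak) are not checked.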
While F-Secure reports that Klez.E is one of the top ten viruses affecting users worldwide, other antivirus vendors' prevalence reports vary. For example, Kaspersky Labs reports the Klez worm family as the most prevalent, constituting 61.5% of reports from their users. Antivirus vendor Sophos reports similar findings, noting that Klez.E is the third most prevalent virus reported by their customers. Computer Associates, developers of eTrust Antivirus, concur, listing Klez.E as the most prevalent virus for the week ending March 3, 2002. Conversely, Trend Micro's Virus Tracking Center strangely sees no incidents of Klez in the top ten worldwide threats, nor does McAfee's comparable Regional Virus Info, based on reports as of March 5, 2002. Certainly many users have the potential to become infected: the MessageLabs ThreatList, which provides a meaningful barometer of what threats are actively spreading in email, shows that Klez.E is the second most prevalent email-borne threat, coming in at a little over half the rate of the top-positioned Sircam virus.
As part of its infection routine, the Klez.E worm stops the processes for Nimda, Sircam, Funlove, CodeRed, and presumably for previous variants of the Klez worm itself. Text found within the viral code states in part, "I will try my best to protect the user from some vicious virus,Funlove,Sircam,Nimda,CodeRed and even include W32.Klez 1.X." This is somewhat ironic considering the overwriting payload present in the Klez.E worm. In addition to stopping the processes of a handful of viruses, the Klez.E worm similarly targets many different antivirus products, including Norton/Symantec, McAfee, F-Secure, Sophos, AVP, InoculateIT/Computer Associates, PC-cillin/Trend Micro, F-Prot, and NOD32/ESET. This could leave infected users unknowingly without antivirus protection and thus at risk of further infection by other viruses.