Klez Virus information

The Klez virus is a serious problem for Internet advertisers, users, and webmasters.

The mass mailing of this worm and the attachments that are sent clog email systems with large downloads, making the email system useless for 56k modem users. Even with good email filtering anti-virus software, the Klez messages can take upwards of an hour to work through. Several of our Realtors have reported that they can no longer download relevant email messages.
Personally, I receive 5 to 10 Klez email worm infected messages daily as the webmaster for this site.

What can be done to stop this virus problem? I've linked the Symantec (Norton) anti-virus Klez information page here. This page has a ton of information about how this virus works, how to remove it, and how to protect your system from future infections. You can download the Symantec Klez detection tool from here to find out if you are infected and remove the pest. Update: There is also a free, web-based anti-virus scan and removal program available from Trend Micro that has been suggested by one of our site visitors (a full scan of my computer took only 30 minutes using this excellent tool). This is a good second check for whatever anti-virus program you are currently using, and it is free.

From the Symantec website:

Technical Details
This worm searches the Windows address book, the ICQ database, and local files for email addresses. It sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. For example, if the worm encounters the address, it attempts to send email via the server The subject line, message bodies, and attachment file names are random. The From address is randomly chosen from email addresses that the worm finds on the infected computer.

Email spoofing
Some variants of this worm use a technique known as "spoofing" by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual.

For example, Linda Anderson is using a computer infected with W32.Klez.E@mm. Linda is neither using an antivirus program nor has the current virus definitions. When W32.Klez.gen@mm performs its email routine, it finds the email address of Harold Logan. The worm inserts Harold's email address into the "From" portion of an infected message, which it then sends to Janet Bishop. Then, Janet contacts Harold and complains that he sent her an infected message; however, when Harold scans his computer, Norton AntiVirus does not find anything, because his computer is not infected.

If you are using a current version of Norton AntiVirus and you have the most recent virus definitions, and a full system scan with Norton AntiVirus, which is set to scan all the files, does not find anything, your computer is not infected with this worm.

The most important things in these quotations are:
  1. The worm uses its own SMTP engine to send the messages - you won't see any virus activity in your normal email program.
  2. Variants of this worm use a technique known as "spoofing" - other users do not know who sent the virus, so the infected user continues to send the virus without knowing they are infected.
  3. The virus scans both cached web pages and address books for email addresses to add to the send list.
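
The spoofing scenario quoted above can be checked from the message headers. The following is an added example, not part of the original page or of Symantec's text: it ignores the "From" line and reads the Received line written by the recipient's own mail server to find the machine that really connected. The domain names, IP addresses, sample message and the Received layout matched by the pattern are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: names are from the quoted example, hosts/IPs are placeholders.
# Servers prepend Received lines (newest first); the last one imitates a faked line.
SAMPLE = """\
Received: from mx.janet.example (mx.janet.example [192.0.2.10])
    by mailbox.janet.example; Mon, 6 May 2002 10:00:05 -0400
Received: from lindas-pc (dialup-77.isp.example [198.51.100.77])
    by mx.janet.example; Mon, 6 May 2002 10:00:01 -0400
Received: from mail.harold.example (mail.harold.example [203.0.113.5])
    by relay.harold.example; Mon, 6 May 2002 09:59:00 -0400
From: Harold Logan <harold@harold.example>
To: Janet Bishop <janet@janet.example>
Subject: constructed subject

constructed body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S*)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
                 r"\s+by\s+(?P<by>[^\s;]+)")

def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def boundary_hop(msg, trusted_domain):
    """Newest-first, follow lines written by our own servers; return the last."""
    hop = None
    for hdr in msg.get_all("Received", []):
        m = HOP.search(" ".join(hdr.split()))  # unfold the header first
        if not m or not in_domain(m["by"], trusted_domain):
            break  # anything below this point was supplied by the sender
        hop = m
    return hop

def analyze(raw, trusted_domain):
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1]
    hop = boundary_hop(msg, trusted_domain)
    host = (hop["rdns"] or hop["helo"]) if hop else None
    return {"claimed_from": claimed, "origin_host": host,
            "origin_ip": hop["ip"] if hop else None,
            # Hint only: legitimate mail is often relayed via another domain.
            "from_domain_at_origin": bool(hop) and in_domain(host, claimed.rpartition("@")[2])}

if __name__ == "__main__":
    print(analyze(SAMPLE, "janet.example"))
```

The origin address, not the "From" name, is what to pass to the sending ISP's abuse desk when reporting an infected machine.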


The only way you can know that your system is not infected is to use a good anti-virus program and keep it updated. I prefer the Symantec (Norton) product; other people prefer the McAfee program. You can find the free Trend Micro anti-virus scan here. There are also other free anti-virus programs available.

Thanks for taking the time to read this page and doing your part to keep the internet clean.
If I can be of any help please feel free to contact me.