WORM_KLEZ.C
Overview

Malware type: Worm

Aliases: KLEZ.C, I-Worm.Klez.C, W32/Klez.C@mm, W32.Klez.gen@mm

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows

Encrypted: Yes

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 
This destructive, persistent, memory-resident, multi-process, multi-threaded worm spreads copies of itself via email and shared network drives. It consists of two components: the main worm and a destructive Windows executable infector. Trend Micro antivirus detects the Windows file infector component of this worm as PE_ELKERN.A.

This worm sends email that exploits a known vulnerability on systems using Internet Explorer 5.01 and 5.5. The vulnerability allows the attachment to execute automatically when the email is merely previewed in the Microsoft Outlook or Outlook Express preview pane.

More information on this vulnerability is available in the Microsoft article "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

This worm sends email with the following details, although certain fields may be blank:

From: <any of the following>

Subject: <any of the following>
Hi
Hello
How are you?
Can you help me?
We want peace
Where will you go?
Congratulations!!!
Don't cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger

Message Body: <any of the following>
I'm sorry to do so,but it's helpless to say sorry.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?

Attachment:
<Random filename with .EXE extension - 135,168 Bytes>
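
The message traits listed above can be turned into a mail-filter check. The following Python sketch is an added example, not Trend Micro code: it matches the subject, body and attachment details from this description, treats a blank field as compatible (the worm may leave fields empty), and ignores the From address. The function names and the "suspect" rule are assumptions made for illustration, and the sample builder produces a constructed message with a zero-filled attachment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects, body lines and attachment size copied from the description above.
SUBJECTS = {
    "Hi", "Hello", "How are you?", "Can you help me?", "We want peace",
    "Where will you go?", "Congratulations!!!", "Don't cry",
    "Look at the pretty", "Some advice on your shortcoming",
    "Free XXX Pictures", "A free hot porn site", "Never kiss a stranger",
    "Why don't you reply to me?", "How about have dinner with me together?",
}
BODY_LINES = (
    "I'm sorry to do so,but it's helpless to say sorry.",
    "I want a good job,I must support my parents.",
    "Now you have seen my technical capabilities.",
    "How much my year-salary now? NO more than $5,500.",
    "Don't call my names,I have no hostility.",
    "What do you think of this fact?", "Can you help me?",
)
ATTACH_SIZE = 135_168  # decoded attachment size in bytes

def classify(value, is_known):
    """Return 'blank' (the worm may leave a field empty), 'match' or 'other'."""
    value = (value or "").strip()
    return "blank" if not value else "match" if is_known(value) else "other"

def check_message(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("plain",))
    exe = any((p.get_filename() or "").lower().endswith(".exe")
              and len(p.get_payload(decode=True) or b"") == ATTACH_SIZE
              for p in msg.iter_attachments())
    res = {"subject": classify(msg["Subject"], lambda s: s in SUBJECTS),
           "body": classify(text.get_content() if text else "",
                            lambda b: any(line in b for line in BODY_LINES)),
           "attachment": exe}
    # Assumed rule: attachment must fit and no populated field may contradict.
    res["suspect"] = exe and "other" not in (res["subject"], res["body"])
    return res

def build_sample(subject, body, name, size) -> bytes:
    """Constructed test message; the attachment is zero bytes, not malware."""
    m = EmailMessage()
    if subject:
        m["Subject"] = subject
    if body:
        m.set_content(body)
    m.add_attachment(bytes(size), maintype="application",
                     subtype="octet-stream", filename=name)
    return bytes(m)
```

A size-and-subject match is a triage signal for quarantine and review, not a replacement for signature-based detection of the attachment itself.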


Description created: Mar. 19, 2002 6:30:05 PM GMT -0800
Description updated: Mar. 19, 2002 6:55:44 PM GMT -0800
