My standard “So you’ve got Klez…” letter

Having Klez hit a couple of mailing lists I’m on, I compiled some useful links into this message:

A pox on the Klez author(s).

I’d like to also thank Microsoft and its monopoly position for generating the lax security procedures and resultant execution environment that Klez exploits.

For folks who haven’t updated Internet Explorer in a while and whose mailer uses IE to display the HTML message, the worm can run *without* opening the attachment — just viewing or even previewing the message (which will appear blank) is enough.

The IE vulnerability is about a year old, and is documented in “Incorrect MIME Header Can Cause IE to Execute E-mail Attachment” <http://www.microsoft.com/technet/security/bulletin/ms01-020.asp>.
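As an added example (not part of the original letter), here is a small Python check for the MIME-header mismatch that bulletin describes: an attachment whose filename has an executable extension but whose Content-Type claims a media type that unpatched IE would hand straight to its player without asking. The sample message, the extension list and the media-type list are constructed assumptions, not taken from the bulletin.

```python
import email
from email import policy

# Extensions typical of mail-worm attachments (assumed list for this check).
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com")
# Media types an unpatched IE handed to the registered player without asking;
# pairing one with an executable filename is the MS01-020 pattern (assumed list).
AUTO_HANDLED_TYPES = {"audio/x-wav", "audio/x-midi"}

# Constructed sample message; the attachment bodies are placeholder text.
SAMPLE_EML = b"""\
From: sender@example.com
To: you@example.com
Subject: a very funny website
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="klez-sample"

--klez-sample
Content-Type: text/html; charset="iso-8859-1"

<html><body></body></html>
--klez-sample
Content-Type: image/gif; name="logo.gif"

GIF89a placeholder, constructed
--klez-sample
Content-Type: audio/x-wav; name="setup.exe"

MZ placeholder, constructed, not a real program
--klez-sample--
"""


def find_mismatched_attachments(raw_message: bytes) -> list:
    """Return (filename, declared type, reason) for each MIME part whose
    filename has an executable extension but whose Content-Type says otherwise."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = (part.get_filename() or "").lower()
        if not filename.endswith(EXECUTABLE_EXTENSIONS):
            continue
        ctype = part.get_content_type()
        if ctype in AUTO_HANDLED_TYPES:
            findings.append((filename, ctype, "executable labelled as auto-played media"))
        elif not ctype.startswith("application/"):
            findings.append((filename, ctype, "executable under a non-executable type"))
    return findings
```

Running `find_mismatched_attachments(SAMPLE_EML)` flags only `setup.exe`; the GIF and the blank HTML body pass.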

You should update Internet Explorer (part of which is used by mail programs to display email, which is how the worm gets itself executed) from this page:

<http://www.microsoft.com/windows/ie/downloads/critical/Q321232/> (May 15)

Here are two antivirus tools which you may find useful. I have not tried either; use them at your own risk.

<http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html>

<http://housecall.antivirus.com/>

More about Klez:

<http://www.wired.com/news/technology/0,1282,52174,00.html>

<http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html>

<http://vil.mcafee.com/dispVirus.asp?virus_k=99455>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.A>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.B>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.C>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.D>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.E>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.F>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.G>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H>

<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.I>

<http://www.sophos.com/virusinfo/analyses/w32klez.html>

<http://www.sophos.com/virusinfo/analyses/w32klezb.html>

<http://www.sophos.com/virusinfo/analyses/w32klezc.html>

<http://www.sophos.com/virusinfo/analyses/w32klezd.html>

<http://www.sophos.com/virusinfo/analyses/w32kleze.html>

<http://www.sophos.com/virusinfo/analyses/w32klezf.html>

<http://www.sophos.com/virusinfo/analyses/w32klezg.html>

<http://www.sophos.com/virusinfo/analyses/w32klezh.html>

(This message is released for use, redistribution, or modification under the OpenContent License <http://opencontent.org/opl.shtml>. In plain English, the license relieves the author of any liability or implication of warranty, grants others permission to use the Content in whole or in part, and ensures that the original author will be properly credited when the Content is used. It also grants others permission to modify and redistribute the Content if they clearly mark what changes have been made, when they were made, and who made them. Finally, the license ensures that if someone else bases a work on OpenContent, the resultant work will be made available as OpenContent as well. Please send comments, suggestions or edits to the author, Peter Kaminski <kaminski@istori.com>. Thanks!)