Manually removing an infection from your computer can put your data at risk of damage that may or may not be recoverable. Central Command strongly recommends that you back up all of your data before attempting to remove an infection or repair any damage caused by an infection.
Details:
--------
Name: W32/Klez-E
Aliases: Win32.Klez.E@mm
Type: Internet and Network Worm, written in Visual C language
Size: ~80Kb
Risk: High/Medium
ITW: Yes
Description:
------------
W32/Klez-E is a slight modification of Worm/Klez-A. It is an Internet worm capable of spreading through the local network on 32-bit Windows systems and of infecting EXE files. In order to remain resident in memory, it infects the file KERNEL32.DLL.
The worm arrives through e-mail in the following format:
Subject lines include (but are not limited to):
- Fw: A nice game
- Re: A WinXP patch
- Re: Good removal tools
- Fw: A humour website
- how are you
- For more information, please visit
Body Text (examples):
- This is a nice game
This is my first work.
Your’re the first player.
I would expect you would enjoy it
- Hello,This is a humour game
This game is my first work.
You’re the first player.
I expect you would like it.
Attachment (examples):
- kitty.exe
- rock.exe
- play.scr
It uses an exploit (a security hole) that allows the attachment to be executed simply by viewing the message in Microsoft Outlook Express or Outlook (without service packs installed). This method is similar to the one used by the Nimda and Kak worms.
Microsoft has issued a patch which protects users against this vulnerability.
Once executed, the virus decrypts all of its text strings (they are stored encrypted so that they cannot be read by anyone trying to study what the virus contains) and tries to hide itself from the application list. It appends a new section to the end of each infected .exe file, in which it stores its code. The virus does not infect all EXE files or programs.
When infecting KERNEL32.DLL, the virus stores its modified copy of this file under the name KLEZED.TT6; when the system is next restarted, KERNEL32.DLL is replaced by KLEZED.TT6 with the help of an appropriate entry in WININIT.INI. The virus changes the addresses of the exported Windows API functions so that they point into the virus's own code, thereby hooking sixteen KERNEL32 functions: deleting files, modifying file attributes, opening and copying files, and many more.
The virus creates an execution thread that monitors all running applications and, if any of them belongs to an anti-virus program, closes it.
The following files are terminated:
N32SCANW.EXE, NAVAPSVC.EXE, NOD32.EXE, NAVAPW32.EXE, NAVWNT.EXE, NAVLU32.EXE, NAVRUNR.EXE, NPSSVC.EXE, NSCHEDNT.EXE, SCAN.EXE, SMSS.EXE, _AVP32.EXE, _AVPM.EXE, NSPLUGIN.EXE
The virus then creates a file named wqk.exe in the system directory. This file contains the Win32.Elkern.A virus, which Klez-E carries compressed in its body. Elkern.A is a file infector that runs on Windows 98 and Windows Me.
The virus launches two further execution threads: one for infection through the Internet and one for network infection. If the month of the system date is an odd month (January, March, etc.) and the day is the 6th, the virus starts its payload routine: it scans the local disks (and drives mapped from the network) and fills the files it finds with random data, permanently destroying them. Files with the following extensions are damaged: .bak, .c, .cpp, .doc, .htm, .html, .jpg, .mp3, .mpeg, .mpg, .pas, .txt, .wab, and .xls. If the month is January or July, the main payload is carried out.
The thread dedicated to Internet infection collects all contacts in the Windows Address Book. To send messages to these addresses it uses its own SMTP routine and builds a list of SMTP servers by taking the domain name of each e-mail address and adding the smtp. prefix to it.
The thread for network infection reactivates every 8 hours and scans the network, leaving copies of the virus in certain shared directories under an apparently random name with a double extension. This name is in fact the name of the last file that the disk-scanning thread went over, with the extension .exe appended.
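The following triage helper is an added example, not part of this description or of any Central Command tool. It checks a WININIT.INI for the KERNEL32.DLL replacement described above, and evaluates the payload date trigger and the at-risk extension list. The [rename] section layout (destination=source) is the standard Windows 9x one; that Klez-E uses exactly this shape is an assumption, since the text only says "an appropriate entry in WININIT.INI". The sample INI content is constructed.

```python
import configparser
import os

# Indicators taken from the description above.
KLEZ_STAGED_COPY = "klezed.tt6"      # modified KERNEL32.DLL staged by the worm
KLEZ_REPLACED_DLL = "kernel32.dll"
PAYLOAD_EXTENSIONS = {".bak", ".c", ".cpp", ".doc", ".htm", ".html", ".jpg",
                      ".mp3", ".mpeg", ".mpg", ".pas", ".txt", ".wab", ".xls"}

# Constructed sample of what WININIT.INI could look like after infection.
# Assumption: a standard [rename] section in destination=source form.
SAMPLE_WININIT_INI = """[rename]
NUL=C:\\WINDOWS\\TEMP\\~df1234.tmp
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KLEZED.TT6
"""


def suspicious_rename_entries(ini_text):
    """Return (destination, source) pairs from [rename] that overwrite
    KERNEL32.DLL or reference the staged copy KLEZED.TT6."""
    # Only "=" as delimiter, otherwise the ":" in "C:" would split the key.
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keep path case exactly as written
    parser.read_string(ini_text)
    if not parser.has_section("rename"):
        return []
    hits = []
    for dest, src in parser.items("rename"):
        if (dest.lower().endswith(KLEZ_REPLACED_DLL)
                or src.lower().endswith(KLEZ_STAGED_COPY)):
            hits.append((dest, src))
    return hits


def payload_due(month, day):
    """Destructive payload trigger from the description: odd month, 6th day."""
    return month % 2 == 1 and day == 6


def at_risk(filename):
    """Whether the payload would overwrite this file, judged by extension."""
    return os.path.splitext(filename)[1].lower() in PAYLOAD_EXTENSIONS


if __name__ == "__main__":
    for dest, src in suspicious_rename_entries(SAMPLE_WININIT_INI):
        print(f"pending replacement: {dest} <- {src}")
    print("payload trigger on 6 Jan:", payload_due(1, 6))
```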