in32:Klez-E
in32:Klez-EThe sender address which appears in a message is chosen from a list inside the worm, so the real sender is not the one written in the message.
The worm attempts to use the well known MIME security hole in the MS-Outlook, MS-Outlook Express, and Internet Explorer to run the attachment automatically.
The worm copies itself to the Windows System directory under a random filename. Then it adds the registry key in the section HKLM\Software\Microsoft\Windows\CurrentVersion\Run to let execute itself on Windows startup. The worm may is also able to spread to remote shared disks on the network using random filenames. It also tries to disable several anti-virus products and delete some anti-virus related files.
On the 6th of March, May, September and November the worm will overwrite files on all drives which have one of the following extensions: .TXT, .HTM, .HTML, .WAB, .DOC, .XLS, .JPG, .C, .PAS, .MPG, .MPEG, .BAK and MP3. On the 6th January and July the worm will overwrite all files on all drives.
Removal:
To remove this virus please use our free avast! Virus Cleaner.
Any avast! with VPS file dated on or after 18th January 2002 is able to detect this worm.