• Welcome to AppraisersForum.com, the premier online  community for the discussion of real estate appraisal. Register a free account to be able to post and unlock additional forums and features.

Forum Sponsor - a la mode

QuickSource provides a single-source solution to easily import, compare, and manage data from multiple, credible sources in every report. See what the next game-changer is really all about.

Klez virus: New "mutation"

Not open for further replies.

Julio E. Sune Jr. (FL)

Senior Member
Jan 16, 2002
Professional Status
Certified Residential Appraiser
This is the body of the main message from ZDNET--[ Klez.h]
{Still can't figure out what happened to the above links}

Klez.h worm continues to spread
By Robert Vamosi
ZDNet Reviews
April 23, 2002

Another member of the Klez worm family is spreading fast across the Internet.
Klez.h ([email protected], also known as Klez.g and Klez.k) is a significant
variation of existing worms Klez.e and Klez.a. Klez.h has evolved dramatically
enough to be able to slip past recent antivirus signature files on some PCs. A
few users will need to update their antivirus signature files to specifically
include Klez.h. Because of its rapid spread, Klez.h rates a 6 on the ZDNet
Virus Meter.

How it works
Klez.h arrives as e-mail with a subject line that contains 1 of approximately 120 phrases, such as:

Re: A WinXP patch
Undeliverable mail--"(random)"
Returned mail--"(random)"
(random)(random) game
(random) (random) tool
(random) (random) website
(random) (random) patch
(random) removal tools
how are you
let's be friends

Some of the random words above are specific antivirus software vendor names or
virus-specific names. The body text of the infected e-mail also has many variations and may include one of the following:

This is a special humour game
This is my first work.
Your're the first player.
I would expect you would enjoy it (virus name) is a dangerous virus that spread through email.
(Antivirus vendor) give you the (virus name) removal tools. For more information, please visit
http://www.(antivirus vendor).com

Once active on a PC, Klez.h bypasses installed e-mail software by using its own SMTP
server to send infected copies of itself. To locate addresses, the worm searches files on the hard drive, looking for various file extensions that may contain e-mail addresses. On
networked drives, Klez.h will simply copy itself to remote disk drives by creating a random filename, then adding an .exe, .pif, .com, .bat, or .scr extension.

Like several other recent worms, Klez.h attempts to disable antivirus software installed on the infected computer. For more details regarding the original Klez worm, see this alert; for details on the previous variation Klez.E, see this alert.

Klez.h contains an upgraded version of the Elkern virus. Elkern.c (w32.elkern.c) runs under Windows 98, Me, 2000, and XP. Elkern.c adds a hidden file, wqk.exe, to Registry entry
HKLMSoftwareMicrosoftWindowsCurrentVersionRunWQK, which is in Windows 98 and Me. Under Windows 2000 and XP, it adds wqk.dll to Registry key
HKLMSoftwareMicrosoftWindowsNTCurrentVersionWindowsAppInit_DLLs. These files are added so that Elkern.c runs anytime Windows is run. Elkern.c can corrupt files without changing their size.

Klez.h uses a well-known vulnerability in Outlook Express that is included in versions of
Internet Explorer 5.01 and 5.5. Microsoft has previously released a patch for this. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6 using the full installation setting.

All antivirus software companies have updated their signature files to include Klez.h. This will stop the infection upon contact and in some cases additional tools are available to help you remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, Kaspersky,McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
:( :(
Not open for further replies.
Find a Real Estate Appraiser - Enter Zip Code

Copyright © 2000-, AppraisersForum.com, All Rights Reserved
AppraisersForum.com is proudly hosted by the folks at

AdBlock Detected

We get it, advertisements are annoying!

Sure, ad-blocking software does a great job at blocking ads, but it also blocks useful features of our website. For the best site experience please disable your AdBlocker.

I've Disabled AdBlock
No Thanks