Win32:Klez-H
Win32:Klez-H is an Internet worm that also contains a compressed copy of the new variant of the Win32:Elkern virus, which is dropped and executed when the worm is run. It is quite similar to the other variants of this dangerous virus. This worm searches for email address entries in the Windows address book, in the ICQ list and in the files on the disk. It uses its own mailing routine. The infected email has the following characteristics:
Attached file: Random name with the extension .PIF, .SCR, .EXE or .BAT. It also sends a randomly chosen data file from the infected computer.

The sender address that appears in a message is chosen from a list inside the worm, so the real sender is not the one written in the message. The worm attempts to use the well-known MIME security hole in MS-Outlook, MS-Outlook Express, and Internet Explorer to run the attachment automatically.

The worm copies itself to the Windows System directory under a random filename. It then adds a registry key in the section HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it executes on Windows startup. The worm is also able to spread to remote shared disks on the network using random filenames. It also tries to disable several anti-virus products and delete some anti-virus related files.

Removal: Any avast! with a VPS file dated on or after 17th April 2002 is able to detect this worm.

Refer: Avast
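A mail-gateway check for the attachment characteristics described above, as an added example that is not part of the original description or any Avast code. The function name, the sample message and the list of "passive" content types are assumptions; the comparison of declared Content-Type against the file extension is a general heuristic for MIME-handling flaws, not a detail stated on this page.

```python
import email
from email import policy

# Extensions the description lists for the worm's attachment.
RISKY_EXT = (".pif", ".scr", ".exe", ".bat")
# Assumed list: declared types a mail client would render rather than run.
PASSIVE_PREFIXES = ("audio/", "image/", "video/", "text/")

def scan_message(raw_bytes):
    """Return (filename, declared_type, reasons) for each risky attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.strip().lower().endswith(RISKY_EXT):
            continue
        ctype = part.get_content_type()
        reasons = ["executable extension"]
        if ctype.startswith(PASSIVE_PREFIXES):
            reasons.append("declared type does not match extension")
        findings.append((name, ctype, reasons))
    return findings

# Constructed sample message (not a captured worm email).
SAMPLE = (
    b"From: a@example.com\r\n"
    b"To: b@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B"\r\n'
    b"\r\n"
    b"--B\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"hello\r\n"
    b"--B\r\n"
    b'Content-Type: audio/x-wav; name="qzkd.PIF"\r\n'
    b'Content-Disposition: attachment; filename="qzkd.PIF"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"AAAA\r\n"
    b"--B\r\n"
    b'Content-Type: application/pdf; name="report.pdf"\r\n'
    b'Content-Disposition: attachment; filename="report.pdf"\r\n\r\n'
    b"AAAA\r\n"
    b"--B--\r\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

Because the sender address is forged, a filter like this keys on the attachment itself rather than on the From header.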