- File Wink??.exe in the %system% directory (usually C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System32 (Windows XP));
- A file with a random name and extension .exe in the folder C:\Program Files
The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.it detects all the known Klez versions (A, B, C, D, E, G, H);
Important: You will have to close all applications before running the
tool (including the antivirus shields) and to restart the computer afterwards.
Additionally you'll have to manually delete the infected files located in archives
and the infected messages from your mail client.
The BitDefender AntiKlez tool does the following:
it deletes the files infected with Win32.Klez;
it disinfects the files detected as Elkern (A, B, C);
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
Costin Ionescu BitDefender Virus Researcher
This is a new version of the virus Klez having a few changes from the last version (Win32.Klez.E@mm).
It comes as an attached file in a mail with the format similar to its previous version: Subject: - how are you
- let's be friends
- so cool a flash,enjoy it
- your password
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls'vocal concert
- japanese lass\' sexy pictures
- Undeliverable mail--"%s\"'
- Returned mail--"%s\"'
Where %s is replaced with a stolen subject from other e-mails
It also attaches another
file taken from the root directory, besides the file which contains the virus.
An example is this:
In addition to the mail bodies presented in the previous version it has another
message: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.
An example of such e-mail is this:
It uses the IFRAME exploit to execute automatically when the user previews the
message (with Outlook or Outlook Express). You can find description and patch for the IFRAME exploit at this link:
When it is executed the virus copies itself in the %system%
a name starting with wink.
Another major difference from the last version is that the virus that it carries with it is a new version Win32.Elkern.C. It drops this file infector in the directory C:\Program Files
with a random name and executes it.
It uses the same methods of spreading through e-mail and network as the other KLEZ versions.
The virus contains the follwing text: Win32 Klez V2.01 & Win32
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three weeks from having
such idea to accomplishing coding and testing.