
Win32.Klez.E@mm

MEDIUM
LOW
80 Kbytes
(W32/Klez)

Symptoms

- Files wqk.exe and Winq???.exe in the system folder (usually C:\Windows\System);

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the
tool (including the antivirus shields) and to restart the computer afterwards.
Additionally you'll have to manually delete the infected files located in archives
and the infected messages from your mail client.


The BitDefender AntiKlez tool does the following:
  • it detects all the known Klez versions (A, B, C, D, E, G, H);

  • it deletes the files infected with Win32.Klez;

  • it disinfects the files detected as Elkern (A, B, C);

  • it kills the process from memory;

  • it repairs the Windows registry.


  • You may also need to restore the affected files.

Analyzed By

Costin Ionescu, BitDefender Virus Researcher

Technical Description:

This new version of Klez arrives as an executable file with a random name attached to the infected mail. The mail uses the same exploit as its predecessors. The mail can take several formats; its subject and body are built from the following texts:

- Hi,
- Hello,
- Re:
- Fw:
- Undeliverable mail--"
- Returned mail--"
- a %s %s game
- a %s %s tool
- a %s %s website
- a %s %s patch
- %s removal tools


where each %s is one of the following words:

- new
- funny
- nice
- humour
- excite
- good
- powful
- WinXP
- IE 6.0
- W32.Elkern
- W32.Klez


Or one of:

- how are you
- let's be friends
- darling
- don't drink too much
- your password
- honey
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- questionnaire
- congratulations
- sos!
- Japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls vocal concert
- Japanese lass' sexy pictures
- The following mail can't be sent to :
- The attachment
- The file
- is the original mail
- give you the
- is a dangerous virus that
- can infect on Win98/Me/2000/XP.
- spread through email.
- For more information,please visit
- This is
- I you would it.
- Christmas
- New year
- Saint Valentine's Day
- Allhallowmas
- April Fools' Day
- Lady Day
- Assumption
- Candlemas
- All Souls' Day


The virus attempts to remove more viruses from memory than its previous version did, including earlier versions of Klez itself.

It also spreads through shares on the local network by dropping a file whose name is one of:

- setup
- install
- demo
- snoopy
- picacu
- kitty
- play
- rock


with an executable extension (bat, exe, scr), or a RAR archive with a random name that contains the file described above.

The virus also carries the file infector Win32.Elkern.B, a new version of Win32.Elkern.A, which is dropped and executed as the file %system%\wqk.exe.
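As an added illustration (not part of the Bitdefender page or its AntiKlez tool), the following Python assembles the mail-subject and file-name indicators from the lists above and checks constructed sample subjects and share paths against them. It assumes the "Hi,", "Hello,", "Re:" and "Fw:" strings act as optional subject prefixes, and it carries only a subset of the fixed subject texts.

```python
import re

# Indicators transcribed from the description above: subject templates,
# fill-in words, a subset of the fixed subjects, share drop names, system files.
SUBJECT_TEMPLATES = ["a %s %s game", "a %s %s tool", "a %s %s website",
                     "a %s %s patch", "%s removal tools"]
FILL_WORDS = ["new", "funny", "nice", "humour", "excite", "good", "powful",
              "WinXP", "IE 6.0", "W32.Elkern", "W32.Klez"]
FIXED_SUBJECTS = ["how are you", "let's be friends", "darling", "your password",
                  "some questions", "please try again", "meeting notice",
                  "questionnaire", "congratulations", "sos!", "eager to see you"]
# "Hi," / "Hello," / "Re:" / "Fw:" are treated as optional subject prefixes, an
# assumption: the page lists them without saying where in the mail they appear.
_PREFIX_RE = re.compile(r"^(?:(?:(?:hi|hello),|re:|fw:)\s*)+", re.IGNORECASE)
_DROP_RE = re.compile(r"^(?:setup|install|demo|snoopy|picacu|kitty|play|rock)"
                      r"\.(?:bat|exe|scr)$", re.IGNORECASE)
_SYSTEM_RE = re.compile(r"^(?:wqk\.exe|winq.{3}\.exe)$", re.IGNORECASE)

def expand_templates():
    """Expand each template with every combination of the fill-in words."""
    out = set()
    for tmpl in SUBJECT_TEMPLATES:
        if tmpl.count("%s") == 1:
            out.update(tmpl % w for w in FILL_WORDS)
        else:
            out.update(tmpl % (a, b) for a in FILL_WORDS for b in FILL_WORDS)
    return out

KNOWN_SUBJECTS = {s.lower() for s in expand_templates() | set(FIXED_SUBJECTS)}

def is_klez_subject(subject):
    """True if the subject, minus any Hi,/Hello,/Re:/Fw: prefix, is a Klez.E text."""
    core = _PREFIX_RE.sub("", subject.strip())
    return core.lower() in KNOWN_SUBJECTS

def is_klez_drop_name(path):
    """True if the file name is a share drop name or a system-folder symptom."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return bool(_DROP_RE.match(name) or _SYSTEM_RE.match(name))

# Constructed sample input for a stand-alone run.
SAMPLE_SUBJECTS = ["Re: a new funny game", "Quarterly report", "Hi, W32.Klez removal tools"]
SAMPLE_PATHS = [r"\\fs01\public\setup.scr", r"C:\Windows\System\wqk.exe", "setup.msi"]

def scan(subjects=SAMPLE_SUBJECTS, paths=SAMPLE_PATHS):
    """Return (matching subjects, matching file paths)."""
    return ([s for s in subjects if is_klez_subject(s)],
            [p for p in paths if is_klez_drop_name(p)])
```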

The virus contains the text:

Win32 Klez V2.0 & Win32 Elkern V1.1,(There nick name is Twin Virus*^__^*)
Copyright,made in Asia,announcement:
1.I will try my best to protect the user from some vicious virus,Funlove,Sircam,Nimda,CodeRed and even include W32.Klez 1.X.
2.Well paid jobs are wanted
3.Poor life should be unblessed
4.Don't accuse me.Please accuse the unfair s**t world