- Files wqk.exe and Winq???.exe in the system folder (usually C:\Windows\System);
The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.it detects all the known Klez versions (A, B, C, D, E, G, H);
Important: You will have to close all applications before running the
tool (including the antivirus shields) and to restart the computer afterwards.
Additionally you'll have to manually delete the infected files located in archives
and the infected messages from your mail client.
The BitDefender AntiKlez tool does the following:
it deletes the files infected with Win32.Klez;
it disinfects the files detected as Elkern (A, B, C);
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
Costin Ionescu BitDefender Virus Researcher
This new version of Klez comes as an executable file attached to the infected mail and has a random name. The mail contains the same exploit as its predecessors. The mail can have several formats and contains the texts in subject and body:
- Undeliverable mail—“”
- Returned mail—“”
- 'a %s %s game
- 'a %s %s tool
- 'a %s %s website
- 'a %s %s patch
- '%s removal tools
where %s is one of the next text:
- IE 6.0
- how are you
- let's be friends
- don't drink too much
- your password
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- Japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls vocal concert',
- Japanese lass’ sexy pictures
- The following mail can't be sent to :
- The attachment
- The file
- is the original mail
- give you the
- is a dangerous virus that
- can infect on Win98/Me/2000/XP.
- spread through email.
- For more information,please visit
- This is
- I you would it.
- New year
- Saint Valentine’s Day
- April Fools’ Day
- Lady Day
- All Souls’Day
The virus attempts to remove from memory more viruses than its previous version and even its earlier version.
It also spreads through shares in the local network by dropping a file with the name one of:
and an executable extension (bat, exe, scr).
Or a RAR archive with a random name which contains the file specified above.
Also, it contains the file infector Win32.Elkern.B, a new version of Win32.Elkern.A, which will be dropped and executed as the file %system%\wqk.exe
The virus contains the text:
Win32 Klez V2.0 & Win32 Elkern V1.1,(There nick name is Twin Virus*^__^*)
Copyright,made in Asia,announcement:
1.I will try my best to protect the user from some vicious virus,Funlove,Sircam,Nimda,CodeRed and even include W32.Klez 1.X.
2.Well paid jobs are wanted
3.Poor life should be unblessed
4.Don't accuse me.Please accuse the unfair s**t world