Klez (pronounced KLEHZ) is an Internet worm that launches automatically when a user previews or reads an e-mail message containing Klez on a system that has not been patched for a vulnerability in Microsoft Internet Explorer mail clients. It is not necessary for a user to explicitly open an attachment in order for Klez to execute. There have been more than a half-dozen variations of Klez since it was first reported in October of 2001. Klez, which consists of two components - the main worm and a Windows executable infector, searches Windows machines for e-mail addresses in everything from documents to cached Web pages. The worm uses its own version of Simple Mail Transport Protocol (SMTP) to mail itself to the addresses it finds. Typically, the subject line in a Klez e-mail is one of 120 pre-programmed possibilities, making the worm difficult for many end-users to recognize. It copies itself to the Windows system directory with a random file name and sets the registry key to point to the worm file so that it runs on startup.
Klez is generally considered to be a nuisance worm because it doesn't carry a destructive payload, but it can overwhelm mail servers and require extensive cleanup time. Klez also has a unique "social" payload because it can spoof the "From:" field in an e-mail. You may receive an angry response to an e-mail you never sent if Klez finds your address in an infected computer and uses it. Some versions of the worm carry the Elkern virus, a malicious code that attempts to disable anti-virus software by targeting files with the names of major anti-virus vendors.
Users can prevent infection by making sure they have installed the patch for the Internet Explorer vulnerability that allows the worm to execute, and by regularly updating their anti-virus software. Symantec, which has upgraded the Klez worm and its variations to a level four threat (on a scale of five), offers a special software tool to remove the worm. Klez is thought to have originated in Asia, possibly in the Guangdong province of China, where Code Red is thought to have originated.