
Klez & ElKern Email Viruses


These are MEDIUM RISK viruses that can infect your computer as soon as you read the email, if you use Microsoft Outlook or Outlook Express to read email. The infected email can come from addresses that you recognize. The viruses can also infect your computer through network shares.

From Symantec (Norton) - 

W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages.

The subject and attachment name of incoming emails are randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds.

Depending on which variant of the worm, the worm will drop one of the following viruses:

which will then infect the system.

Also, it will use a return email address of someone other than the person infected, making it look like it is being sent by a person who didn't really send it. This especially makes it difficult to determine who is really infected.
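For mail administrators, the attachment check implied by the description above can be written as a short filter. This is an added example, not part of the original advisory or of Symantec's text; the function name and the sample message are constructed for illustration, and the trailing-dot handling assumes the Windows behaviour of ignoring trailing dots and spaces in file names.

```python
import email

# Extensions the advisory lists for Klez attachments.
RISKY_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}


def risky_attachments(raw_message: bytes) -> list:
    """Return the file names of MIME parts whose last extension is listed."""
    msg = email.message_from_bytes(raw_message)
    flagged = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" and falls back
        # to the Content-Type "name" parameter, decoding RFC 2231 forms.
        name = part.get_filename()
        if not name:
            continue
        # Assumption: Windows ignores trailing dots/spaces, so "a.exe." runs.
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        # Only the final extension decides how the file is opened, so
        # "Photo.JPG.SCR" is treated as .scr, not as a picture.
        if dot != -1 and cleaned[dot:] in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


# Constructed sample message (not a real capture): one harmless attachment
# and two that carry a listed extension in disguised form.
SAMPLE = (
    b"From: colleague@example.edu\r\n"
    b"To: user@example.edu\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="Photo.JPG.SCR"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n\r\nfine\r\n'
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="setup.exe."\r\n\r\nAAAA\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```

Because the worm uses a return address other than the infected person's, the filter looks only at the attachments and does not rely on the From header.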

Removal - We are trying to reach on-campus faculty and staff who call as soon as possible to clean the virus. Most have been protected by Norton AntiVirus, and only received a message saying the email was infected and had been quarantined.

Symantec has released a cleaning program via the site listed below.  However, you must follow the instructions carefully, and it usually leaves infected programs damaged such that they will have to be reinstalled.  No data is lost, though.  Trend Micro has also released a fix tool (on their site below), but we are still testing its effects.  Both of these must be used in Safe Mode and should be run repeatedly until they show no infection found.

If you would like to check your machine for any viruses, try the Norton AntiVirus Online Scanner. It will prompt you a few times with a security warning about installing a small program from Symantec. Choose Yes each time to allow it to run. You will then see it scanning all your files. However, this will NOT clean your computer.

If you have any questions or concerns, please contact MicroSupport@tntech.edu or 372-6315.

More Information:


This page maintained by: Jim Johnson
Last updated: September 15, 2003