Klez Polymorphic Email Worm
Klez: One of the Most Widespread and Evasive Email Worms of the Early 2000s
Klez is a Windows-based mass-mailing email worm first discovered in October 2001, known for its polymorphic code, aggressive spread, and ability to disable antivirus tools and spoof email identities. Several variants were released throughout 2001–2002, with Klez.H becoming particularly notorious for combining worm behavior with virus-dropping and payload execution. It used its own SMTP engine, scanned address books for targets, and often masqueraded as security updates or documents.
Introduction to Klez
Klez set new standards for malware persistence and annoyance, distributing itself not just through email, but also via network shares and file attachments. It frequently spoofed the sender’s identity, making victims believe trusted contacts were behind the messages. The worm’s polymorphism made it hard to detect, while some variants even mocked antivirus vendors or tried to disable their products.
1. How Klez Works
Infection Mechanism:
Klez spread through:
- HTML email messages that exploited the Internet Explorer MIME parsing vulnerability (CVE-2001-0154)
- Attachments with executable file extensions (.exe, .scr, .pif, etc.)
- Shared drives and open network resources
- Users opening infected messages or attachments — in some cases, infection occurred automatically upon preview
Payload Execution:
Once activated, Klez:
- Installed itself on the system and copied itself to the Windows directory
- Sent itself to harvested email addresses using its own SMTP engine
- Randomly selected spoofed senders and subjects to trick recipients
In some variants:
- Dropped viruses like Elkern
- Attempted to disable antivirus software
- Displayed prank messages or corrupted files
- Saved infected payloads under names like Winklez.exe, Klez.exe, or random combinations
2. History and Notable Campaigns
Origin and Discovery:
Klez was first identified in October 2001, and new variants (like Klez.E, Klez.G, Klez.H) continued into mid-2002. It was created by unknown malware authors and is not tied to any known APT or financially motivated group.
Notable Campaigns:
- By early 2002, Klez.H was one of the most reported viruses globally, causing a major surge in email-borne threats
- It led to widespread email outages, corporate IT disruptions, and millions of infected messages daily
- Some spoofed messages even claimed to be virus removal tools, luring users into launching them
3. Targets and Impact
Targeted Victims and Sectors:
- Individual Windows users and corporate environments
- Targets were indiscriminate — Klez relied on volume and trickery, not selectivity
Consequences:
- Email server congestion and major slowdowns
- Users’ machines being used to send infected messages to contacts
- Disabling of antivirus programs, leaving systems vulnerable to other infections
- Occasional file corruption or dropped viruses depending on the variant
4. Technical Details
Payload Capabilities:
- Harvests email addresses from local files
- Spoofs sender email addresses
- Sends mass emails with attachments and various fake subject lines
In some variants:
- Disables popular antivirus software
- Writes files with non-standard extensions to bypass filters
- Drops other malware (e.g., Elkern)
Evasion Techniques:
- Polymorphic engine that changes code structure in every copy
- Uses misleading filenames and random subjects
- Exploits the Outlook preview pane, which rendered HTML mail through the vulnerable Internet Explorer MIME parser (CVE-2001-0154), enabling infection without further user interaction
- Disables AV software by terminating processes or modifying registry keys
5. Preventing Klez Infections
Best Practices (then and now):
- Never open attachments from unknown or unexpected sources
- Patch email clients and browsers — especially Internet Explorer and Outlook
- Disable auto-preview and script execution in email clients
- Use email filtering to block executable attachments
- Educate users about email spoofing and phishing tactics
Recommended Security Tools:
- Antivirus with heuristic and polymorphic detection
- Email gateways that scan for known malware signatures and block suspicious attachments
- Endpoint protection with behavioral monitoring
- OS-level protections to restrict scripting and executable launching from email clients
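The gateway-side check described above, as an added example that is not part of the original article: it parses a MIME message, flags attachments with the executable extensions listed in section 1, and separately flags an executable whose declared Content-Type claims to be a benign media type, the mismatch the Internet Explorer MIME flaw turned into an automatic launch. The sample message, the extension set beyond .exe/.scr/.pif and the media-type list are constructed for illustration.

```python
import email
import os
from email import policy

# Extensions the page lists (.exe, .scr, .pif) plus .com/.bat added here as further executable types.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
# Media types an old mail client might render automatically; an executable labelled this way is a red flag.
BENIGN_MEDIA_PREFIXES = ("audio/", "image/", "video/", "text/")

# Constructed sample message (not a real worm sample): an executable attachment
# whose declared Content-Type claims to be a sound file.
SAMPLE_MESSAGE = b"""From: alice@example.com
Subject: Important security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached update.
--b1
Content-Type: audio/x-wav; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def scan_message(raw: bytes) -> list[str]:
    """Return one finding per reason an attachment should be blocked or quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        ctype = part.get_content_type()
        if ext in EXEC_EXTENSIONS:
            findings.append(f"executable attachment: {filename}")
            # Declared type and filename disagree: type-based auto-handling in the client is being abused.
            if ctype.startswith(BENIGN_MEDIA_PREFIXES):
                findings.append(f"type mismatch: {filename} declared as {ctype}")
    return findings
```

A gateway would quarantine any message for which the list is non-empty; a plain text message with no attachments yields an empty list.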
6. Detecting and Removing Klez
Indicators of Compromise (IoCs):
- Suspicious outbound email traffic using spoofed sender addresses
- Files like winklez.exe, klez.exe, or randomly named executables in system directories
- Registry keys pointing to Klez executables
- Antivirus disabled or system behavior degraded
- Strange email replies about viruses the user never sent
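One way to turn the first indicator above, spoofed outbound mail, into a detection, as an added example that is not from the original article: it aggregates relay-log lines per submitting client and flags a host that sends many messages under many different sender addresses, which a single user's workstation does not normally do. The log format, the thresholds and the local-domain list are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed relay-log lines (not from the page): workstation 10.0.0.5 sends as five
# different people within seconds, which is how a mass-mailer with spoofed senders looks.
SAMPLE_LOG = """\
2002-04-12 09:01:02 client=10.0.0.5 from=<carol@example.com> to=<dave@example.org>
2002-04-12 09:01:03 client=10.0.0.5 from=<erin@example.net> to=<frank@example.org>
2002-04-12 09:01:03 client=10.0.0.5 from=<support@av-vendor.example> to=<grace@example.com>
2002-04-12 09:01:04 client=10.0.0.5 from=<heidi@example.org> to=<ivan@example.com>
2002-04-12 09:01:06 client=10.0.0.5 from=<judy@example.com> to=<mallory@example.net>
2002-04-12 09:02:10 client=10.0.0.7 from=<alice@example.com> to=<bob@example.org>
2002-04-12 09:05:44 client=10.0.0.7 from=<alice@example.com> to=<carol@example.com>
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) from=<(?P<sender>[^>]*)> to=<")


def summarize(log_text: str) -> dict:
    """Per submitting client: message count and the set of envelope senders it used."""
    stats = defaultdict(lambda: {"messages": 0, "senders": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["client"]]
        entry["messages"] += 1
        entry["senders"].add(m["sender"].lower())
    return stats


def flag_mass_mailers(log_text: str, local_domains=("example.com",),
                      min_messages=5, min_senders=3) -> dict:
    """Flag clients sending many messages under many identities (thresholds are assumptions)."""
    flagged = {}
    for client, entry in summarize(log_text).items():
        if entry["messages"] < min_messages or len(entry["senders"]) < min_senders:
            continue
        # A sender outside the organization's own domains, submitted from an internal
        # workstation, is spoofed by definition.
        foreign = sorted(s for s in entry["senders"]
                         if s.rsplit("@", 1)[-1] not in local_domains)
        flagged[client] = {
            "messages": entry["messages"],
            "distinct_senders": len(entry["senders"]),
            "foreign_senders": foreign,
        }
    return flagged
```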
Removal Steps:
- Run a fully updated antivirus scanner
- Delete Klez binaries and associated registry entries
- Restore disabled antivirus services or reinstall them
- Clear temporary folders and review email queues
- Notify contacts if spoofed messages were sent from your address
Professional Help:
If systems were heavily infected or AV was fully disabled, a managed incident response team or IT professional should assist with cleanup and restoration.
7. Response to a Klez Infection
Immediate Steps:
- Disconnect infected machines from the internet
- Notify affected users and advise caution about incoming spoofed emails
- Remove malware and check for residual threats like Elkern
- Re-enable and update security software
- Alert email administrators to filter or block Klez-variant messages
8. Legal and Ethical Implications
Legal Considerations:
Klez infections caused millions of dollars in damages globally but were not tied to an identifiable threat actor. Its propagation would now be prosecuted under cybercrime laws, including unauthorized access, system impairment, and identity spoofing.
Ethical Considerations:
Klez exploited human trust in email communication. By mimicking friends, coworkers, and antivirus providers, it highlighted the ethical danger of blending technical trickery with social manipulation.
9. Resources and References
- Microsoft Security Intelligence: Win32/Klez
- F-Secure: Worm:W32/Klez.H
- CERT Advisory on Klez Variants (2002)
- MITRE ATT&CK Techniques:
10. FAQs about Klez
Q: What is Klez?
A mass-mailing Windows worm that spreads via email and shared drives, using spoofed messages and polymorphic code.
Q: How did Klez spread?
Through infected emails, often with attachments that triggered on open — sometimes even via preview alone.
Q: Was Klez destructive?
Mostly disruptive. Some variants corrupted files or dropped other malware, but its main damage was email flooding and antivirus disabling.
Q: Can Klez still infect systems today?
Modern systems are protected, and the worm no longer circulates, but it remains a textbook example of early email-based threats.
11. Conclusion
Klez was a milestone in early 2000s malware, combining technical evasion, spoofing, and mass mailing to create a massive and prolonged global disruption. Its polymorphic nature made it hard to detect, while its deceptive emails exploited trust on a personal level. Though long since neutralized, Klez helped shape modern antivirus strategies and email security policies still in use today.