FRISK Software International

Summary of W32/Klez.H@mm
Alias:I-Worm.Klez.H, W32/Klez.H
Infectable objects: PE files
Discovered: 17 Apr 2002
Definition files: 17 Apr 2002
Risk Level: High
Payload: Drops Elkern.C
Jump to:
Brief description

Brief Description

A new variant of the Klez virus has started spreading rapidly. This new variant is called Klez.H@mm and seems to be originating from Asia.

This new variant is spreading much faster than its predecessors and is both a companion virus and a worm. Klez.H@mm also drops a new virus on an infected machine, called Elkern.C.

It sends out e-mail spreading itself with random subjects and randomly named attachment. Klez.H@mm seem to be very similar to its predecessors with the exceptions that a .PDF ending has been added to the list it uses for making double extensions and that Klez.H has no payload routine itself.

Klez.H occasionally uses a social engineering trick that the other variants did not use. It then spreads through an e-mail message disguised as a cleaning tool for Klez.E. The subject line of these messages is 'Worm Klez.E immunity' and the body states that the attachment contains a special tool for defeating Klez.E. It even warns the recipient that some anti-virus products might trigger on the 'tool', but asks users to ignore the warning.

F-Prot Antivirus™ version 3.12 using virus signature files from the 17th of April detects Klez.H@mm.

FRISK Software International's Viruslab Team

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)