ARCHIVED: What is the Klez worm, and why have I gotten a message telling me I have sent it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Like certain other worms (e.g., Sobig), the Klez worm randomly selects addresses from an infected computer's address book and other files and uses them in the email messages it generates. Additionally, these worms forge ("spoof") the "From:" fields of the messages they send out. When Microsoft Forefront, the antivirus program that Indiana University uses to protect the Exchange servers, finds one of these worms in an email message internal to the IU mail system, it automatically sends a warning to the email address appearing in the "From:" field. However, since that field has been spoofed, the warning message goes to an address other than that of the sending (infected) computer.

Therefore, if you receive a message from Microsoft Forefront saying that you sent this worm, it is possible that the infected message did not actually come from your computer. However, to be safe, you should scan your computer with antivirus software, making sure you have the latest virus pattern updates. For information on updating Symantec/Norton AntiVirus, see "ARCHIVED: For Symantec virus protection software, what are my options for updating the virus definitions?"
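The following Python example is an addition to this document, not code from Indiana University, Microsoft, or Symantec. It shows why the "From:" field cannot identify the infected computer, while the "Received:" lines stamped by trusted mail servers can; the server names, addresses, and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Each server prepends its own Received: line, so the
# top lines were written by trusted servers; the lines below them and the
# From: line were supplied by the sending machine and can be forged.
SAMPLE = """\
Received: from mailhub.example.edu (mailhub.example.edu [192.0.2.10])
\tby mbox.example.edu with ESMTP id A1; Mon, 6 May 2002 10:00:02 -0500
Received: from dorm-pc-17.example.edu (dorm-pc-17.example.edu [192.0.2.77])
\tby mailhub.example.edu with SMTP id B2; Mon, 6 May 2002 10:00:01 -0500
Received: from alice-pc.example.edu ([192.0.2.5])
\tby relay.invalid with SMTP id C3; Mon, 6 May 2002 09:59:00 -0500
From: Alice <alice@example.edu>
To: bob@example.edu
Subject: constructed sample

body
"""

# Assumed names of the organization's own mail servers (hypothetical).
TRUSTED = {"mbox.example.edu", "mailhub.example.edu"}

# "from <name> ... [<ip>] ... by <server>": the name is whatever the peer
# claimed, the bracketed IP is what the receiving server itself observed.
HOP = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)", re.S)

def claimed_sender(raw):
    """Address in the From: field, which the sending machine chooses freely."""
    return parseaddr(message_from_string(raw)["From"])[1]

def submitting_host(raw, trusted=TRUSTED):
    """Return (name, ip) of the machine that handed the message to the
    first trusted server, or None if no trusted hop is present."""
    origin = None
    for header in message_from_string(raw).get_all("Received", []):
        m = HOP.search(header)
        if not m or m.group(3).lower().rstrip(";") not in trusted:
            break  # from here down the headers are sender-controlled
        origin = (m.group(1), m.group(2))
    return origin

if __name__ == "__main__":
    print("From: field says:", claimed_sender(SAMPLE))
    print("Trusted servers saw:", submitting_host(SAMPLE))
```

In the constructed message, a warning addressed to the "From:" value would reach alice@example.edu, although the trusted servers recorded 192.0.2.77 as the machine that actually submitted it.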

Note: Some Klez variants attempt to disable virus scanning software by removing startup registry keys and deleting checksum database files. Symantec has developed a Klez removal tool for several of these variants. If you suspect that your computer might have been infected, visit this site to download the tool:

  http://www.symantec.com/security_response/writeup.jsp?docid=2002-041812-3406-99

You can find additional information on the Klez worm at the following address:

  http://www.symantec.com/security_response/writeup.jsp?docid=2002-041714-3225-99

This is document akse in the Knowledge Base.
Last modified on 2018-01-18 13:19:12.