To all interested parties:

My apologies if you receive multiple copies of this announcement,
but I think it deserves a wider audience.

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory   
Michigan State University

Forwarded message:

Subject: Klez virus: Next destructive date: May 6
To: [log in to unmask] (MSU Security Announce)
Date: Thu, 2 May 2002 16:56:49 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 2130

As many of you are probably aware by now, the Klez e-mail virus/worm has
been making the rounds recently.  We have recorded a large number of
incidents involving Klez here at the Computer Laboratory.  Most of the
incidents we have logged involve student computers, but a number of
faculty/staff computers are affected as well.

The Klez worm has been challenging as well because it masquerades as
other users by using a faked "From" line.  This leads to a fair number
of misdirected complaints and/or bounced e-mail messages to users who
are not infected with the worm.  To properly identify the infected
computer, it is necessary to read through the full message headers,
in particular, the lines beginning with "Received:" (found in different
locations on different mail client programs).

I am sending this particular alert in part because of the large number
of Klez incidents we have seen, and also because the more recent
versions of this worm have a destructive behavior which is triggered on
the 6th of each odd month, making May 6 the next date with this

I would hope that most readers of the MSUSEC mailing list have up-to-date
virus protection on all computers in your area.  But you may want to
pass this notice on to your users as a reminder to ensure that virus
protections are fully in place and updated accordingly.  You should be
protected with any virus definitions dated February, 2002, or later,
but check your virus vendor web site to verify.

Some useful links on Klez:

MSU security web site:

In particular, look under "Virus Alerts" for the "Klez-E worm" page:

The Symantec web site provides a good, detailed description of the worm,
along with instructions for removal of the worm from infected computers:

  "E" variant:    http:[log in to unmask]
  "G/H" variant:  http:[log in to unmask]

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory   
Michigan State University