Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelHigh threat
DistributionNot widespread
Common name:Klez.I
Technical name:W32/Klez.I
Threat level:Medium
Alias:W32/Klez.gen@MM,, W32/Klez.G@mm, W32/Klez.K-mm, WORM_KLEZ.G, W32/Klez.H

It steals and sends out confidential information, drops the Elkern.C virus, kills processes and deletes files.

Affected platforms:

Windows XP/2000/NT/ME/98/95

First detected on:April 17, 2002
Detection updated on:Oct. 31, 2007
Proactive protection:
Yes, using TruPrevent Technologies

Brief Description 


Klez.I is a worm that reaches computers in an e-mail message with a variable subject.

It is very easy to become infected by this worm, as it is automatically activated when the message is viewed through Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5), which allows e-mail attachments to be automatically run.

Klez.I is very dangerous because:

  • It automatically and rapidly spreads to all the contacts in Outlook's Address Book.
  • It camouflages itself by changing the sender and subject of the messages it sends out.
  • It selects files (which could contain confidential informatiom) at random from the affected computer and sends them to third-parties.
  • It deletes certain files.
  • It drops the W32/Elkern.C virus in the affected computer.

Visible Symptoms 


Klez.I is difficult to recognize, as it reaches the computer in an e-mail message with variable characteristics. Most common subjects are:

  • A powful tool
  • Worm Klez.E immunity
  • A funny website

Klez.I is characterized by its ability to modify the subjects of the messages it sends out. This makes it particularly difficult to identify the worm as it reaches the computer via e-mail. In order to generate the subjects, it uses the following:

  • Words included in its code.
  • Texts found in files on the affected computer.

For more information, consult the section Means of transmission.