Klez-E: Sophos users are protected

Sophos Press Release

Media reports and announcements from various anti-virus vendors have warned that the W32/Klez-E worm will initiate a destructive payload today, 6 March.

On the sixth day of any odd numbered month (in other words, January, March, May, July, September and November) the worm triggers its payload.

On the sixth of March, May, September and November the worm overwrites files with the following extensions: .TXT, .HTM, .HTML, .WAB, .DOC, .XLS, .JPG, .C, .PAS, .MPG, .MPEG, .BAK and .MP3.

On the sixth of January or July the W32/Klez-E worm overwrites all files.

Because of its destructive payload, W32/Klez-E has attracted a lot of attention from the media. However, Sophos first published protection against W32/Klez-E on 17 January 2002, and it is built into Sophos Anti-Virus version 3.55 (March 2002). As such, customers who have kept their anti-virus protection up to date should have nothing to fear from W32/Klez-E.

Coincidentally, today is the 10th anniversary of the Michelangelo virus scare which dominated news headlines on 6 March 1992.


More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.