Not guilty! Klez fakes emails from anti-virus companies

Sophos Press Release

A number of customers have contacted Sophos technical support concerned that they may have received a virus via email from Sophos.

Sophos would like to reassure its customer base that it has not been infected and has not sent any viruses to its customers.

The recent W32/Klez-H worm uses its own SMTP engine, and can appear to have come from any email address. Some infected messages have a sender field and message text which imply that the message was sent by a major anti-virus vendor (the virus can use the names Kaspersky, F-Secure, Symantec and Trend Micro as well as Sophos).

Sophos Anti-Virus has been capable of protecting against W32/Klez-H, via detection of its earlier variant W32/Klez-G, since 7 February 2002.

Some customers have also reported receiving an unsolicited email apparently from Sophos claiming to contain disinfection tools for the W32/ElKern virus (the email mistakenly refers to the virus as "W32.Elkern"). These emails contain a copy of the W32/Klez-G worm and, again, do not originate from Sophos.

Sophos recommends that users do not open or launch unsolicited executable attachments, and that they keep their anti-virus software updated.

Computer users are also advised to consider installing a patch from Microsoft which is reported to fix a vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. The vulnerability is exploited by W32/Klez-H and a number of other viruses.

