You need to view the HEADER of the message in question - either choose VIEW/Header/ALL, or choose to view the source of the message from the pull-down menu at the top of your software.

In the example of a HEADER message below, note there are a number of "received from:" entries - the important one is the bottom-most "RECEIVED: FROM....." message, which I have made RED text.  The bottom RECEIVED FROM is the place where the message entered the internet, and all the "RECEIVED FROM's above that one are merely the paths it was relayed through on it's way through the net to the recipient (The  "TO:" in the message).   The italics below are comments I added for clarification.

The "Return-Path"  can be empty, or as in this case, it might show the person whose computer was infected or else the person sending the KLEZ on purpose.  In this example, whoever IAK at was, sent me the KLEZ worm.


Status:  U
Return-Path:  <>
Received: from ([]) by penguin (EarthLink SMTP Server) with ESMTP id
17GsCc6DJ3NZFl40 for <>; Sun, 18 Aug 2002 09:09:20 -0700 (PDT)
Received: from ([] by with smtp
(Exim 3.33 #1) id 17gSc9-0003b9-00 for; Sun, 18 Aug 2002 12:09:17 -0400
Received: from ([]) by (Earthlink Mail Service) with ESMTP id
ulvhlb.l9q.37kbpqe for <>; Sun, 18 Aug 2002 12:09:15 -0400 (EDT)
Received: from ( []) by (8.11.6/verio-periwinkle) with ESMTP id
g7IG9bd14251 for <>; Sun, 18 Aug 2002 12:09:37 -0400
Received: from ( []) by (v87.21) with ESMTP id
RELAYIN7-0818120831; Sun, 18 Aug 2002 12:08:31 -0400
Received: from Xwdf ( []) by (8.10.0/8.10.0) with SMTP id
g7IG5dk305371 for <>; Sun, 18 Aug 2002 12:05:40 -0400 (EDT)
Date: Sun, 18 Aug 2002 12:05:40 -0400 (EDT)
Message-ID:  <>
From: YOURNAMEnADDRESS.HERE>  if it was sent by KLEZ to you.
To:  SOMEONE_ELSE WILL BE HERE if it was sent to them and bounced due to bad address, or else it will be yours if someone sent it to YOU
Subject:  Dependable Service


From the Symantec website:

The worm also infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

The worm also drops the virus W32.Elkern.3587 as the file %System%\wqk.exe and executes it.

Finally, the worm has a payload. On the 6th of every odd numbered month (except January or July), the worm attempts to overwrite with zeroes files that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, this payload attempts to overwrite all files with zeroes, not just those with the aforementioned extensions.

NOTE: Variations of this message have also been seen purporting to be removal tools for W32.Klez.

For information about how Klez affects a Macintosh computer, read the document Are Macintoshes affected by the Klez virus?

What to do?  

1. Make sure you have an up-to-date antivirus software and that you have it set to scan ALL files, scan BOTH incoming and outgoing email messages. AV software is far cheaper than having to rebuild your system from the original install CD.

2. Use Zone Alarm.  There is a free (the personal) version that works great.

3. If you have to use Microsoft's  Internet Explorer and/or Outlook or Outlook Express, be sure they are ALWAYS patched and up to date. MS has this fascinating website that summarizes their security patches - the number is HUGE!

3. Save the link to this page and send it to anyone that complains to you about you having sent them a message that you didn't.

4. For a full writeup on the KLEZ worm, check Norton Symantec's virus information page

5. If you think you have the KLEZ worm, get this KLEZ REMOVAL TOOL .  (And remember that sometimes people send the KLEZ worm out on purpose and label it as a "KLEZ removal tool"! )

6. Anytime anyone sends you an attachment, be absolutely certain it isn't a worm or virus before you click on it.  If in doubt, don't click on it until you have sent a query to the sender and they have responded with a verification!