This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
1) The worm interferes with running programs and frequently displays a fake error message:
Note - the name displayed is random but is always an EXE.
2) Unfamiliar WINKxxx.EXE files in the \WINDOWS\SYSTEM folder (e.g., WINKIDT.EXE or WINKKR.EXE).
3) A reference to a WINKxxx.EXE file (where "xxx" looks random) in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
4) Executable files have "companions" of about the same size with a random extension (e.g., apart from MSOFFICE.EXE you may have MSOFFICE.HRH, which is a hidden system file). In addition, if you run an infected file, you will temporarily have a third file with "~1" in the name (e.g., NETSCAPE.EXE will have not only NETSCAPE.PXB but also NETSCA~1.EXE, of exactly the same size as NETSCAPE.EXE). This third file is a reconstructed host, and the worm deletes it once you quit the program.
5) This worm also causes serious system performance degradation and some programs stop running.
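A triage check for indicators 2 to 4 above, as an added example that is not part of the original description. It works on a directory listing and Run/RunOnce values that have already been collected; the Entry record, the 1-4 character bound on the random suffix, the 10% size tolerance and the sample listing are assumptions made for illustration.

```python
import re
from collections import namedtuple

# One directory entry: file name, size in bytes, Hidden and System attributes.
Entry = namedtuple("Entry", "name size hidden system")

# "WINK" + random characters + ".EXE". The 1-4 character bound is an assumption
# based on the examples in the description (WINKIDT.EXE, WINKKR.EXE).
WINK_RE = re.compile(r"(?:^|\\)(WINK[A-Z0-9]{1,4}\.EXE)\b", re.I)
SIZE_TOLERANCE = 0.10  # assumption: "about the same size" means within 10%

def split(name):
    stem, _, ext = name.upper().rpartition(".")
    return stem, ext

def find_indicators(system_dir, program_dir, run_values):
    """Return sorted (indicator, detail) pairs for indicators 2, 3 and 4."""
    hits = set()
    # 2 and 3: WINKxxx.EXE in the SYSTEM folder or referenced from Run/RunOnce.
    for kind, texts in (("wink_file", [e.name for e in system_dir]), ("run_key", run_values)):
        for m in filter(None, map(WINK_RE.search, texts)):
            hits.add((kind, m.group(1).upper()))
    for exe in program_dir:  # 4: companions of an executable
        stem, ext = split(exe.name)
        if ext != "EXE":
            continue
        for other in program_dir:
            if other is exe:
                continue
            o_stem, o_ext = split(other.name)
            pair = f"{exe.name} / {other.name}"
            close = abs(other.size - exe.size) <= SIZE_TOLERANCE * exe.size
            # Same name, other extension, Hidden + System, about the same size.
            if o_stem == stem and o_ext != "EXE" and other.hidden and other.system and close:
                hits.add(("hidden_companion", pair))
            # Temporary reconstructed host: first six characters + "~1", same size.
            if o_stem == stem[:6] + "~1" and o_ext == "EXE" and other.size == exe.size:
                hits.add(("reconstructed_host", pair))
    return sorted(hits)

# Constructed sample listing (not real scan output).
SAMPLE_SYSTEM = [Entry("KERNEL32.DLL", 471040, False, False), Entry("WINKIDT.EXE", 90000, False, False)]
SAMPLE_PROGRAMS = [
    Entry("NETSCAPE.EXE", 200000, False, False),
    Entry("NETSCAPE.PXB", 198500, True, True),
    Entry("NETSCA~1.EXE", 200000, False, False),
    Entry("NETSCAPE.INI", 900, False, False),
]
SAMPLE_RUN = [r"C:\WINDOWS\SYSTEM\WINKIDT.EXE", r"C:\WINDOWS\SYSTRAY.EXE"]
```

A name that merely starts with WINK can belong to legitimate software, so treat a single hit as a lead to confirm with an up-to-date scanner rather than as a verdict.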
Methods of Infection
When the email is opened, the worm immediately activates using the mentioned vulnerability (previewing the message may be enough if your system is not patched). The worm copies itself under the name WINKxxx.EXE (where xxx are random characters) into the WINDOWS\SYSTEM folder (the location can differ if your installation is not a default one), and this file is set to run every time the system starts.
W32/Klez.e@MM is based on W32/Klez.gen@MM, but unlike its predecessors this variant can itself infect files (on top of being able to drop the W95/Elkern.cav.b virus). The W32/Klez.e@MM worm overwrites files and pads them with zeroes to the original uninfected host size. The worm saves the original contents of the hosts in files with the same name and a random extension. These files are "Hidden" and "System" (to see them, change "View/Folder Options" in Windows Explorer by selecting "Show all files").
Running an infected file causes the worm to reconstruct the uninfected host file from the saved data. Such reconstructed files have "~1" appended to the name (e.g., an infected MSOFFICE.EXE will be accompanied by an uninfected MSOFFI~1.EXE). The worm deletes them as soon as the program stops running, so they exist only temporarily.
W32/Klez.e@MM sends itself out using the SMTP protocol. It harvests the Windows address book for email addresses.
The virus may save a copy of itself into .RAR archives.
There is a date-activated payload associated with this threat. On the 6th day of March, May, September, or November, the virus may overwrite local and network files containing the following extensions with zeros: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3.
If the month is January or July, all files may be overwritten. This behavior was not observed in a lab environment.
Aliases: I-Worm/Klez.E (AVP), W32.Klez.E@mm (Symantec), W32/Klez.F (Panda), Win32.HLLM.Klez.1 (DrWeb), Worm/Klez.E (H+BEDV), WORM_KLEZ.E (Trend)