Win32/Klez.J Worm
Since 17 April 2002 a new variant of the Klez worm (Win32/Klez.J) has been in the wild and spreading rapidly worldwide. The NOD32 Antivirus System, version 1.246 and higher, detects this new infiltration. If you do not have the latest version, open the NOD32 Control Center and click the "Update now" button. To ensure that NOD32 is always up to date, configure the Control Center to download updates automatically every hour.
The Klez worm exploits a bug found in various versions of MS Internet Explorer, MS Outlook and Outlook Express. In particular, it takes advantage of the Microsoft IE MIME Header Attachment Execution Vulnerability, which allows a program to be executed on the target computer at the moment the email is previewed, without the user opening the attachment. A description of the bug can be found at: www.securityfocus.com/bid/2524,
and the corresponding bugfix at: www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
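The bug referenced above (MS01-020) is triggered by an attachment whose declared MIME Content-Type is a harmless media type the mail client renders automatically, while the attachment itself is an executable. The following Python script is an added example written for this page, not ESET's code or part of the original advisory: it walks a MIME message and flags any attachment whose filename has an executable extension but whose part is declared as audio, image, video or text. The sample message, the sender and recipient addresses and the list of extensions are constructed for the example; a mail gateway or mailbox scanner would feed it real messages instead.

```python
"""Flag MIME parts whose declared Content-Type is a benign media type while the
attachment filename carries an executable extension (the MS01-020 pattern).
Added example for this advisory; the sample message below is constructed."""
import email
import os
from email import policy

# Extensions that Windows treats as directly executable (assumed list for the example).
EXEC_EXT = {".exe", ".scr", ".pif", ".bat", ".com"}
# Major MIME types a mail client may render or play without asking the user.
AUTO_RENDERED_TYPES = {"audio", "image", "video", "text"}


def is_suspicious(content_type: str, filename: str) -> bool:
    """True when an executable filename hides behind an auto-rendered media type."""
    ext = os.path.splitext(filename)[1].lower()
    major_type = content_type.split("/", 1)[0].lower()
    return ext in EXEC_EXT and major_type in AUTO_RENDERED_TYPES


def suspicious_parts(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (content_type, filename) for every mismatched attachment in a message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # inline body parts carry no filename; nothing to check
        content_type = part.get_content_type()
        if is_suspicious(content_type, filename):
            hits.append((content_type, filename))
    return hits


# Constructed sample: one HTML body, one executable disguised as a WAV file,
# one genuine JPEG attachment. Addresses and payloads are placeholders.
SAMPLE_MESSAGE = b"""From: sender@example.test
To: recipient@example.test
Subject: constructed sample message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>hello</body></html>
--b1
Content-Type: audio/x-wav; name="sound.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sound.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1
Content-Type: image/jpeg; name="photo.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg"

/9j/4AAQSkZJRg==
--b1--
"""

if __name__ == "__main__":
    for ctype, name in suspicious_parts(SAMPLE_MESSAGE):
        print(f"mismatch: declared {ctype} but attachment is {name}")
```

Only the WAV-labelled part is reported; the JPEG is declared as an image and named as one, and an executable sent openly as application/octet-stream is left to the antivirus scanner rather than this header check.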
If your computer is already infected with Klez, apply the cleaning procedure described below:
To remove the Win32/Klez.J infection from your computer (including the dropped Win32/EL_Kern.C virus):
- For Windows 95/98/ME operating systems: download the file klzcln95.exe here or on this mirror
- For Windows NT/2000/XP operating systems: download the file klzclnnt.exe here or on this mirror
- Close all running applications
- Disable or quit the on-access scanner Amon
- Disconnect the infected computer from the network and do not reconnect it until all other computers on the network have been cleaned
- Run the downloaded file: klzcln95.exe or klzclnnt.exe
- The self-extracting archive will install to the "C:\Program Files\Eset\Klez_cln" directory
- Mark all hard drives and click the "Clean" button
- Clean every file infected with the Win32/Klez worm and the Win32/EL_Kern.C virus
- Restart your computer after cleaning is completed
- Scan the whole system with the downloaded utility again (use "klez_cln.bat" in the above directory). Do NOT use NOD32 for this scan!
- Delete the "C:\Program Files\Eset\Klez_cln" directory
- It is very likely that the worm destroyed some NOD32 files. Please use the utility fupdate.exe (common for all platforms), available here or here, to force an environment update, which will restore the NOD32 installation. For more information about using this utility in a corporate environment, please read the instructions here or here.
- Make sure your NOD32 is updated to the latest version of the virus databases: establish the internet connection, click the Control Center (CC) icon, then click the "Update now" button