Win32/Klez.J Worm

Since 17 April 2002 a new variant of the Klez worm (Win32/Klez.J) has been in the wild and spreading rapidly worldwide. The NOD32 Antivirus System, version 1.246 and higher, detects the new infiltration. If you don't have the latest version, open the NOD32 Control Center and click on the "Update now" button. To ensure that NOD32 is always up to date, configure the Control Center to download updates automatically every hour.

The Klez worm exploits a bug found in various versions of MS Internet Explorer, MS Outlook and Outlook Express. In particular, it takes advantage of the Microsoft IE MIME Header Attachment Execution Vulnerability, which allows a program to be executed on the target computer at the moment the email is previewed. A description of the bug can be found at: www.securityfocus.com/bid/2524, and the corresponding bugfix at: www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
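Added example, not part of the original advisory: a mail-gateway style check, written here in Python, that flags attachments whose declared MIME Content-Type is a passive media type while the filename carries an executable extension, which is the header mismatch that MS01-020 addresses. The sample message, its addresses and the extension list are constructed assumptions, not a real Klez sample.

```python
"""Flag MIME parts whose declared Content-Type disagrees with an executable
filename (the header mismatch class described in MS01-020 / BID 2524).
Example added to this advisory; the sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions Windows executes directly; a "media" Content-Type on such a part
# is the pattern a mail gateway should quarantine (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}
MEDIA_PREFIXES = ("audio/", "video/", "image/", "text/")


def suspicious_parts(raw_message: bytes) -> List[Tuple[str, str]]:
    """Return (filename, declared_content_type) for every attachment whose
    declared type is a passive media type but whose name ends in an
    executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:                      # multipart containers, text bodies
            continue
        ctype = part.get_content_type()   # normalised to lowercase
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS and ctype.startswith(MEDIA_PREFIXES):
            findings.append((name, ctype))
    return findings


def build_sample() -> bytes:
    """Constructed two-part message: a harmless text body plus an attachment
    labelled as audio but named like a program (payload is dummy bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("plain text body")
    msg.add_attachment(b"not a real program", maintype="audio",
                       subtype="x-wav", filename="readme.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype in suspicious_parts(build_sample()):
        print(f"quarantine: {name} declared as {ctype}")
```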

If your computer is already infected with Klez, apply the cleaning procedure described below:

To remove Win32/Klez.J infection from your computer (including the dropped Win32/EL_Kern.C virus)

  1. For Windows 95/98/ME Operating Systems: download the file klzcln95.exe here or on this mirror
  2. For Windows NT/2000/XP Operating Systems: download the file klzclnnt.exe here or on this mirror
  3. Close all running applications
  4. Disable or quit the on-access scanner Amon
  5. Disconnect the infected computer from the network and do not reconnect it until all remaining network computers have been cleaned
  6. Run the downloaded file: klzcln95.exe or klzclnnt.exe
  7. The self-extracting archive will install to the "C:\Program Files\Eset\Klez_cln" directory
  8. Mark all hard drives and click on the "Clean" button
  9. Clean every file infected with Win32/Klez worm and Win32/EL_Kern.C virus
  10. Restart your computer after cleaning is completed
  11. Scan the whole system with the downloaded utility (use "klez_cln.bat" in the above directory) again. (Do NOT use NOD32!)
  12. Delete the "C:\Program Files\Eset\Klez_cln" directory
  13. It is very likely that the worm destroyed some NOD32 files. Please use the utility fupdate.exe (common for all platforms) here or here to force an environment update, which will restore the NOD32 installation. For more information about using this utility in a corporate environment, please read the instructions here or here.
  14. Make sure your NOD32 is updated to the latest version of the virus databases: establish an internet connection, click on the CC icon -> click on the "Update now" button