
JSI Tip 6197. How do I identify, recover from, and prevent infections from the W32.Klez worm virus?

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q811010 contains:

SUMMARY

This article describes how to determine if your computer is infected with the W32.Klez.gen@mm (W32.Klez) worm virus, how to recover from an infection, and how to prevent future infections with this virus.

W32.Klez is a mass-mailing worm that searches for e-mail addresses and sends messages to all the recipients that it finds. The subject and attachment name of the e-mail messages are randomly chosen. The attachment has one of the following extensions:
  • .bat
  • .exe
  • .pif
  • .scr
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express that was first fixed in the following Microsoft Security Bulletin:

The worm tries to run itself when you open or preview the e-mail message. You do not have to open the attachment for the worm to run. For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:
290108 Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment
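The mail-side pattern described above can be checked at a gateway or in a mailbox scan. The following Python is an added example, not part of the KB article: it parses a constructed message and flags attachments carrying one of the extensions the article lists, and, as an added heuristic the article does not state, also reports when such an attachment is declared under a non-application MIME type (the kind of header mismatch that let the client run it).

```python
import email
from email import policy

# Attachment extensions the article lists for W32.Klez mail.
KLEZ_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}

# Constructed sample message: one executable attachment whose declared
# MIME type (audio) does not match its .exe name.
SAMPLE_EML = b"""From: someone@example.invalid
To: you@example.invalid
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

def triage_message(raw):
    """Return [(filename, declared type, reasons)] for flagged attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        ctype = part.get_content_type()
        reasons = []
        if ext in KLEZ_EXTENSIONS:
            reasons.append("executable extension " + ext)
            # Heuristic added here (not from the article): an executable
            # attachment labelled as audio/image/text is a MIME mismatch.
            if not ctype.startswith("application/"):
                reasons.append("declared as " + ctype)
        if reasons:
            findings.append((name, ctype, reasons))
    return findings
```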

MORE INFORMATION

Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For a list of antivirus software manufacturers, click the following article number to view the article in the Microsoft Knowledge Base:
49500 List of Antivirus Software Vendors

Symptoms of W32.Klez Infection

  • Antivirus software indicates W32.Klez.gen@mm is present.
  • Programs do not function as expected or they stop unexpectedly, for example:
    • When you use Microsoft Word, the computer stops responding (hangs).
    • Microsoft Office programs such as Word and Microsoft Excel must use a converter to display the file correctly.
    • You receive the following error message when you start a program:
      Starting, not enough memory to start certain program
  • Windows-based programs run very slowly.
  • Documents do not open properly, or when they open, they do not contain all the correct information.
  • You cannot start Windows Task Manager.

    Note To start Task Manager, right-click a blank area of the taskbar, and then click Task Manager.
  • Your antivirus program no longer runs.
  • A file named Krn132.exe exists in the C:\Windows\System folder.
  • There is a reference to a file named Winkxxx.exe in a registry key (where xxx is a random value). To confirm this behavior:
    1. Quit all running programs.
    2. Click Start, click Run, type msconfig in the Open box, and then click OK.
    3. Click the Services tab, and then click to select the Hide All Microsoft Services check box.
    4. In the list of running services, determine if the following service is running:
      • Winkxxx, where xxx is two to three random characters appended to the word Wink, for example, Winkap, Winkzfu, or Winknwk.
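The file and service checks above can be scripted. The Python below is an added example, not from the KB article: it matches a host inventory (here a constructed one) against the two indicators the article names, and its Windows-only collector assumes, which the article does not state, that the services shown on msconfig's Services tab are the subkeys of HKLM\SYSTEM\CurrentControlSet\Services.

```python
import os
import re
import sys

# Indicators the article lists: Krn132.exe in the Windows System folder, and a
# service whose name is "Wink" plus two or three random characters.
KRN_FILE = "krn132.exe"
WINK_SERVICE = re.compile(r"^wink[a-z0-9]{2,3}$", re.IGNORECASE)

def match_indicators(services, system_files):
    """services: {service name: image path}; system_files: file names from the
    System folder. Returns a list of findings (empty means nothing matched)."""
    findings = []
    for name, image in services.items():
        if WINK_SERVICE.match(name):
            findings.append("service " + name + " -> " + image)
    for fname in system_files:
        if fname.lower() == KRN_FILE:
            findings.append("file " + fname + " present in System folder")
    return findings

def collect_from_windows():
    """Live collection, Windows only. Assumption: the services msconfig shows
    are the subkeys of HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live collection runs only on Windows")
    import winreg
    services = {}
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            sub = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, sub) as sk:
                    services[sub] = winreg.QueryValueEx(sk, "ImagePath")[0]
            except OSError:
                services[sub] = ""  # service without an ImagePath value
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System")
    files = os.listdir(sysdir) if os.path.isdir(sysdir) else []
    return services, files

# Constructed inventory standing in for a scan of an infected host.
SAMPLE_SERVICES = {"Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
                   "Winkzfu": r"C:\WINDOWS\SYSTEM\Winkzfu.exe"}
SAMPLE_FILES = ["user.exe", "Krn132.exe"]

if __name__ == "__main__":
    for line in match_indicators(SAMPLE_SERVICES, SAMPLE_FILES):
        print(line)
```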

Recovering from and Preventing a W32.Klez Infection

  1. Scan your computer with an updated antivirus program. If you do not have an antivirus program installed, Trend Micro, Inc. offers a free online virus scanning service at the following Trend Micro Web site:

  2. Run a W32.Klez removal tool. A number of antivirus vendors offer free tools to remove W32.Klez virus infections. The following list describes two ways to obtain these tools. These tools perform the following tasks:
    • They quit all processes used by the virus.
    • They delete (or repair if possible) any infected files.
    • They remove registry entries created by the virus.
    • They detect any suspicious activities or infections.
  3. If you are running a version of Internet Explorer earlier than Internet Explorer 5.01 Service Pack 2 (SP2), install the update that is described at the following Microsoft Web site:

    For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:
    290108 Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment

    To obtain all the latest security patches, visit the following Windows Update Web site:

  4. Reinstall your antivirus program (if it stopped working).
  5. Make sure your antivirus software is up to date, and then re-scan your computer to make sure that the virus has been removed completely. For a list of antivirus vendors, click the article number below to view the article in the Microsoft Knowledge Base:
    49500 List of Antivirus Software Vendors

  6. Turn off Active Scripting in Outlook and Outlook Express.

    Outlook Express 4.x

    1. Start Outlook Express.
    2. On the Tools menu, click Options.
    3. On the Security tab, click Restricted sites zone in the Zone box, and then click Settings.
    4. When you are notified that you are about to change the security settings, click OK.
    5. Click Custom (for expert users).
    6. Click Disable under Active scripting in the Scripting area.
    7. Click OK, click OK, and then click OK.

    Outlook Express 5.x

    1. Start Outlook Express.
    2. On the Tools menu, click Options.
    3. On the Security tab, click Restricted sites zone, and then click OK.
    4. Start Internet Explorer.
    5. On the Tools menu, click Internet Options.
    6. On the Security tab, click Restricted sites, and then click Custom Level.
    7. Click Disable under Active Scripting in the Scripting area.
    8. Click OK, click Yes if you are prompted, and then click OK.

    Outlook Express 6.x

    1. Start Outlook Express.
    2. On the Tools menu, click Options.
    3. On the Security tab, under Virus Protection, click either Restricted Sites Zone (More secure) or Internet Zone (Less secure, but more functional) under Select the Internet Explorer security zone to use.
    4. Click to select the Warn me when other applications try to send mail as me check box.
    5. Click to select the Do not allow attachments to be saved or opened that could potentially be a virus check box.
    6. Click OK.

    Outlook 2000 and 2002

    1. Start Outlook.
    2. On the Tools menu, click Options.
    3. On the Security tab, click Restricted sites in the Zone box, and then click OK.
    4. Click Zone Settings.
    5. Click OK to confirm that you want to change Internet Explorer security settings.
    6. On the Security tab, click Restricted sites, and then click Custom Level.
    7. Click Disable under Active Scripting in the Scripting area.
    8. Click OK, click Yes if you are prompted, and then click OK.
    9. Click OK.
    10. Hide the Preview pane (if it is visible). To do so, click View, and then click Preview Pane.
    11. If you are using Outlook 2000 Service Pack 1 (SP1) or an earlier version of Outlook, install the Outlook E-mail Security Update. For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:
      235309 Outlook E-mail Attachment Security Update

REFERENCES

For additional information about this virus, click the following article number to view the article in the Microsoft Knowledge Base:
316658 OL2000: VIRUS ALERT: The w32.klez.e@mm "Klez" Virus

323037 WD: Text Is Displayed as Unreadable Symbols When You Open a Document

For information about this virus, visit the following third-party Web sites:

  • McAfee
  • Norman
  • Symantec
  • F-Secure
  • Sophos


Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
