Real Virus!
Everyone, please take note of the remedy. Information taken from http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
These are the two files that remove the virus (Chktrust.exe and FixKlez.com; see the Symantec instructions below).
a) Copy the two files to disk A (a brand-new, formatted floppy disk).
b) Boot the computer in Safe Mode (hold Ctrl while the computer is booting, then choose Safe Mode from the menu; it is normally option 3).
c) Start --> Programs --> MS-DOS Mode
d) A:\chktrust -i FixKlez.com
f) Re-boot the computer after the scan (it will show a report).
1. Uninstall NAV.
2. Uninstall all Symantec products, including LiveUpdate and the Symantec subscription service.
3. Reinstall the Microsoft Windows Installer (MSI). (For NAV 2002 or NIS 2001/2002; see the section "To reinstall the Microsoft Windows Installer" below.)
4. Reinstall NAV.
h) Get the newest virus definitions (Symantec: Norton), e.g. save the update file to C:\Program Files\Norton\ and double-click the "0510i321.exe" file.
~~~~~~~To reinstall the Microsoft Windows Installer:
NOTE: This step only applies to the Symantec programs NAV 2002 and NIS 2001/2002, which use the Microsoft Windows Installer.
MSI might have been damaged during the virus infection process.
To make sure that MSI is running correctly, follow these steps to download and reinstall it.
NOTE: If you have Windows XP and think that the Windows Installer program has been corrupted, then you must contact Microsoft for help downloading a new copy of the program. The downloaded version of Windows Installer 2.0 listed in these steps will not work with Windows XP.
1. Install the latest version of the Microsoft Windows Installer. You can download the current version of the Installer by clicking the following link.
Windows Installer 2.0 Redistributable for Windows 95, 98, and ME
2. After downloading the installation file, run the following command line:
c:\msi\instmsi.exe /T:c:\msi\ /C
(this assumes that you copied the file to C:\msi)
To obtain and run the tool
NOTE: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.
1. Download the FixKlez.com file from http://securityresponse.symantec.com/avcenter/FixKlez.com.
2. Save the file to a convenient location, such as your download folder or the Windows desktop (or removable media that is known to be uninfected, if possible).
3. To check the authenticity of the digital signature, refer to the section The digital signature.
4. Close all programs before running the tool.
5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
6. If you are running Windows Me or XP, then disable System Restore. Please refer to the section System Restore option in Windows Me/XP for additional details.
NOTE: If you are running Windows Me/XP, Symantec strongly recommends that you do not skip this step.
7. Shut down the computer and turn off the power. Wait at least 30 seconds. This is necessary to clear the memory.
NOTE: If you are using a laptop, you should also remove the battery and then replace it.
8. Restart the computer in Safe mode (all operating systems except Windows NT).
For instructions, read the document for your operating system:
How to start Windows XP in Safe Mode.
How to start Windows 2000 in Safe mode.
How to restart Windows 9x or Windows Me in Safe Mode: hold Ctrl while booting up, then choose Safe Mode from the menu.
9. Double-click the FixKlez.com file to start the removal tool.
10. Click Start to begin the process, and allow the tool to run.
11. Restart the computer normally.
12. Run the removal tool again to ensure that the system is clean.
13. If you are running Windows Me/XP, then re-enable System Restore.
NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore was not disabled as previously directed, because Windows prevents System Restore from being modified by outside programs; an infected copy of the worm kept in the System Restore store would then survive the cleanup.
14. Run LiveUpdate to make sure that you are using the most current virus definitions.
FixKlez.com is digitally signed. Symantec recommends that you use only copies of FixKlez.com that were downloaded directly from the Symantec Security Response download site. To check the authenticity of the digital signature, follow these steps:
1. Go to http://www.wmsoftware.com/free.htm.
2. Download and save the Chktrust.exe file to the same folder in which you saved FixKlez.com (for example, the C:\Downloads folder).
3. Depending on your version of Windows, do one of the following:
Click Start, point to Programs, and click MS-DOS Prompt.
Click Start, point to Programs, click Accessories, and then click Command Prompt.
Change to the folder that contains FixKlez.com and Chktrust.exe, and then type
chktrust -i FixKlez.com
For example, if the files are in the C:\Downloads folder, enter the following commands:
cd \Downloads
chktrust -i FixKlez.com
4. Press Enter after you type each command. If the digital signature is valid, you will see the following:
Do you want to install and run "W32.Klez Fix Tool" signed on 5/2/2002 6:50 PM and distributed by Symantec Corporation.
The date and time that appear in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
If you are using Daylight Saving Time, the time that appears will be exactly one hour earlier.
If this dialog box does not appear, do not use your copy of FixKlez.com. It is not from Symantec.
5. Click Yes to close the dialog box.
6. Type exit and then press Enter to close the MS-DOS session.
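What Chktrust checks is the Authenticode signature embedded in FixKlez.com: a PKCS#7 blob stored in the PE file's attribute certificate table, covering a hash of the file that deliberately excludes the header checksum, the certificate directory entry and the certificate table itself (otherwise adding the signature would change the bytes being signed). The following Python is an added example, not Symantec's tool and not code from the page: it parses a PE image, reports whether a certificate table is present, and computes the Authenticode digest, on a constructed minimal PE32 built inline. It does not verify the PKCS#7 signature itself (that needs a crypto library such as osslsigncode or the signify Python package, both outside this page); its point is to show which bytes the signature covers and why a plain SHA-256 of the file is not the same thing.

```python
import hashlib
import struct
from dataclasses import dataclass

# Layout constants from the PE/COFF and Authenticode specifications.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


@dataclass
class PeLayout:
    checksum_off: int   # file offset of OptionalHeader.CheckSum
    secdir_off: int     # file offset of the security data-directory entry
    cert_off: int       # file offset of the attribute certificate table (0 if none)
    cert_len: int       # its size in bytes (0 if none)


def locate(data: bytes) -> PeLayout:
    """Walk the DOS and NT headers to find the fields the Authenticode hash skips."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        dirs_off = opt_off + 96
    elif magic == PE32PLUS_MAGIC:
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]   # NumberOfRvaAndSizes
    secdir_off = dirs_off + SECURITY_DIR_INDEX * 8
    cert_off = cert_len = 0
    if num_dirs > SECURITY_DIR_INDEX:
        # For this directory entry VirtualAddress is a raw file offset, not an RVA.
        cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)
    return PeLayout(opt_off + 64, secdir_off, cert_off, cert_len)


def describe_signature(data: bytes) -> dict:
    """Report whether a WIN_CERTIFICATE table is present and what it claims to hold."""
    lay = locate(data)
    if lay.cert_len == 0:
        return {"has_signature": False}
    length, revision, cert_type = struct.unpack_from("<IHH", data, lay.cert_off)
    return {"has_signature": True, "revision": revision, "cert_type": cert_type,
            "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA, "pkcs7_len": length - 8}


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash the image the way Authenticode does: everything except the CheckSum field,
    the security directory entry and the certificate table. Assumes sections are laid
    out in file order and the certificate table is last in the file (what signtool does)."""
    lay = locate(data)
    h = hashlib.new(algo)
    h.update(data[:lay.checksum_off])
    h.update(data[lay.checksum_off + 4:lay.secdir_off])
    end = lay.cert_off if lay.cert_len else len(data)
    h.update(data[lay.secdir_off + 8:end])
    return h.hexdigest()


def plain_digest(data: bytes, algo: str = "sha256") -> str:
    """Ordinary whole-file hash, for comparison with the Authenticode digest."""
    return hashlib.new(algo, data).hexdigest()


def build_minimal_pe(checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed test image (not a real program): DOS stub, PE32 headers, one 512-byte
    section and, optionally, a fake certificate table appended at the end of the file."""
    e_lfanew, size_of_headers, section_size = 0x80, 0x200, 0x200
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section
    opt = bytearray(224)                                             # PE32, 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)      # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    section_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, section_size,
                              size_of_headers, 0, 0, 0, 0, 0x60000020)
    section = (b"\xC3" * 4).ljust(section_size, b"\0")               # constructed code bytes
    cert_table = b""
    if cert_blob:                                                    # placeholder, not real DER
        body_len = (8 + len(cert_blob) + 7) // 8 * 8
        cert_table = struct.pack("<IHH", body_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        cert_table += cert_blob.ljust(body_len - 8, b"\0")
        struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8,
                         size_of_headers + section_size, body_len)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section_hdr).ljust(size_of_headers, b"\0")
    return headers + section + cert_table


if __name__ == "__main__":
    unsigned = build_minimal_pe(checksum=0x1111)
    signed = build_minimal_pe(checksum=0x2222, cert_blob=b"\x30\x82\x01\x00" + b"\xAA" * 20)
    print(describe_signature(unsigned), describe_signature(signed))
    print("authenticode digests equal:", authenticode_digest(unsigned) == authenticode_digest(signed))
    print("plain digests equal:      ", plain_digest(unsigned) == plain_digest(signed))
```

The two prints are the lesson: appending the certificate table (and updating the header checksum) leaves the Authenticode digest unchanged while changing the whole-file hash, which is why a hash published for the unsigned build can still be matched against the signed release, and why a single flipped byte inside a section invalidates the signature. A practitioner on a modern Windows box would get the full check from `signtool verify /v` or PowerShell's `Get-AuthenticodeSignature`; the point of the chktrust step above is the same: run only a copy whose signature chains to Symantec, not one forwarded by e-mail.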
Virus Particulars: W32.Klez.gen@mm
W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages.
The subject and attachment name of incoming emails are randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds.
Depending on the variant of the worm, it drops a variant of the W32.Elkern virus, which then infects the system (the variant dropped by W32.Klez.H@mm is named below).
Some variants of this worm use a technique known as "spoofing." If so, the worm randomly selects an address that it finds on an infected computer. It uses this address as the "From" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.
If you are using a current version of Norton AntiVirus and you have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP client, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
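The mail-server recommendation above (block .vbs, .bat, .exe, .pif and .scr attachments) and the MS01-020 note earlier on this page are two sides of the same filter: the extension check catches the attachment names Klez uses, and MS01-020 is the case where the declared MIME Content-Type does not match the executable body, so that Outlook runs it on preview. The Python below is an added example, not part of the original page or of any Symantec product. It parses a message with the standard library, applies both checks to every MIME part, and ignores the From: header entirely, since the "spoofing" section above explains that Klez fills it with an address harvested from the infected machine. The three sample messages are constructed here for the demonstration and are not real Klez captures.

```python
import base64
import email
import os
from email import policy

# Extensions the advisory says to block at the mail server, which also cover the
# ones the worm uses for its own attachment (.bat, .exe, .pif, .scr).
BLOCKED_EXTENSIONS = {".bat", ".exe", ".pif", ".scr", ".vbs"}


def scan_message(raw: bytes):
    """Return a list of (code, detail) findings for one RFC 822 message.

    Check 1: the attachment name's extension (case-insensitive, last extension only,
             so "report.txt.SCR" is still caught).
    Check 2: does the decoded body of any part start with the 'MZ' executable header,
             whatever Content-Type the part declares? This catches the MS01-020 pattern,
             an executable wrapped in a harmless-looking MIME type, which an extension
             filter alone misses once the name is disguised too."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container only, no body of its own
        name = part.get_filename()        # Content-Disposition filename= or Content-Type name=
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        if name:
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                findings.append(("blocked-extension", f"{name!r} ({ext})"))
        if body[:2] == b"MZ":
            findings.append(("executable-content", f"{name!r} declared as {ctype}"))
    # The From: header is deliberately never consulted: with Klez it names a victim
    # whose address was harvested, not the sender of the message.
    return findings


def verdict(raw: bytes) -> str:
    """Policy the page recommends: any finding means the message is not delivered."""
    return "block" if scan_message(raw) else "deliver"


def build_message(ctype: str, name: str, body: bytes) -> bytes:
    """Constructed two-part test message (a plain text part plus one attachment)."""
    b64 = base64.b64encode(body).decode("ascii")
    return (
        "From: harold@example.org\r\n"     # forged, as in the worm's mail; not evidence
        "To: janet@example.net\r\n"
        "Subject: Hi\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="sep"\r\n'
        "\r\n"
        "--sep\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Hello\r\n"
        "--sep\r\n"
        f'Content-Type: {ctype}; name="{name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{name}"\r\n'
        "\r\n"
        f"{b64}\r\n"
        "--sep--\r\n"
    ).encode("ascii")


# Constructed samples: an MS01-020-style executable declared as audio, a benign text
# attachment, and a renamed screensaver whose body is not a real executable.
KLEZ_LIKE = build_message("audio/x-wav", "picture.exe", b"MZ" + b"\x90" * 64)
BENIGN = build_message("text/plain", "notes.txt", b"see you tomorrow")
DISGUISED = build_message("application/octet-stream", "report.txt.SCR", b"\0" * 16)

if __name__ == "__main__":
    for label, raw in (("klez-like", KLEZ_LIKE), ("benign", BENIGN), ("disguised", DISGUISED)):
        print(label, verdict(raw), scan_message(raw))
```

The second check is the one worth keeping even after the extension list is in place: a message whose attachment is called song.wav but whose body starts with MZ is flagged on content alone, which is exactly the gap MS01-020 opened in clients that trusted the declared type.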
Virus Particulars: W32.Klez.H@mm
W32.Klez.H@mm is a modified variant of the worm W32.Klez.E@mm. This variant is capable of spreading by email and network shares. It is also capable of infecting files.
Symantec has provided a tool to remove infections of all known variants of W32.Klez and W32.ElKern. See the section "To obtain and run the tool" above.
This is the easiest way to remove these threats and should be tried first.
Note on W32.Klez.gen@mm detections:
W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most cases, the tool will be able to remove the infection.
Also Known As:
W32/Klez.h@MM, WORM_KLEZ.H, W32/Klez-G, I-Worm.Klez.h, Klez.H,
W32/Klez.H, Win32.Klez.H, WORM_KLEZ.I
This worm inserts the virus W32.Elkern.4926 as a file with a random name in the \%Program Files% folder and executes it.
NOTE: %Program Files% is a variable. The worm locates the \Program Files folder (by default this is C:\Program Files) and copies the virus to that location.