h) Get the
newest virus updates. (Symantec: Norton)
updates on May 10: 1, 2,
3; you need all three files, and put them all to
your Norton directory:
e.g. C:\Program Files\Norton\
double click on the "0510i321.exe"
file.
~~~~~~~To reinstall the Microsoft Windows
Installer:
NOTE: This step only applies to Symantec programs NAV 2002 and
NIS 2001/2002 that use the Microsoft Windows Installer, .
MSI might have been damaged during the virus infection process.
To make sure that MSI is running correctly follow these steps to download
and reinstall
the program.
NOTE: If you have Windows XP and think that the Windows Installer
program has been corrupted, then you must contact Microsoft for help downloading
a new copy of the program. The downloaded version of Windows Installer 2.0
listed in these steps will not work with Windows XP.
1. Install the latest version of the Microsoft Windows Installer.
You can download the current version of the Installer by clicking the following
link.
Windows Installer 2.0 Redistributable for Windows 95, 98, and
ME
2. After downloading the installation file, run the following
command line:
c:\msi\instmsi.exe /T:c:\msi\ /C
(this assumes that you copied the file to C:\msi)
To
obtain and run the tool
NOTE: You must have
administrative rights to run this tool on Windows NT 4.0, Windows 2000, or
Windows XP.
1. Download the FixKlez.com
file from http://securityresponse.symantec.com/avcenter/FixKlez.com.
2. Save the file to a convenient location, such as your download folder or
the Windows desktop (or removable media that is known to be uninfected, if
possible).
3. To check the authenticity of the digital signature, refer to the section
The digital signature.
4. Close all programs before running the tool.
5. If you are on a network or if you have a full-time connection to the Internet,
disconnect the computer from the network and the Internet.
6. If you are running Windows Me or XP, then disable System Restore. Please
refer to the section System Restore option in Windows Me/XP for additional
details.
NOTE: If you are running
Windows Me/XP, Symantec strongly recommends that you do not skip this step.
7. Shut down the computer
and turn off the power. Wait at least 30 seconds. This is necessary to clear
the memory.
NOTE: If you are using
a laptop, you should also remove the battery and then replace it.
8. Restart the computer
in Safe mode (All operating systems except Windows NT).
9. Double-click the
FixKlez.com file to start the removal tool.
10. Click Start to begin the process, and allow the tool to run.
11. Restart the computer normally.
12. Run the removal tool again to ensure that the system is clean.
13. If you are running Windows Me/XP, then re-enable System Restore.
NOTE: The removal
procedure might be unsuccessful if Windows Me/XP System Restore was not disabled
as previously directed because Windows prevents System Restore from being
modified by outside programs. Because of this, the removal tool might fail.
14. Run LiveUpdate
to make sure that you are using the most current virus definitions.
The
digital signature
FixKlez.com is digitally signed. Symantec recommends that you use only copies
of FixKlez.com that were downloaded directly from the Symantec Security Response
download site. To check the authenticity of the digital signature, follow
these steps:
1. Go to http://www.wmsoftware.com/free.htm.
2. Download and save the Chktrust.exe file to the same folder in which you
saved FixKlez.com (for example, the C:\Downloads folder).
3. Depending on your version of Windows, do one of the following:
Click Start, point to Programs, and click MS-DOS Prompt.
Click Start, point to Programs, click Accessories, and then click Command
Prompt.
Change to the folder that contains FixKlez.com and Chktrust.exe, and then
type
chktrust -i FixKlez.com
For example, if the
file exists in the C:\Downloads folder, enter the following commands:
cd\
cd downloads
chktrust -i FixKlez.com
4. Press Enter after
you type each command. If the digital signature is valid, you will see the
following:
Do you want to install
and run "W32.Klez Fix Tool" signed on 5/2/2002 6:50 PM and distributed
by Symantec Corporation.
NOTES:
The date and time that appear in this dialog box will be adjusted to your
time zone if your computer is not set to the Pacific time zone.
If you are using Daylight Saving Time, the time that appears will be exactly
one hour earlier.
If this dialog box does not appear, do not use your copy of FixKlez.com. It
is not from Symantec.
5. Click Yes to close
the dialog box.
6. Type exit and then press Enter to close the MS-DOS session.
Virus Particulars: W32.Klez.gen@mm
W32.Klez.gen@mm
is a mass-mailing worm that searches the Windows address book
for email addresses and sends messages to all recipients that it finds.
The worm uses its own SMTP engine to send the messages.
The subject and attachment
name of incoming emails are randomly chosen. The attachment will have one
of the following extensions: .bat, .exe, .pif or .scr.
The worm exploits
a vulnerability in Microsoft Outlook and Outlook Express in an attempt to
execute itself when you open or even preview the message. Information and
a patch for the vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
W32.Klez.gen@mm attempts to copy itself to all network shared drives that
it finds.
Depending on the variant
of the worm, the worm will drop one of the following viruses:
W32.Elkern.3326
W32.Elkern.3587
W32.Elkern.4926
which then infects the system.
Email
spoofing
Some variants of this worm use a technique known as "spoofing."
If so, the worm randomly selects an address that it finds on an infected computer.
It uses this address as the "From" address that it uses when it
performs its mass-mailing routine. Numerous cases have
been reported in which users of uninfected computers received complaints that
they sent an infected message to someone else.
For example, Linda
Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is
not using an antivirus program or does not have current virus definitions.
When W32.Klez.gen@mm performs its emailing routine, it finds the email address
of Harold Logan. It inserts Harold's email address into the "From"
portion of an infected message that it then sends to Janet Bishop. Janet then
contacts Harold and complains that he sent her an infected message, but when
Harold scans his computer, Norton AntiVirus does not find anything--as would
be expected--because his computer is not infected.
If you are using a
current version of Norton AntiVirus and you have the most recent virus definitions,
and a full system scan with Norton AntiVirus set to scan all files does not
find anything, you can be confident that your computer is not infected with
this worm.
Symantec Security
Response encourages all users and administrators to adhere to the following
basic security "best practices":
Turn off and remove
unneeded services. By default, many operating systems install auxiliary services
that are not critical, such as an FTP client, telnet, and a Web server. These
services are avenues of attack. If they are removed, blended threats have
less avenues of attack and you have fewer services to maintain through patch
updates.
If a blended threat exploits one or more network services, disable, or block
access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host
public services and are accessible through the firewall, such as HTTP, FTP,
mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password
files on compromised computers. This helps to prevent or limit damage when
a computer is compromised.
Configure your email server to block or remove email that contains file attachments
that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and
.scr files.
Isolate infected computers quickly to prevent further compromising your organization.
Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also,
do not execute software that is downloaded from the Internet unless it has
been scanned for viruses. Simply visiting a compromised Web site can cause
infection if certain browser vulnerabilities are not patched.
Virus Particulars:
W32.Klez.H@mm
W32.Klez.H@mm is a modified
variant of the worm W32.Klez.E@mm. This variant is capable of spreading by
email and network shares. It is also capable of infecting files.
Removal tool
Symantec has provided a tool to remove infections of all known variants of
W32.Klez and W32.ElKern. Click here to obtain the tool.
This is the easiest way to remove these threats and should be tried first.
Note on W32.Klez.gen@mm detections:
W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez.
Computers that are infected with W32.Klez.gen@mm have most likely been exposed
to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as
infected with W32.Klez.gen@mm, download and run the tool. In most cases, the
tool will be able to remove the infection.
Also Known As:
W32/Klez.h@MM, WORM_KLEZ.H, W32/Klez-G, I-Worm.Klez.h, Klez.H,
W32/Klez.H, Win32.Klez.H, WORM_KLEZ.I
Type: Worm
Virus Insertion:
This worm inserts the virus W32.Elkern.4926
as a file with a random name in the \%Program Files% folder and executes it.
NOTE: %Program Files% is a variable. The worm locates
the \Program Files folder (by default this is C:\Program Files and copies
the virus to that location.
Real
Virus! Click
here to get large picture