October 7, 2002



Mini-dossier: Klez email-based virus - How to remove

 

Klez Virus - General Information, Symptoms and Treatment

W32/Klez.I is a worm designed to propagate via e-mail by sending itself out to all the contacts found in the Address Book. The worm reaches systems as an e-mail attachment with a variable name and extension. This worm has been programmed to end certain processes as well as to delete certain files.

When W32/Klez.I is activated, it creates a file in the Windows/System folder, which turns out to be a copy of the worm. In addition, it creates another file in the Program Files folder. This file turns out to be a virus (detected as W32/Elkern.C) which infects files found on all drives available on infected systems, from A: to Z:. Moreover, the worm can disable some antivirus programs.

Symantec's site, for example, gives the following description of the symptoms of the W32.Klez.E@mm virus:

"Linda Anderson is using a computer that is infected with W32.Klez.E@mm. Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected."

More info at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Aliases: W32/Klez.G@mm, W32/Klez.gen@MM, W32/Klez.K-mm, WORM_KLEZ.G, W32/Klez.H

W32/Klez.I is a mass-mailing worm written in Visual C++ which sends itself out to all of the contacts in the Windows Address Book (WAB). The messages sent can have variable characteristics.

The worm has been programmed to end certain processes on affected computers, as well as to delete files. Some of the files that this worm deletes may correspond to antivirus products.

This worm takes advantage of a Microsoft Internet Explorer vulnerability, already exploited by other worms, which could allow attached files to be run automatically simply by opening the corresponding message or viewing it through Outlook's preview pane.

For further information about this vulnerability and the corresponding patch visit the following Microsoft web page:

http://www.microsoft.com/technet/security/bulletin/MS01-020.ASP
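
An added example, not from the original article or from any vendor named in it: a mail-gateway style check for the condition MS01-020 covers ("Incorrect MIME Header Can Cause IE to Execute E-mail Attachment"), where an attachment is declared as inline media but carries an executable file name. The extension list, the function name and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Assumed list of directly runnable Windows extensions (not from the article).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}
# Major types a vulnerable client would render inline instead of prompting.
INLINE_MAJOR_TYPES = {"audio", "video", "image"}


def suspicious_parts(raw_message: bytes):
    """Return (filename, declared_type) for every part that claims to be
    inline media while its file name ends in an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition, then Content-Type "name".
        filename = part.get_filename()
        if not filename:
            continue
        name = filename.strip().lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in INLINE_MAJOR_TYPES:
            findings.append((filename, part.get_content_type()))
    return findings


# Constructed sample message: no real payload, the address is a placeholder.
SAMPLE = b"\r\n".join([
    b"From: harold@example.com",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b'Content-Type: audio/x-wav; name="setup.exe"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"AAAA",
    b"--b1",
    b'Content-Type: image/jpeg; name="photo.jpg"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"AAAA",
    b"--b1--",
    b"",
])

print(suspicious_parts(SAMPLE))
```

The check only flags the type/extension mismatch; an executable honestly declared as `application/octet-stream` passes it and needs a separate attachment policy. The "From:" line is deliberately ignored, since the worm fills it with addresses harvested from other machines.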

.........................................
How to Diagnose a Klez Virus Infection

You can find out if your computer is infected by taking the following steps:

Use Panda Software's free online scanning tool, ActiveScan, at:
http://www.pandasoftware.com
Click on the animated box in the right column that says:
"FREE virus check online - Panda Activescan".

For further detailed info about the Klez virus, symptoms, damages, and ways to verify its presence and to eradicate it, please refer to:

http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=EV2FichaVirus&idVirusFicha=2646&pestanaFicha=1&idioma=2

.........................................
How to Remove and Disinfect Your Computer From the Klez Virus

Computers not connected to a network, as well as computers connected to small networks (workstations and servers)

If you have received this worm by e-mail and the antivirus detected it, please delete the message you received from the Inbox and the Deleted Items folders.

Follow the steps below to disinfect W32/Klez.I automatically.

Access this URL, which is normally protected by a registration form. I am giving the direct link so that you do not have to give your name/email to access this info:
http://www.pandasecurity.com/utilities/klez-i.htm

Download the PQREMOVE.COM file and save it to a directory of your choice.

Click on the file you just downloaded to run the application.
Then, follow the instructions provided. After scanning the system with PQREMOVE, your computer will be disinfected. If you have a computer network, disconnect the network cable from the workstations and servers that comprise it. In this way, you will prevent reinfection of any of these elements during the disinfection process.


NOTE: If PQRemove does not find this virus on your computer, the virus might be inactive or might not be present at all. If there are any .VIR files on your computer, just delete them.

Also check:
http://www.pandasoftware.es/library/W32KlezI_en.htm

and
http://www.f-secure.com/v-descs/klez_e.shtml

.........................................
How to Remove the Klez Virus from Microsoft Windows Me systems

On Windows Millennium systems it may happen that, after a virus has been eliminated, the antivirus keeps detecting it in the _restore folder over and over again, without deleting it. This situation, caused by a special feature in Windows Millennium, does not pose any danger. However, it may raise alarm among users not used to working with the _restore folder.

Follow the steps below to remove the virus and solve this problem:

Click on Start.
Go to Configuration.
Click on Control Panel.
Double-click on System.
Click on the Performance tab.
Click on File Systems.
Click on the Troubleshooting tab.
Check the Disable System Restore checkbox.
Click on Apply.
Uncheck the Disable System Restore checkbox.
Click on Apply.
Click on Accept.

You will be asked if you wish to restart the computer. Once you restart it, the virus will have been eliminated for good.

posted by Robin Good on Monday, October 7 2002, updated on Saturday, January 21 2006


 

 

 

 

This work is licensed under a Creative Commons License.




