JSI Tip 6197. How do I identify, recover from, and prevent infections from the W32.Klez worm virus?

Jerold Schulman

January 8, 2003


NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q811010 contains:

SUMMARY

This article describes how to determine if your computer is infected with the W32.Klez.gen@mm (W32.Klez) worm virus, how to recover from an infection, and how to prevent future infections with this virus.

W32.Klez is a mass-mailing worm that searches for e-mail addresses and sends messages to all the recipients that it finds. The subject and attachment name of the e-mail messages are randomly chosen. The attachment has one of the following extensions:

  • .bat

  • .exe

  • .pif

  • .scr

The worm exploits a vulnerability in the MIME handling of Internet Explorer, which Outlook and Outlook Express use to render HTML e-mail, that was first fixed in the following Microsoft Security Bulletin:
Microsoft Security Bulletin MS01-020
An attachment whose MIME Content-Type header does not match its contents is handled according to the header, so the worm runs when you open or preview the e-mail message. You do not have to open the attachment for the worm to run. For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:
290108 Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment
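The attachment-extension list and the MIME-header vulnerability above describe what a mail gateway should refuse. The following Python script is an added example and is not part of the Knowledge Base article: it parses a message, flags any attachment part that has one of the listed extensions, whose decoded payload starts with the MZ executable header, or whose declared Content-Type is a media type a client would render or play inline while the content is executable (the pattern MS01-020 fixed). The sample messages are constructed inside the script; the audio/x-wav label and the MZ stub are this example's choices, not data taken from the article.

```python
"""Mail-gateway check for Klez-style attachments (added example, not from the KB article)."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List

# Attachment extensions the article lists for the worm.
EXECUTABLE_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}
# Top-level media types a mail client renders or plays without asking. Labelling an
# executable with such a type (audio/x-wav was a common choice in the wild; this
# example's assumption, not a list from the article) makes a vulnerable client handle
# it by the declared type instead of by the file name.
AUTO_HANDLED_MAINTYPES = {"audio", "image", "video", "text"}


def inspect_attachments(raw_message: bytes) -> List[Dict[str, object]]:
    """Return one finding per attachment-like part, with the reasons it is suspicious."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_maintype() == "text":
            continue  # ordinary message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename or "")[1].lower()
        looks_executable = payload.startswith(b"MZ")  # DOS/PE executable header
        reasons: List[str] = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension")
        if looks_executable:
            reasons.append("MZ header")
        # The MS01-020 pattern: executable content behind an inline-rendered media type.
        if (ext in EXECUTABLE_EXTENSIONS or looks_executable) and \
                part.get_content_maintype() in AUTO_HANDLED_MAINTYPES:
            reasons.append("MIME type mismatch")
        findings.append({"filename": filename,
                         "content_type": part.get_content_type(),
                         "reasons": reasons})
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Quarantine when any attachment part has at least one reason."""
    return any(f["reasons"] for f in inspect_attachments(raw_message))


def build_sample(malicious: bool) -> bytes:
    """Constructed test message; the 'executable' is an MZ stub, not a real program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See the attachment.")
    if malicious:
        stub = b"MZ" + b"\x00" * 62 + b"not a real executable"
        # Declared as audio/x-wav but named and shaped like an executable.
        msg.add_attachment(stub, maintype="audio", subtype="x-wav", filename="setup.exe")
    else:
        msg.add_attachment("Quarterly notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for label, raw in (("malicious", build_sample(True)), ("clean", build_sample(False))):
        print(label, "quarantine" if should_quarantine(raw) else "deliver",
              inspect_attachments(raw))
```

The MZ check catches an executable that has been renamed, and the extension check catches .bat and .pif files that carry no MZ header; a gateway needs both. The script looks only at top-level parts, so an executable inside an archive attachment is not covered, which is outside what the article describes.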

MORE INFORMATION

Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For a list of antivirus software manufacturers, click the following article number to view the article in the Microsoft Knowledge Base:
49500 List of Antivirus Software Vendors

Symptoms of W32.Klez Infection

  • Antivirus software indicates W32.Klez.gen@mm is present.

  • Programs do not function as expected or they stop unexpectedly, for example:

    • When you use Microsoft Word, the computer stops responding (hangs).

    • Microsoft Office programs such as Word and Microsoft Excel must use a converter to display the file correctly.

    • You receive the following error message when you start a program: Starting, not enough memory to start certain program

  • Windows-based programs run very slowly.

  • Documents do not open properly, or when they open, they do not contain all the correct information.

  • You cannot start Windows Task Manager.

    Note To start Task Manager, right-click a blank area of the taskbar, and then click Task Manager.

  • Your antivirus program no longer runs.

  • A file named Krn132.exe exists in the C:\Windows\System folder.

  • There is a reference to a file named Winkxxx.exe in a registry key (where xxx is a random value). To confirm this behavior:

    1. Quit all running programs.

    2. Click Start, click Run, type msconfig in the Open box, and then click OK.

    3. Click the Services tab, and then click to select the Hide All Microsoft Services check box.

    4. In the list of running services, determine if the following service is running:

      • Winkxxx, where xxx is two to three random characters appended to the word Wink, for example, Winkap, Winkzfu, or Winknwk.

Recovering from and Preventing a W32.Klez Infection

  1. Scan your computer with an updated antivirus program. If you do not have an antivirus program installed, Trend Micro, Inc. offers a free online virus scanning service at the following Trend Micro Web site:
    http://housecall.trendmicro.com/housecall/start_corp.asp

  2. Run a W32.Klez removal tool. A number of antivirus vendors offer free tools to remove W32.Klez infections.

    These tools perform the following tasks:

    • They quit all processes used by the virus.

    • They delete (or repair if possible) any infected files.

    • They remove registry entries created by the virus.

    • They detect any suspicious activities or infections.

  3. If you are running a version of Internet Explorer earlier than Internet Explorer 5.01 Service Pack 2 (SP2), install the update that is described at the following Microsoft Web site (Internet Explorer 5.5 needs its own SP2 for the same fix; Internet Explorer 6 already includes it):
    Microsoft Security Bulletin MS01-020
    For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:
    290108 Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment
    To obtain all the latest security patches, visit the following Windows Update Web site:
    http://windowsupdate.microsoft.com

  4. Reinstall your antivirus program (if it stopped working).

  5. Make sure your antivirus software is up to date, and then re-scan your computer to make sure that the virus has been removed completely. For a list of antivirus vendors, click the article number below to view the article in the Microsoft Knowledge Base:
    49500 List of Antivirus Software Vendors

  6. Turn off Active Scripting in Outlook and Outlook Express.

    Outlook Express 4.x

    1. Start Outlook Express.

    2. On the Tools menu, click Options.

    3. On the Security tab, click Restricted sites zone in the Zone box, and then click Settings.

    4. When you are notified that you are about to change the security settings, click OK.

    5. Click Custom (for expert users).

    6. Click Disable under Active scripting in the Scripting area.

    7. Click OK, click OK, and then click OK.

    Outlook Express 5.x

    1. Start Outlook Express.

    2. On the Tools menu, click Options.

    3. On the Security tab, click Restricted sites zone, and then click OK.

    4. Start Internet Explorer.

    5. On the Tools menu, click Internet Options.

    6. On the Security tab, click Restricted sites, and then click Custom Level.

    7. Click Disable under Active Scripting in the Scripting area.

    8. Click OK, click Yes if you are prompted, and then click OK.

    Outlook Express 6.x

    1. Start Outlook Express.

    2. On the Tools menu, click Options.

    3. On the Security tab, under Virus Protection, click Restricted Sites Zone (More secure) under Select the Internet Explorer security zone to use. The Internet Zone (Less secure, but more functional) choice uses the Internet zone settings, in which Active Scripting is enabled by default, so it does not give the protection this step is for.

    4. Click to select the Warn me when other applications try to send mail as me check box.

    5. Click to select the Do not allow attachments to be saved or opened that could potentially be a virus check box.

    6. Click OK.

    Outlook 2000 and 2002

    1. Start Outlook.

    2. On the Tools menu, click Options.

    3. On the Security tab, click Restricted sites in the Zone box, and then click OK.

    4. Click Zone Settings.

    5. Click OK to confirm that you want to change Internet Explorer security settings.

    6. On the Security tab, click Restricted sites, and then click Custom Level.

    7. Click Disable under Active Scripting in the Scripting area.

    8. Click OK, click Yes if you are prompted, and then click OK.

    9. Click OK.

    10. Hide the Preview pane (if it is visible). To do so, click View, and then click Preview Pane.

    11. If you are using Outlook 2000 Service Pack 1 (SP1) or an earlier version of Outlook, install the Outlook E-mail Security Update. For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:
      235309 Outlook E-mail Attachment Security Update
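After the recovery steps above, a practitioner wants to confirm that the indicators from the Symptoms section are gone and that step 6 took effect. The following Python script is an added example and is not part of the Knowledge Base article. It checks for Krn132.exe and Wink*.exe in the System folder, for a service or Run-key entry named Wink plus two or three letters, and for Active Scripting being disabled in the Restricted sites zone. The zone key path, action number 1400 and the value 3 meaning Disable are standard Internet Explorer registry settings; looking in the System32 folder as well, in both Run keys, and in HKEY_CURRENT_USER for the zone setting is this example's assumption. The matching functions run anywhere on the constructed sample data; the live collection needs Windows.

```python
"""Post-recovery check for W32.Klez indicators (added example, not from the KB article)."""
import os
import re
import sys
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Indicators from the article: Krn132.exe dropped in the System folder, and a
# service or startup entry named "Wink" plus two or three random letters.
DROPPED_FILES = {"krn132.exe"}
WINK_NAME = re.compile(r"^wink[a-z]{2,3}$", re.IGNORECASE)
WINK_IMAGE = re.compile(r'(?:^|[\\/"])wink[a-z]{2,3}\.exe\b', re.IGNORECASE)

# Internet Explorer zone 4 is "Restricted sites"; action 1400 is Active Scripting
# (0 = enable, 1 = prompt, 3 = disable). Reading it from HKEY_CURRENT_USER is this
# example's assumption; Security_HKLM_only installations keep it under HKLM.
RESTRICTED_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
ACTIVE_SCRIPTING_ACTION = "1400"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def suspicious_file_names(names: Iterable[str]) -> List[str]:
    """Return file names that match the worm's dropped-file patterns."""
    return [n for n in names if n.lower() in DROPPED_FILES or WINK_IMAGE.search(n)]


def suspicious_startup_entries(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag (name, command) pairs whose name or command points at a Wink*.exe binary."""
    return [(name, cmd) for name, cmd in entries
            if WINK_NAME.match(name) or WINK_IMAGE.search(cmd)]


def active_scripting_disabled(action_value: Optional[int]) -> bool:
    """True only when the zone action is 3 (Disable); None means the value is absent."""
    return action_value == 3


def _enum_values(hive: int, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (value name, data) for every value under a registry key; Windows only."""
    import winreg
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:
        return
    with key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                return
            index += 1
            yield name, str(data)


def _enum_services() -> Iterator[Tuple[str, str]]:
    """Yield (service name, ImagePath) from the services registry tree; Windows only."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                return
            index += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    image, _ = winreg.QueryValueEx(sub, "ImagePath")
            except OSError:
                image = ""
            yield name, str(image)


def collect_windows_indicators() -> Dict[str, object]:
    """Run all checks against the live system (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live checks need Windows; the pure functions work on exported data")
    import winreg
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    names: List[str] = []
    for sub in ("System", "System32"):  # System32 added as this example's assumption
        folder = os.path.join(system_root, sub)
        if os.path.isdir(folder):
            names.extend(os.listdir(folder))
    startup = [entry for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER)
               for entry in _enum_values(hive, RUN_KEY)]
    scripting: Optional[int] = None
    for name, data in _enum_values(winreg.HKEY_CURRENT_USER, RESTRICTED_ZONE_KEY):
        if name == ACTIVE_SCRIPTING_ACTION:
            scripting = int(data)
    return {"files": suspicious_file_names(names),
            "services": suspicious_startup_entries(_enum_services()),
            "run_keys": suspicious_startup_entries(startup),
            "restricted_zone_scripting_disabled": active_scripting_disabled(scripting)}


if __name__ == "__main__":
    for key, value in collect_windows_indicators().items():
        print(f"{key}: {value}")
```

Any entry under files, services or run_keys means the cleanup is not finished, and False for the zone setting means the Active Scripting change in step 6 did not apply to the profile the script ran under. The service list comes from the registry rather than from msconfig, so it also shows entries that are stopped.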

REFERENCES

For additional information about this virus, click the following article number to view the article in the Microsoft Knowledge Base:
316658 OL2000: VIRUS ALERT: The w32.klez.e@mm "Klez" Virus

323037 WD: Text Is Displayed as Unreadable Symbols When You Open a Document
For information about this virus, visit the following third-party Web sites:

McAfee
http://vil.nai.com/vil/content/v_99455.htm
http://vil.nai.com/vil/content/v_99367.htm
http://vil.nai.com/vil/content/v_99237.htm

Norman
http://www.norman.com/virus_info/w32_klez_a_mm.shtml

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

F-Secure
http://www.europe.f-secure.com/v-descs/klez_h.shtml
http://www.europe.f-secure.com/v-descs/klez_e.shtml

Sophos
http://www.sophos.com/virusinfo/analyses/w32kleze.html

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


