Microsoft KB Archive/811010

= How to Identify, Recover from, and Prevent Infections from the W32.Klez Worm Virus =

PSS ID Number: 811010

Article Last Modified on 11/7/2003

-

The information in this article applies to:


 * Microsoft Windows 98
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows Millennium Edition
 * Microsoft Windows NT Server 4.0
 * Microsoft Windows NT Workstation 4.0
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition

-



SUMMARY
This article describes how to determine if your computer is infected with the W32.Klez.gen@mm (W32.Klez) worm virus, how to recover from an infection, and how to prevent future infections with this virus.

W32.Klez is a mass-mailing worm that searches for e-mail addresses and sends messages to all the recipients that it finds. The subject and attachment name of the e-mail messages are randomly chosen. The attachment has one of the following extensions:
 * .bat
 * .exe
 * .pif
 * .scr

The worm exploits a vulnerability in the way Internet Explorer processes MIME headers in HTML e-mail messages. Because Outlook and Outlook Express use the Internet Explorer rendering engine to display HTML e-mail, both programs are affected. The vulnerability was first fixed in the following Microsoft Security Bulletin:

Microsoft Security Bulletin MS01-020

The worm tries to run itself when you open or preview the e-mail message. You do not have to open the attachment for the worm to run. For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:

290108 Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment
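The following script is an added example and is not part of this Knowledge Base article or of any Microsoft tool. It shows, on a constructed message (not a captured copy of the worm), the kind of mail-gateway check that catches the delivery pattern described in MS01-020 and KB 290108: an attachment whose MIME header declares a harmless type such as audio/x-wav while the part's file name has one of the extensions listed above, or while the part's content is actually a PE executable (it starts with the bytes "MZ"). The sample also embeds the part in the HTML body through an IFRAME with a cid: URL so that it is processed when the message is rendered; that detail, the example message, the boundary string, the addresses and all function names are assumptions of the example, not facts stated in this article.

```python
import base64
import email
import re
from email import policy

# Attachment extensions this article lists for the worm.
EXECUTABLE_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}

# Declared top-level MIME types under which executable content is clearly mislabelled.
NON_EXECUTABLE_TOP_LEVEL_TYPES = {"audio", "image", "text", "video"}

# Constructed sample (not a captured worm message): an HTML body that embeds the
# second part through an IFRAME cid: reference, and an executable part whose
# Content-Type header claims audio/x-wav. The payload is a fake PE stub.
FAKE_PE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode("ascii")
SAMPLE_MESSAGE = f"""From: sender@example.test
To: victim@example.test
Subject: a very funny website
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_SAMPLE_BOUNDARY"

------=_SAMPLE_BOUNDARY
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><iframe src="cid:attached-part" width="0" height="0"></iframe></body></html>
------=_SAMPLE_BOUNDARY
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-ID: <attached-part>

{FAKE_PE}
------=_SAMPLE_BOUNDARY--
"""

# Constructed benign message for comparison.
BENIGN_MESSAGE = """From: colleague@example.test
To: victim@example.test
Subject: minutes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

See you at the meeting.
"""


def _extension(filename):
    """Lower-cased extension of a part's file name, or '' if there is none."""
    match = re.search(r"(\.[A-Za-z0-9]+)$", filename)
    return match.group(1).lower() if match else ""


def _inline_cid_references(msg):
    """Content-IDs that any HTML part pulls in through a src="cid:..." attribute."""
    cids = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            cids.update(re.findall(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", html, re.I))
    return cids


def find_suspicious_parts(raw_message):
    """Return [(filename, declared_type, [reasons])] for parts matching the pattern."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    inline_cids = _inline_cid_references(msg)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ext = _extension(filename)
        declared = part.get_content_type()
        top_level = declared.split("/", 1)[0]
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # 1. Executable file name, but a header that claims a harmless type.
        if ext in EXECUTABLE_EXTENSIONS and top_level in NON_EXECUTABLE_TOP_LEVEL_TYPES:
            reasons.append(f"executable name {filename!r} declared as {declared}")
        # 2. The content is a PE image ('MZ') no matter what the header says.
        if payload.startswith(b"MZ") and top_level in NON_EXECUTABLE_TOP_LEVEL_TYPES:
            reasons.append(f"PE image declared as {declared}")
        # 3. An HTML body embeds this part inline, so it is processed on preview.
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid and cid in inline_cids and (ext in EXECUTABLE_EXTENSIONS or payload.startswith(b"MZ")):
            reasons.append(f"embedded inline from HTML body via cid:{cid}")
        if reasons:
            findings.append((filename, declared, reasons))
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        for filename, declared, reasons in find_suspicious_parts(raw):
            print(f"{name}: {filename} ({declared})")
            for reason in reasons:
                print(f"  - {reason}")
```

Check 2 matters because a filter that looks only at the file name extension, which is what the "Do not allow attachments to be saved or opened that could potentially be a virus" option in Outlook Express 6 amounts to, misses executable content that is given a harmless name; inspecting the decoded bytes catches it regardless of the declared type.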



MORE INFORMATION
Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For a list of antivirus software manufacturers, click the following article number to view the article in the Microsoft Knowledge Base:

49500 List of Antivirus Software Vendors

Symptoms of W32.Klez Infection
 * Antivirus software indicates W32.Klez.gen@mm is present.
 * Programs do not function as expected or they stop unexpectedly, for example:
   * When you use Microsoft Word, the computer stops responding (hangs).
   * Microsoft Office programs such as Word and Microsoft Excel must use a converter to display the file correctly.
   * You receive the following error message when you start a program:

Starting, not enough memory to start certain program

 * Windows-based programs run very slowly.
 * Documents do not open properly, or when they open, they do not contain all the correct information.
 * You cannot start Windows Task Manager.

Note To start Task Manager, right-click a blank area of the taskbar, and then click Task Manager.

 * Your antivirus program no longer runs.
 * A file named Krn132.exe exists in the C:\Windows\System folder.
 * A registry key refers to an .exe file whose name is the word Wink followed by random characters. To confirm this behavior:
   1. Quit all running programs.
   2. Click Start, click Run, type msconfig in the Open box, and then click OK.
   3. Click the Services tab, and then click to select the Hide All Microsoft Services check box.
   4. In the list of running services, determine whether a service named Wink followed by two or three random characters is running, for example, Winkap, Winkzfu, or Winknwk.

Recovering from and Preventing a W32.Klez Infection
1. Scan your computer with an updated antivirus program. If you do not have an antivirus program installed, Trend Micro, Inc. offers a free online virus scanning service at the following Trend Micro Web site:

http://housecall.trendmicro.com/housecall/start_corp.asp

2. Run a W32.Klez removal tool. A number of antivirus vendors offer free tools to remove W32.Klez virus infections. The following list describes two ways to obtain these tools:
 * Visit the following Symantec Web site:

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

 * Download, extract, and then run the following F-Secure tool:

ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip

These tools perform the following tasks:
 * They quit all processes used by the virus.
 * They delete (or repair if possible) any infected files.
 * They remove registry entries created by the virus.
 * They detect any suspicious activities or infections.

3. If you are running a version of Internet Explorer that does not include the MS01-020 fix (for example, a version earlier than Internet Explorer 5.01 Service Pack 2 (SP2)), install the update that is described at the following Microsoft Web site:

Microsoft Security Bulletin MS01-020

For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:

290108 Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment

To obtain all the latest security patches, visit the following Windows Update Web site:

http://windowsupdate.microsoft.com

4. Reinstall your antivirus program (if it stopped working).

5. Make sure your antivirus software is up to date, and then re-scan your computer to make sure that the virus has been removed completely. For a list of antivirus vendors, click the article number below to view the article in the Microsoft Knowledge Base:

49500 List of Antivirus Software Vendors

6. Turn off Active Scripting in Outlook and Outlook Express. Note that Internet Explorer security zone settings are shared: the zone that Outlook and Outlook Express use for e-mail is configured in the mail program, but the Active Scripting setting for that zone is made in Internet Explorer.

Outlook Express 4.x
 a. Start Outlook Express.
 b. On the Tools menu, click Options.
 c. On the Security tab, click Restricted sites zone in the Zone box, and then click Settings.
 d. When you are notified that you are about to change the security settings, click OK.
 e. Click Custom (for expert users).
 f. Click Disable under Active scripting in the Scripting area.
 g. Click OK, click OK, and then click OK.

Outlook Express 5.x
 a. Start Outlook Express.
 b. On the Tools menu, click Options.
 c. On the Security tab, click Restricted sites zone, and then click OK.
 d. Start Internet Explorer.
 e. On the Tools menu, click Internet Options.
 f. On the Security tab, click Restricted sites, and then click Custom Level.
 g. Click Disable under Active Scripting in the Scripting area.
 h. Click OK, click Yes if you are prompted, and then click OK.

Outlook Express 6.x
 a. Start Outlook Express.
 b. On the Tools menu, click Options.
 c. On the Security tab, under Virus Protection, click either Restricted Sites Zone (More secure) or Internet Zone (Less secure, but more functional) under Select the Internet Explorer security zone to use.
 d. Click to select the Warn me when other applications try to send mail as me check box.
 e. Click to select the Do not allow attachments to be saved or opened that could potentially be a virus check box.
 f. Click OK.

Outlook 2000 and 2002
 a. Start Outlook.
 b. On the Tools menu, click Options.
 c. On the Security tab, click Restricted sites in the Zone box, and then click OK.
 d. Click Zone Settings.
 e. Click OK to confirm that you want to change Internet Explorer security settings.
 f. On the Security tab, click Restricted sites, and then click Custom Level.
 g. Click Disable under Active Scripting in the Scripting area.
 h. Click OK, click Yes if you are prompted, and then click OK.
 i. Click OK.
 j. Hide the Preview pane (if it is visible). To do so, click View, and then click Preview Pane.
 k. If you are using Outlook 2000 Service Pack 1 (SP1) or an earlier version of Outlook, install the Outlook E-mail Security Update. For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:

235309 Outlook E-mail Attachment Security Update

REFERENCES
Vendor descriptions of the worm variants:

McAfee
http://vil.nai.com/vil/content/v_99455.htm

http://vil.nai.com/vil/content/v_99367.htm

http://vil.nai.com/vil/content/v_99237.htm

Norman
http://www.norman.com/virus_info/w32_klez_a_mm.shtml

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.a@mm.html

F-Secure
http://www.europe.f-secure.com/v-descs/klez_h.shtml

http://www.europe.f-secure.com/v-descs/klez_e.shtml

Sophos
http://www.sophos.com/virusinfo/analyses/w32klez.html

http://www.sophos.com/virusinfo/analyses/w32kleze.html

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Additional query words: W32/Klez.e@MM, W32/Klez.h@MM, W32/Klez.gen@MM, WORM_KLEZ.E, WORM_KLEZ.G, I-Worm.Klez.e, I-Worm.Klez.h, W32/Klez-E, W32/Klez-G, W32/Klez-H Klaz TROJ_KLEZ.C W32.Klez.D@mmW32/Klez W32/Klez.a@MM W32/Klez.b@MM W32/Klez.dam W32/Klez.eml W32/Klez@MM Win32.Klez.D@mm

Keywords: kbinfo KB811010

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWin98 kbWin98SE kbWin98search kbWin98SEsearch kbWinAdvServSearch kbWinDataServSearch kbWinME kbWinMEsearch kbWinNT400search kbWinNTS400 kbWinNTS400search kbWinNTsearch kbWinNTSsearch kbWinNTW400 kbWinNTW400search kbWinNTWsearch kbWinXPHome kbWinXPHomeSearch kbWinXPPro kbWinXPProSearch kbWinXPSearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.