PC Hell: Klez Virus Removal Help

Klez Worm Virus Information and Removal Help

What is Klez Worm and How Did I Get It?

Klez was the most widespread virus in 2002, and continued its dominance of the virus world for 2 years. Its a mass-mailing worm that exploits a vulnerability that opens an executable attachment even in Microsoft Outlook's preview pane. More information about this vulnerability is available at Microsoft Security Bulletin and a security update is available at Microsoft's Security Update.

Klez employs a number of random actions that make it hard for many computer users to identify the virus when it arrives in their inboxes. The virus arrives in e-mails with varying subject lines, or sometimes appears to be a bounced e-mail or a tool that can purge Klez from an infected system. It spoofs the From line in the email, deceiving the recipient as to who sent them the virus.

Recipients of the virus-laden e-mails, not understanding that the "From" information is virtually always phony -- or even that they have received a virus -- have been clogging networks with angry and confused e-mails that are causing a great deal of cyber-havoc.

People signing up for newsletters and mailing lists that they never subscribed to has been a major source of frustration for both users and the list owners. If Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.

It obtains the email addresses that it places in the FROM: field from the infected user's address book. This causes a non-infected user to appear as the person who has sent this worm's malicious email. It does this to hide the real sender of the infected email. The actual email address of the sender is found in the Envelope From field.

The subject of the email it sends is composed in a complex manner.

The subject may contain any of the following substrings:
- how are you
- let's be friends
- darling
- so cool a flash,enjoy it
- Your password
- honey
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- questionnaire
- congratulations
- sos!
- japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls' vocal concert
- japanese lass' sexy pictures
- Undelivarable mail-“%s”
- Returned mail-“%s”
%s is a random string.
The subject may also be any of the following:
- a %s %s game
- a %s %s tool
- a %s %s Web site
- a %s %s patch
- %s removal tools
%s can be any of the following:
- new
- funny
- nice
- humour
- excite
- powful
- WinXP
- IE 6.0
- W32.Elkern
- W32.Klez.E
- Symantec
- Mcafee
- F-Secure
- Sophos
- Trendmicro
- Kaspersky

It gathers email addresses from the entries of the default Windows Address Book (WAB). The path and filename of these are identified in the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name = “<file and pathname of the WAB file>

The worm also gathers a list of addresses from the following files that are stored on the infected user’s computer:

EXE
SCR
PIF
BAT
TXT
HTM
HTML
WAB
DOC
RTF
XLS
JPG
CPP
C
PAS
MPG
MPEG
BAK
MP3
PDF

This worm also infects EXE files. To infect, it encrypts (compresses) the target file and then modifies the file extension with a random name. It also modifies the attributes of the file and sets these to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file.

This worm makes sure that its filesize is the same as that of the infected file. To do this, it pads garbage at the end of the infected file.

Similar to WORM_KLEZ.A, this new worm has several threads that accomplish its propagation and payload mechanisms. Its main features are as follows.

Dropping of PE_ELKERN.D
The worm drops a randomly named file in the ProgramFilesDir (usually C:\Program Files). Approximately 10KB in size, this program can infect files in network shared folders and disable system file protection. It can also infect EXPLORER.EXE in memory. This program is detected as PE_ELKERN.D. Oftentimes, it deletes itself after running.
- Network Infection
  This worm is capable of spreading via shared drives/folders with read/write access. To accomplish this, it enumerates all the shared resources of the network. For shared folders with read/write access, it copies itself to files with randomly generated filenames. The dropped files have the following extensions:
  - .EXE
  - .PIF
  - COM
  - BAT
  - SCR
  - RAR
  Occasionally, this worm copies itself to a random filename double extensions. The first extension name can be any of the following:
  - EXE
  - SCR
  - PIF
  - BAT
  - TXT
  - HTM
  - HTML
  - WAB
  - DOC
  - RTF
  - XLS
  - JPG
  - CPP
  - C
  - PAS
  - MPG
  - MPEG
  - BAK
  - MP3
  - PDF
  The second extension can be any of the extension names first listed.
  It then constructs the HTML mail, which contains the base64 encoded worm copy. It randomly generates the filename of the attachment.
  
  It obtains its SMTP server from the registry as follows:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft
  Internet Account Manager\Accounts\, SMTP Server
  
  It then sends out to the SMTP server commands to create and send an email. The actual subject and body of the email may be randomly composed.
  
  It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.
  
  The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi so that when recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook.
  
  More information about this vulnerability is available at Microsoft’s Security Bulletin.
- Antivirus Retaliation Procedure
  The worm disables the running processes, and occasionally deletes the executable files of programs associated with the following names of antivirus products:
  - _AVP32
  - _AVPCC
  - NOD32
  - NPSSVC
  - NRESQ32
  - NSCHED32
  - NSCHEDNT
  - NSPLUGIN
  - NAV
  - NAVAPSVC
  - NAVAPW32
  - NAVLU32
  - NAVRUNR
  - NAVW32
  - _AVPM
  - ALERTSVC
  - AMON
  - AVP32
  - AVPCC
  - AVPM
  - N32SCANW
  - NAVWNT
  - ANTIVIR
  - AVPUPD
  - AVGCTRL
  - AVWIN95
  - SCAN32
  - VSHWIN32
  - F-STOPW
  - F-PROT95
  - ACKWIN32
  - VETTRAY
  - VET95
  - SWEEP95
  - PCCWIN98
  - IOMON98
  - AVPTC
  - AVE32
  - AVCONSOL
  - FP-WIN
  - DVP95
  - F-AGNT95
  - CLAW95
  - NVC95
  - *SCAN* (any character can be in place of *)
  - *VIRUS* (* is any character)
  - LOCKDOWN2000
  - Norton
  - Mcafee
  - Antivir
  - TASKMGR
  The worm also scans for the above strings, and deletes them if found as values in the following registry key:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\
  Windows\CurrentVersion\Run
  
  Finally, the worm searches for and then deletes the following files:
  - ANTI-VIR.DAT
  - CHKLIST.DAT
  - CHKLIST.MS
  - CHKLIST.CPS
  - CHKLIST.TAV
  - IVB.NTZ
  - SMARTCHK.MS
  - SMARTCHK.CPS
  - AVGQT.DAT
  - AGUARD.DAT

How to Clean/Delete the Klez Worm?

The Klez worm should be cleaned from your system by using a virus removal tool offered by Symantec. Click below to read about and download the Klez virus removal tool.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

Because the Klez virus often disables or corrupts antivirus software running on the infected computer. You should reinstall your antivirus software after cleaning the Klez virus from your system.