Virus Information Center

WORM_KLEZ.G (medium risk)


Virus type:   Worm
Destructive:   Yes

Aliases:
KLEZ.G, W32/Klez-G, I-Worm.W32/Klez.gen@MM

Description:
This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP
to propagate via email. The subject line of the email it arrives with is
randomly selected from a list of possible choices.

Upon execution, this worm drops files and creates an entry in the AutoRun
key of the system registry.

This worm does not execute on the Windows NT platform.

Solution:

Automatic Removal Instructions
1) Please download and run the fix tool.
   www.antivirus.com/vinfo/security/fix_worm_klez.g_3.10.com
2) Cyber Sentry requests that all users download and read the
   readme text before using this tool.
   www.antivirus.com/vinfo/security/readme_worm_klez.g_3.10.txt

Manual Removal Instructions
For Windows 95 systems:
1) Restart your computer.
2) Press the F8 key when you see the message, "Starting Windows 95."

For Windows 98/Me systems:
1) Restart your computer.
2) Press the Ctrl key until your Windows 98 startup menu appears.
3) Choose the Safe Mode option then hit the Enter key.

For Windows XP systems:
1) Restart your computer.
2) When prompted, press the F8 key. If Windows XP Professional
   starts without the “Please select the operating system to start” menu,
   restart your computer.
3) Press F8 again after the Power-On Self Test is done.
4) Choose the Safe Mode option from the Windows Advanced Options Menu.

For Windows 2000 systems:
1) Restart your computer.
2) Press the F8 key when you see the Starting Windows
   bar at the bottom of the screen.
3) Choose the Safe Mode option from the Windows 2000 Advanced Options Menu.


1) Scan your PC for viruses at
   www.antivirus.ie/index.mv?free_scan=1
   and note down all files detected as WORM_KLEZ.G.
   These infected files may be WINK*.EXE files, where * is a
   random number of random characters.
2) Click Start>Run, type Regedit then hit the Enter key.
3) In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows
     >CurrentVersion>Run
4) In the right panel, look for and then delete these registry
    values, where * stands for any random characters:
    "Wink*" = "%System%\Wink*.exe"
    "WQK" = "%System%\Wqk.exe"
5) In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
6) Under the Services key, look for and then delete this subkey:
    Wink*
7) Close the Registry Editor.
8) Restart the system.
9) Scan your PC for viruses at
   www.antivirus.ie/index.mv?free_scan=1
   and delete all files detected as WORM_KLEZ.G.
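
The registry checks in steps 3 to 6 can also be run over a text export of the registry before anything is deleted. The script below is an added example, not part of the Cyber Sentry fix tool: it assumes the registry has been exported to REGEDIT4 text, the name find_klez_entries is hypothetical, and the sample export is constructed.

```python
import re
from fnmatch import fnmatchcase

# Key paths and name patterns come from the manual removal steps (lower-cased).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
RUN_VALUE_PATTERNS = ("wink*", "wqk")
SERVICE_PATTERN = "wink*"

# Constructed sample export in REGEDIT4 text format; not from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Wink1a2b"="C:\\WINDOWS\\SYSTEM\\Wink1a2b.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink1a2b]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\Wink1a2b.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def find_klez_entries(reg_text):
    """Return (kind, name, data) for each entry the removal steps say to delete."""
    findings, key = [], ""
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            parent, _, leaf = key.rpartition("\\")
            # Step 6: a Wink* subkey directly under Services.
            if parent.lower() == SERVICES_KEY and fnmatchcase(leaf.lower(), SERVICE_PATTERN):
                findings.append(("service", leaf, None))
            continue
        m = VALUE_RE.match(line)
        # Step 4: Wink* or WQK values in the HKLM Run key.
        if m and key.lower() == RUN_KEY:
            name, data = m.group(1), m.group(2)
            if any(fnmatchcase(name.lower(), p) for p in RUN_VALUE_PATTERNS):
                if data.startswith('"') and data.endswith('"'):
                    data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
                findings.append(("run", name, data))
    return findings

if __name__ == "__main__":
    for kind, name, data in find_klez_entries(SAMPLE_EXPORT):
        print(kind, name, data or "")
```

Each reported Run value carries its data so the file path can be compared with the WINK*.EXE files noted in step 1 before the value is deleted.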

Since this worm uses a vulnerability in HTTP-based email clients like
Microsoft Outlook and Outlook Express, please apply the latest patches:
Update to Internet Explorer 5.01 SP2
www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp

Update to IE 5.5 SP2
www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp

Update to IE 6.0
www.microsoft.com/windows/ie/downloads/ie6/default.asp



 

 © 2002 Cyber Sentry Ltd. All Rights Reserved
