Virus Information Center
WORM_KLEZ.H (low risk)
Virus type: Worm
Destructive: Yes
Aliases:
W32/Klez-G, I-Worm.Klez.h, I-Worm.W32/Klez.gen@MM, W32.Klez.H@mm
Description:
This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP
to propagate via email. The subject line of the email it arrives with is
randomly selected from a list of possible choices. See Tech Details for more
information.
www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H&VSect=T
Upon execution, this worm drops files and creates an entry in the AutoRun
key of the system registry. It also infects EXE files. To infect a file, it
encrypts (compresses) the target, replaces the file extension with a random
name, and sets the file's attributes to Read-only, Hidden, System, and
Archive. The worm then copies itself to the original filename of the
infected file.
This worm makes sure that its file size is the same as that of the infected
file. To do this, it pads garbage at the end of the infected file.
This worm does not perform its Antivirus Retaliation routine on machines
running NT 4.0 or lower, because the system functions or APIs it uses to
kill antivirus-related processes are unavailable on those systems.
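The infection routine described above leaves a recognizable pattern on disk: an EXE file next to a sibling with a different extension that carries all four Read-only, Hidden, System, and Archive attributes. The following is an added example, not Trend Micro's code, that flags such pairs as a triage heuristic; it assumes the renamed original keeps its base name, and the function names and sample listing are constructed for illustration.

```python
import os
import stat
from collections import defaultdict

# Read-only + Hidden + System + Archive, the attribute set named in the description.
RHSA = (stat.FILE_ATTRIBUTE_READONLY | stat.FILE_ATTRIBUTE_HIDDEN |
        stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_ARCHIVE)


def find_suspect_pairs(entries):
    """Return sorted (exe_name, companion_name) pairs from (name, attrs) records.

    A pair is flagged when an .exe shares its base name (assumption) with a
    sibling that has another extension and all four RHSA attribute bits set.
    """
    by_stem = defaultdict(list)
    for name, attrs in entries:
        stem, ext = os.path.splitext(name.lower())
        by_stem[stem].append((name, ext, attrs))

    pairs = []
    for files in by_stem.values():
        exes = [n for n, ext, _ in files if ext == ".exe"]
        companions = [n for n, ext, a in files
                      if ext not in ("", ".exe") and (a & RHSA) == RHSA]
        pairs.extend((e, c) for e in exes for c in companions)
    return sorted(pairs)


def scan_dir(path):
    """Windows only: read file attributes in one directory and check them."""
    entries = [(e.name, e.stat().st_file_attributes)
               for e in os.scandir(path) if e.is_file()]
    return find_suspect_pairs(entries)


# Constructed sample listing (file names and attribute values are made up).
SAMPLE = [
    ("notepad.exe", stat.FILE_ATTRIBUTE_ARCHIVE),
    ("notepad.qxk", RHSA),                       # hidden same-name companion
    ("calc.exe", stat.FILE_ATTRIBUTE_ARCHIVE),
    ("calc.hlp", stat.FILE_ATTRIBUTE_ARCHIVE),   # ordinary sibling, not flagged
    ("setup.exe", stat.FILE_ATTRIBUTE_ARCHIVE),
    ("boot.ini", RHSA),                          # RHSA set, but no matching .exe
]

if __name__ == "__main__":
    for exe, companion in find_suspect_pairs(SAMPLE):
        print(f"{exe}: hidden companion {companion}")
```

A match is only an indicator for closer inspection with a scanner or the fix tool, since legitimate software can also ship hidden system files beside an executable.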
Solution:
Automatic Removal Instructions
1) Please download and run the fix tool.
www.antivirus.com/vinfo/security/fix_worm_klez_3.11.zip
Trend Micro requests that all users download and
read the readme text before using this tool.
www.antivirus.com/vinfo/security/readme_worm_klez_3.11.txt