Dealing with the Klez worm outbreak!

Question

I have had several people tell me that I am sending them the Klez worm. What is it and what do I do to get rid of it?

-Josh

Answer

This question was answered on May 6, 2002. Much of the information contained herein may have changed since posting.

We first warned of this worm outbreak in our weekly newsletter on April 17th, and we have seen a dramatic increase in the number of infected computers since. Sophos, a British anti-virus company, reports that 77.8% of all virus infections in the month of April were from the Klez worm family.

There are many variants of the Klez worm, most of which are spreading very quickly because of the way they are written. They take advantage of a year-old vulnerability in the MIME handling that Outlook and Outlook Express inherit from Internet Explorer (Microsoft bulletin MS01-020, March 2001): an attachment whose header declares a harmless type such as audio/x-wav is launched automatically when the message is opened or shown in the preview pane. This means un-patched versions of Outlook and Outlook Express can contract this worm without the user ever opening the attached file.

E-mail programs other than Outlook and Outlook Express are not subject to this vulnerability, but if the user opens the attached file, the same infection will occur.

The Klez worm searches your entire hard drive for e-mail addresses in over 20 different file types, such as text files, spreadsheets, documents and address books.

Once it has compiled a list of e-mail addresses, it uses its own built-in SMTP engine to send itself to every address on the list, so it does not depend on your mail program at all. It can also spread across networks via open file shares, so a single user on a corporate network can infect the entire network.

It will generally attack anti-virus programs that have not been recently updated, rendering them useless by removing their startup settings and the signature database they use to recognise viruses.

It can also infect executable files, which renders the programs it infects unusable.

It uses a number of random techniques to vary itself, so there is no single tell-tale subject line or attachment name to watch for: the subject line, the body text and the attached file are all varied at random.

One of the messages generated by the Klez.h variant carries an attached 'tool' (which is actually the worm) claiming to be a fix for the Klez.e variant. If you run the attached 'fix', you infect your system.

Some variants also 'spoof' the sender's address: the From: line is filled in with one of the addresses harvested from the infected machine, so the return address is not the person whose computer is actually infected. That is why most of us have received infected messages from very strange addresses, and it is also why you can be accused of sending the worm when your own machine is clean: someone who has your address in a file on their disk is infected, and the worm is putting your name on its outgoing mail.

So what can you do to protect yourself? First of all, make sure you have the latest security patches for Outlook or Outlook Express and Internet Explorer, which close the vulnerability. You can check which security patches you are currently missing by going to windowsupdate.com.

No matter which e-mail system you use, do not open an attachment unless you know exactly what the file contains, even when the message appears to come from someone you know. Trust no one!

Update your anti-virus program at least once a month, and considerably more often if you read e-mail every day. Most programs can schedule updates automatically so you won't have to remember; turn that on.

You can get specific removal instructions for your version of Windows from the Symantec AntiVirus Research Center (www.sarc.com).

If you do have the worm, once you have eradicated it from your system you will most likely need to reinstall any programs it has attacked, and to reinstall or update your anti-virus software if the worm disabled it.
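The spoofed sender and the disguised attachment described above can both be checked from the raw message headers, which is the quickest way to show that a 'Klez from Josh' did not come from Josh's machine. The following is an added example, not code from the original Data Doctors column or from any anti-virus vendor; the sample message, its hostnames and addresses, the base64 stub of an executable, and the helper names (`triage`, `originating_host`, `suspicious_attachments`) are all assumptions made for illustration.

```python
# Added example, not code from the original column: triage a Klez-style mail
# with the standard-library email parser. SAMPLE_MESSAGE, its hosts, addresses
# and base64 stub are constructed for illustration.
import email
import re
from email import policy
from email.utils import parseaddr

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}
NON_EXECUTABLE_MAINTYPES = {"audio", "image", "text", "video"}

# Constructed sample: From: is a harvested address, the earliest Received: hop
# is an unrelated dial-up host, and the attachment is a Windows executable
# (base64 of an "MZ" header) declared as audio/x-wav inside multipart/alternative.
SAMPLE_MESSAGE = b"""Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.org with ESMTP id ABC123; Mon, 6 May 2002 10:00:00 -0700
Received: from dialup-203-0-113-45.example.net ([203.0.113.45])
\tby mail.example.com with SMTP; Mon, 6 May 2002 09:59:58 -0700
From: josh@example.com
Subject: a special new website
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/html; charset=us-ascii

<html><body>See the attached.</body></html>
--XYZ
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ--
"""

def parse_message(raw):
    return email.message_from_bytes(raw, policy=policy.default)

def apparent_sender(msg):
    """Address in From:, which Klez fills in from its harvested list."""
    return parseaddr(str(msg["From"]))[1].lower()

def originating_host(msg):
    """Host in the earliest Received: header. Relays prepend Received:, so the
    first hop (the machine that injected the mail) is the last entry."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"from\s+(\S+)", str(received[-1]).strip(), re.IGNORECASE)
    return m.group(1).lower() if m else None

def sender_domain_matches_origin(msg):
    """False when the From: domain and the injecting host disagree."""
    sender, host = apparent_sender(msg), originating_host(msg)
    if host is None or "@" not in sender:
        return False
    domain = sender.rsplit("@", 1)[1]
    return host == domain or host.endswith("." + domain)

def suspicious_attachments(msg):
    """(filename, declared type, reasons) for each risky attachment. Walks every
    leaf part on purpose: EmailMessage.iter_attachments() skips
    multipart/alternative, which is exactly where Klez parks the executable."""
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if payload.startswith(b"MZ"):
            reasons.append("payload begins with an MZ (Windows executable) header")
            if ctype.split("/")[0] in NON_EXECUTABLE_MAINTYPES:
                reasons.append(f"executable declared as {ctype}")
        if reasons:
            findings.append((filename, ctype, reasons))
    return findings

def triage(raw):
    msg = parse_message(raw)
    return {
        "apparent_sender": apparent_sender(msg),
        "originating_host": originating_host(msg),
        "sender_matches_origin": sender_domain_matches_origin(msg),
        "suspicious_attachments": suspicious_attachments(msg),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Two caveats when reading the result. Only the Received: line written by your own mail server is trustworthy; everything below it arrived inside the message and could have been forged, so the reliable fact is the IP address your server recorded in brackets for the hop that handed it the mail. And the domain comparison is a heuristic: legitimate mail sent through an ISP relay will also fail it, so a mismatch does not prove forgery on its own, but a worm mail 'from' Josh whose first hop is a stranger's dial-up line is no evidence that Josh's machine is infected.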

If you would like to subscribe to our early-warning newsletter, you can do so at http://computerproblems.com/quikreg.cfm


Author

Posted by Ken of Data Doctors on May 6, 2002