Infesting the Most Victims. Lasting the Longest. Hardest to Kill. KLEZ, the Worm.
This information
is for Windows computer users only; Linux and Macintosh users
would find this document only of passing interest at this point
in time.
The new Klez worm (a type of "computer virus") appears to have slipped
under the radar of many users to become the leading virus threat of today.
Klez is classed as a worm because of the way it duplicates itself. It is
complex software, with many different behaviors.
5/30/02
Users of current versions of InoculateIT 6.0
Anti-Virus should have a very high degree of protection from
the Klez worm. InoculateIT, part of Computer Associates' eTrust security initiative,
is in our opinion the leading anti-virus product available today.
SoftProse Technology, Inc. is pleased to make InoculateIT
available to quietly and effectively protect entire office
networks from all forms of malicious software.
InoculateIT 6.0 can block the Klez worm, and can disable it
to cure an infected computer. The InoculateIT program does this
with "brute force", renaming or moving affected files.
There are custom utility programs, such as the popular FixKlez.com
utility, that can actually repair programs damaged by the Klez
virus. This program is available from Symantec as a free download.
If you think you may be affected by the Klez virus, you may want
to start by downloading and running this program:
http://securityresponse.symantec.com/avcenter/FixKlez.com.
The page that links to this download is:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
Please read the directions for using
the FixKlez.com removal tool.
It is DIFFICULT to remove the
Klez virus. You should shut the PC down for 30 seconds or more.
(Power OFF.) Windows 98 users must restart into Safe Mode (repeatedly
strike the F8 key [CTRL key on some systems] during startup,
and choose Safe Mode from the Windows menu that appears.) The
tool may crash many times while cleaning the worm.
READ THE INSTRUCTIONS if you can before attempting to use the
FixKlez.com tool.
If you have reason to suspect a problem, TAKE ACTION NOW.
NOTE: If you do not have good
quality anti-virus software that is automatically updated frequently
(we suggest setting it to check for updates every 4 hours), you
stand a good chance of being affected by the Klez worm or one
of its variants. If virus problems "passed you by"
in the past, this worm stands a good chance of catching you by
surprise. Klez has been a MAJOR virus problem for the past month,
with no signs of slowing down. It may be the "worst virus
ever".
Looking to purchase Anti-Virus
software?
SoftProse Technology, Inc. suggests
InoculateIT, both in the Personal Edition for home users,
and the Workgroup or Enterprise editions for complete protection
for entire offices.
There are a number of other products that can offer excellent
protection from viruses, worms, and trojan horses.
The Klez Worm has many "Features". These include:
1) The Klez virus adopts a RANDOM return address as the return
address on outgoing Email. Email messages with Klez attached
are not necessarily from the computer named in the "From..." line; the Email is sent
with a randomly selected return address, almost certainly different
from the address of the computer that is actually sending the message.
Thousands of messages may be sent with a perfectly innocent,
and random, "From..." line. (Don't assume that whoever appears to have sent
you the Klez virus actually has it!)
From the virus author's standpoint, this makes the infected machine much harder
to discover. ("YOU have the virus!" "No, I don't." "Then who
does?") From a user's standpoint, users will find themselves
accusing people of sending out the virus who are perfectly innocent.
They don't have the virus; the virus just picked their Email
address as the return address from among all the addresses on
the computer that was infected.
2) Klez is a "Program Snatcher". It reproduces by imitating
an existing "exe" program on your computer; the actual
"EXE" software is then compressed and renamed. There
is no way to tell the "fake" program from the original
program. When you run the program that was "taken over"
(such as Access, or Outlook), the virus actually runs. It then
opens and runs the compressed and renamed EXE file, which makes
it look like the program is running normally.
3) It has its own SMTP server, so it does not need your Email
program to "send mail". It has its own.
4) It will infect network shares, so if one user on an office
network gets the Worm, everyone can get it. You don't need to
have Email or even a connection to the Internet. If one computer
gets infected, and there are shared folders (as with a Fileserver),
all users on the network may become infected. (It is especially
important, as shown by this example, to protect Server
computers.)
5) The virus will search your hard disk for anything that even
looks like an Email address, and will assemble its own "address
book" for sending mail.
6) The worm tries to fake people out with a "Human Interface"
on some (not all) Emails. (The message changes randomly.) Below
is one message the virus may send:
"Klez.E is the most common world-wide spreading worm.It's
very dangerous by corrupting your files. Because of its very
smart stealth and anti-anti-virus technic,most common AV software
can't detect or clean it. We developed this free immunity tool
to defeat the malicious virus. You only need to run this tool
once,and then Klez will never come into your PC. NOTE Because
this tool acts as a fake Klez to fool the real worm,some AV monitor
maybe cry when you run it. If so,Ignore the warning,and select
'continue'. If you have any question,please mail to me."
7) Instructions for creating your very own Klez virus seem to
have been widely distributed. There are currently over 8 major
variants found, and more are appearing every day. The worm is
mutating; a defense today may not be a defense tomorrow. Your
anti-virus software should be set to check for updates frequently
over the Internet. Our installations
of InoculateIT are normally set to check for updates every
4 hours.
8) The email attachment the program sends out to distribute itself
to new victims includes an actual data file or document from
your computer. Needless to say, this can be a tremendous security
risk.
9) The virus is difficult to remove without leaving damaged programs
behind. InoculateIT does an excellent job of stopping Klez from
running, but does not repair damaged programs if the infection
has already taken hold.
The FixKlez.com tool from Symantec is perhaps
the best tool for repairing the damage done by the worm. Before
running the FixKlez.com tool, you should read the instructions
from the download site:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
The FixKlez tool can be downloaded from: http://securityresponse.symantec.com/avcenter/FixKlez.com.
You should start by shutting down the power for 30 seconds or
more first to clear the virus from memory. (The instructions
are emphatic about this. Somehow this software may be able to
survive turning off the computer.) For Windows 98, boot into
Safe Mode. (Press F8 [or CTRL key on some systems] repeatedly
as the computer starts up to see the Windows Startup Menu, and
choose Safe Mode as an option.) Running the FixKlez.com
tool should kill the worm, but may require multiple attempts
as the program may crash repeatedly as the worm is removed. Programs
that were taken over by the worm may or may not be healed; many
programs are damaged by the worm and/or the subsequent removal
process and must be restored from original disks.
All in all, this can be a very tough program to remove without
leaving significant damage behind.
Klez is serious, and must
be eliminated as soon as it is noted.
For more information on the
Klez virus, see
http://www3.ca.com/solutions/collateral.asp?CT=65&ID=1705
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H