Win32/Klez.J Worm
Since April 17, 2002 a new variant of the Klez worm (Win32/Klez.J) has been reported in the wild and has started spreading worldwide. The NOD32 antivirus program, version 1.246 and higher, detects the new infiltration. Make sure your NOD32 Control Center is configured to download updates automatically. If you do not have the latest version of the NOD32 system, open the system's Control Center and click the "Update now" button.
The worm exploits a bug found in various versions of MS Internet Explorer, MS Outlook and Outlook Express. In particular, it takes advantage of the Microsoft IE MIME Header Attachment Execution Vulnerability, which allows a program to run on the target computer as soon as the e-mail is previewed or viewed. The description of the bug can be found at www.securityfocus.com/bid/2524, and the corresponding fix at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp.
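The vulnerability class described above is a mismatch between the MIME type an attachment declares and what the attachment actually is: the unpatched mail client trusted the declared media type and opened the part on preview. The following is an added detection example, not code from Eset or from this advisory. It parses a message with Python's standard `email` module and reports any part that is declared as a passive media type (audio, image, video or text) but carries an executable filename or a PE ("MZ") payload. The list of passive type prefixes, the executable-extension set and the sample message are assumptions constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly (assumed set for this example).
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs"}

# Media type prefixes that an unpatched client (MS01-020) opened automatically
# on preview. Assumed list for this example; see the bulletin for the real set.
PASSIVE_TYPES = ("audio/", "image/", "video/", "text/")


def find_suspicious_parts(raw: bytes) -> list:
    """Return one finding per MIME part whose declared type is a passive media
    type but whose filename or payload shows it is really a Windows executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if not ctype.startswith(PASSIVE_TYPES):
            # Declared as application/* or similar: not the mislabelling pattern
            # this check is for (a normal attachment filter handles those).
            continue
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable filename {filename!r} declared as {ctype}")
        if payload.startswith(b"MZ"):
            reasons.append(f"payload starts with the PE 'MZ' header but is declared as {ctype}")
        if reasons:
            findings.append({"content_type": ctype, "filename": filename, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample message: a text body, a benign GIF, and a fake
    executable mislabelled as a WAV file. Nothing in it is a real program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16,
                       maintype="image", subtype="gif", filename="logo.gif")
    # Fake PE header: the 'MZ' magic followed by padding.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 32,
                       maintype="audio", subtype="x-wav", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_suspicious_parts(build_sample_message()):
        print(finding)
```

Only the mislabelled part is reported; the GIF passes both checks and the text body has neither an executable name nor an MZ header. A mail gateway would typically quarantine on either reason alone, since a legitimate audio or image part never carries a PE header.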
If an older version of NOD32 was installed on your computer and the computer became infected, you will need to apply the cleaning procedure described below.
To remove a Win32/Klez.J infection from your computer (including the dropped Win32/EL_Kern.C virus):
- For Windows 95/98/ME operating systems: download the file klzcln95.exe from the download link or its mirror
- For Windows NT/2000/XP operating systems: download the file klzclnnt.exe from the download link or its mirror
- Close all running applications
- Disable or quit the on-access scanner (Amon)
- Disconnect the infected computer from the network and do not reconnect it until all other computers on the network have been cleaned
- Run the downloaded file: klzcln95.exe or klzclnnt.exe
- The executed file will install itself into the "C:\Program Files\Eset\Klez_cln" directory and run automatically
- Mark all hard drives and click the "Clean" button
- Let the utility clean every file infected with the Win32/Klez worm and the Win32/EL_Kern.C virus
- Restart the computer after the cleaning has completed
- Scan the whole system again with the downloaded utility (the file "klez_cln.bat" in the directory above); do not use NOD32 for this scan
- Delete the "C:\Program Files\Eset\Klez_cln" directory
- It is very likely that the worm destroyed some NOD32 files. Please use the utility fupdate.exe (common for all platforms) to force an environment update, which will restore the NOD32 installation. For more information about using this utility in a corporate environment, please read the accompanying instructions.
- Make sure your NOD32 is updated to the latest version of the virus databases: establish the internet connection, click the Control Center (CC) icon and then click the "Update now" button