***************************************************************************
                         FIX_KLEZ (version 3.11)
                           Trend Micro, Inc.
                        http://www.antivirus.com
***************************************************************************

I. File List

   o FIX_KLEZ.COM    - fix tool for WORM_KLEZ (.A, .B, .C, .E, .I, and .G
                       variants) and PE_ELKERN (.A, .B, and .D variants)
   o README_KLEZ.TXT - this readme file

II. How to Use

   ** IMPORTANT NOTE: This tool only removes WORM_KLEZ (.A, .B, .C, .E,
   .I, and .G variants) and PE_ELKERN (.A, .B, and .D variants) infected
   processes/services, registry entries, and currently running dropped
   files. Therefore the only way to fully clean the system is to run this
   tool, reboot the system, run the tool again, and then use our virus
   scanner to detect and delete files detected as WORM_KLEZ (.A, .B, .C,
   .E, .I, and .G variants) and to clean files detected as PE_ELKERN (.A,
   .B, and .D variants). This virus may infect system files used by
   Windows or by other applications, so deleting these files may cause
   Windows or other applications to malfunction.

   For Windows 95/98/ME:

   1. Before using this tool, users, specifically those with Internet
      Explorer (IE) versions 5.01 and 5.5 installed, are advised to
      install the patches provided by Microsoft. Links and descriptions
      of these patches are available at the end of this document.

   Scan and clean PE_ELKERN (.A, .B, and .D variants) infected files:

   2. Create Emergency Rescue Disks (ERDs). For details on how to create
      an ERD, please refer to this site:
      http://www.antivirus.com/pc-cillin/support/edisks.htm
      Note: To create an ERD you will need another virus-free computer
      and 4-5 floppy disks.
   3. Turn off the computer you suspect is infected with a virus. Do not
      reset or reboot, because some viruses may remain intact in the
      computer's memory.
   4. Insert disk 1 into your A:\ drive and turn on the computer.
   5. Follow the on-screen prompts.
   6. Type this command: A:\Pcscan /v /c /A /NOBKUP. Then follow the
      instructions.
      Note: This will scan and clean all infected files.
   7. Reboot your system to Windows.

   Clean the system of WORM_KLEZ (.A, .B, .C, .E, .I, and .G variants):

   8. Turn off all applications running on your system, including any
      antivirus software that may be installed, to avoid conflicts that
      may occur while the tool is scanning the system.
   9. Disconnect the system from the network to avoid reinfection while
      the tool is cleaning the system. It is also recommended to run
      "Net Use" before running the tool in your network and to take note
      of the shared folders, as this tool has an option to remove these
      net shares.
   10. Place FIX_KLEZ.COM in a temporary directory or folder.
   11. Open a Command Prompt (MS-DOS Prompt) and change to the directory
       where the tool was copied. Type:
       FIX_KLEZ.COM
       Note: There are times when you may need to re-execute the tool
       after rebooting. Please take note of the messages after running
       the fix tool.
   12. Enable all antivirus software that is installed and perform a
       manual scan.
   13. Please restore critical folders that are not used to share files
       outside of the computer.

   For Windows NT/2000:

   1. Before using this tool, users, specifically those with Internet
      Explorer (IE) versions 5.01 and 5.5 installed, are advised to
      install the patches provided by Microsoft. Links and descriptions
      of these patches are available at the end of this document.

   Scan and clean PE_ELKERN (.A, .B, and .D variants) infected files:

   Option 1:
   2. Under the NTFS file system, creating an ERD will not work. You
      should slave your hard disk to a 100% clean system.
   3. Scan and clean the infected hard disk using the latest pattern
      file.
   4. Boot from the infected hard disk.

   Option 2:
   1. You need an installer of Windows 2000.
   2. Boot from the CD.
   3. Select repair, then console. This will allow you to boot from the
      CD and modify the system file WQK.DLL.
   4. Remove the hidden and read-only attributes with this command:
      attrib -h -r WQK.DLL
   5. Create folder WQK.DLL.
   6. Reboot the machine.

   Clean the system of WORM_KLEZ (.A, .B, .C, .E, .I, and .G variants):

   8. Turn off all applications running on your system, including any
      antivirus software that may be installed, to avoid conflicts that
      may occur while the tool is scanning the system.
   9. Disconnect the system from the network to avoid reinfection while
      the tool is cleaning the system. It is also recommended that you
      run "Net Use" before running the tool in your network and take
      note of the shared folders, as this tool has an option to remove
      these net shares.
   10. Place FIX_KLEZ.COM in a temporary directory or folder.
   11. Open a Command Prompt (MS-DOS Prompt) and change to the directory
       where the tool was copied. Type:
       FIX_KLEZ.COM
       Note: There are times when you must re-execute the tool after
       rebooting. Please take note of the messages after running the fix
       tool.
   12. Enable all antivirus software that is installed and perform a
       manual scan.
   13. Please restore critical folders that are not used to share files
       outside of the computer.

III. Description

   This tool is designed to clean a system that was infected by
   WORM_KLEZ (.A, .B, .C, .E, .I, and .G variants) and PE_ELKERN (.A,
   .B, and .D variants). The tool supports the following features:

   o Scan and remove WORM_KLEZ (A, C, E, I, and G variants) and
     PE_ELKERN (A, B, and D variants) from memory.

   o Remove the worm's registry entries:
     a. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\krn132
     b. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\wqk
     c. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\WinSvc
     d. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\Wink*
        (where * is any randomly selected characters)

     Under Windows NT/2000:
     a. HKLM\SYSTEM\CurrentControlSet\Services\KernelSvc\
     b. HKLM\SYSTEM\CurrentControlSet\Services\Krn132\
     c. HKLM\SYSTEM\CurrentControlSet\Services\Wink*
        (where * is any randomly selected characters)

     Under Windows 2000:
     c. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

   o Remove dropped files:
     a. %systemdir%\krn132.exe
     b. %systemdir%\winsvc.exe
     c. %systemdir%\wink*.exe
        (where * is any randomly selected characters)

     Under Windows 95/98/ME:
     b. %systemdir%\wqk.exe

     Under Windows 2000:
     c. %systemdir%\wqk.dll

IV. Parameters

   This tool has no parameters. Simply execute the tool by
   double-clicking it or by typing FIX_KLEZ.COM and pressing the return
   key. It will automatically perform the features mentioned in the
   Description section.

V. Syntax

   Run FIX_KLEZ.COM without any parameter(s) or double-click it from
   EXPLORER.

   o Scan and remove WORM_KLEZ (.A, .B, .C, .E, .I, and .G variants) and
     PE_ELKERN (.A, .B, and .D variants) from memory.
   o Remove the worm's registry entries.
   o Remove dropped files.
   o Stop and remove virus/worm services.

VI. Requirements

   This tool is designed to run under Windows NT/2000 and Windows 9X/ME.
   For this tool to execute properly under Windows NT/2000 it needs the
   following DLL file:

   o PSAPI.DLL

   Be sure that this file is present in the "Winnt\system32" directory.

VII. Notes

   1. The tool will flag a file as WORM_KLEZ (.A, .B, .C, .E, .I, and .G
      variants) only when the file itself is an exact copy of the worm
      in its original form. It will delete the said file to remove it
      from the system.
   3. FIX_KLEZ.COM is a Windows executable file renamed to .COM to
      prevent it from being infected by common Win32 viruses.

VIII. Known Issues

   1. On WinME systems, deleted files are still present in the System
      Restore folder due to WinME's Restore feature. When an infected
      file is deleted, the Restore folder of WinME will back up the file
      for future restoration. The user must manually delete this file in
      the Restore folder. Please visit the following Web site for a
      description and more detailed information on how to remove the
      contents of the _Restore folder:
      http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP?LN=EN-US&SD=SO&FR=0
   2. After rebooting, NT machines will restore the shares of ALL
      DEFAULT DRIVES.
   3. PE_ELKERN (.A and .B variants) infected files that are currently
      in use by another program cannot be cleaned. A reboot and a scan
      using Trend Micro's virus scanner are therefore needed to clean
      these files.
   4. Under Windows NT/2000, the worm registers itself as a service.
      When it registers itself as a service, the following registry keys
      are automatically created and therefore need to be deleted to
      prevent the worm from re-activating:
      a. HKLM\SYSTEM\CurrentControlSet\Services\KernelSvc
      b. HKLM\SYSTEM\CurrentControlSet\Services\Krn132
      c. HKLM\SYSTEM\CurrentControlSet\Services\Wink*
         (where * is any randomly selected characters)
   5. As previously mentioned, this tool cannot clean files infected
      with PE_ELKERN (.A, .B, and .D variants). After running this tool,
      it is necessary to reboot the computer, then run Trend Micro's
      virus scanner to detect and clean files infected with PE_ELKERN
      (.A, .B, and .D variants). Other files detected as WORM_KLEZ (.A,
      .B, .C, .E, .I, and .G variants) can also be deleted.
   6. There are instances where both the worm and the virus drop files
      with random filenames and subsequently execute these files. While
      these files are running in memory, they can detect any changes
      made to the registry entries they created and restore those
      entries. Since this tool is not capable of detecting the
      PE_ELKERN (.A and .B variants) processes/services in memory, it is
      necessary to execute the tool again after restarting the computer
      to remove the virus' registry entries. Afterwards, run Trend
      Micro's virus scanner to scan and clean files infected with
      PE_ELKERN (.A and .B variants). Other detected copies of WORM_KLEZ
      (.A, .B, .C, .E, .I, and .G variants) may also be deleted.
   7. The virus component has the capability to infect files that
      Windows loads during startup. Because of this, it is necessary
      that you use Emergency Repair Disks to scan and clean infected
      files.
   8. Like PE_FUNLOVE.4099, the virus component PE_ELKERN (.A and .B
      variants) has the capability to infect all Windows executables,
      including applications that Windows loads during system startup.
      It is necessary to strictly follow the cleaning procedure for your
      Windows platform.
   9. Under Windows 2000, the virus component drops and accesses the
      file WQK.DLL in the Windows system directory. Because of this,
      the file will keep reappearing if you execute the fix tool without
      cleaning the files infected by PE_ELKERN (.A and .B variants).
      Similarly, this registry entry will persist on your system:
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
      AppInit_DLLs = "Wqk.dll"
   10. WORM_KLEZ.G drops into folders like a companion virus. Example:
       In C:\Program\Files\Cmak with the file cmak.exe, WORM_KLEZ.G will
       be dropped with the filename cmak.exe and will rename the original
       file to cmak*.exe. When the Fix_Klez.com tool or Trend Micro's
       virus scanner deletes this file, the related link is broken, so
       clicking the link in Start Menu/Programs/Administrative
       Tools/Connection Manager Administration Kit points to the deleted
       file, cmak.exe. Windows will report a "file not found" error
       because the original file was renamed to cmak*.exe. You should
       rename cmak*.exe back to cmak.exe to correct this problem.
       Note: The current version of this tool does not support scanning
       and cleaning of the infected file.

IX. Microsoft Fixes/Upgrades

   1. For those who use Internet Explorer (IE) versions 5.01 and 5.5,
      please use the fix for the IE MIME Header Attachment Execution
      Vulnerability found at:

X. History

   version 1.00 - First release
   version 1.10 - Fixed bug on Windows 2000 processes
                  Added log file
                  Added inoculation of the system
   version 1.20 - Fixed bugs
                  Added Windows platform information in the log file
   version 2.00 - Included support for WORM_KLEZ.E and PE_ELKERN.B
   version 3.00 - Included support for WORM_KLEZ.I and PE_ELKERN.B
   version 3.01 - Renamed TROJ_KLEZ to WORM_KLEZ; fixed bugs in killing
                  the klez_e service; added log for klez_e
   version 3.02 - Modified log file format
   version 3.10 - Added support for variant G
   version 3.11 - Added support for PE_ELKERN.D

XI. Others

   This tool has been tested under the following platforms:

   Windows 9x
   Windows ME
   Windows NT 4.0 Workstation and Server
   Windows 2000 Professional and Server

XII. For more information regarding these viruses, please visit our Web
     site at:
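The following is an added example and is not part of this readme or of Trend Micro's FIX_KLEZ tool. It is a report-only PowerShell check that looks for the indicators listed in the Description section and in Known Issues 4 and 9 (the Run-key values, the NT/2000 service keys, the AppInit_DLLs value, and the dropped files in the system directory) and records the current shares before the tool is run, as step 9 recommends. The indicator names come from this readme; the function and parameter names, the regular expression used for the random Wink* suffix, and the use of "net share" (rather than the readme's "Net Use") to record local shares are this example's own choices. Nothing is deleted; the findings are returned for review so that cleaning is still done with the fix tool and the virus scanner as described above.

```powershell
# Added example, not part of the FIX_KLEZ readme or of Trend Micro's tool.
# Report-only check for the indicators the readme lists: Run-key values,
# service keys, the AppInit_DLLs value, and dropped files. Nothing is removed.
# Assumptions: function/parameter names and the Wink.* regex are this
# example's own; "net share" is used to record local shares before cleaning.

function Find-KlezIndicators {
    [CmdletBinding()]
    param(
        # Directory to search for dropped files (%systemdir% in the readme).
        [string]$SystemDir = [Environment]::SystemDirectory
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Type, [string]$Location, $Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
    }

    # Run-key values the readme says the worm creates (Wink* = random suffix).
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($name in $run.PSObject.Properties.Name) {
            if ($name -match '^(krn132|wqk|WinSvc|Wink.*)$') {
                Add-Finding 'RunValue' "$runKey\$name" $run.$name
            }
        }
    }

    # Service keys the worm registers under Windows NT/2000 (Known Issue 4).
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^(KernelSvc|Krn132|Wink.*)$' } |
        ForEach-Object {
            $image = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            Add-Finding 'ServiceKey' $_.Name $image
        }

    # AppInit_DLLs pointing at Wqk.dll (Windows 2000, Known Issue 9).
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit -and ($appInit -match 'wqk\.dll')) {
        Add-Finding 'AppInitDLLs' "$winKey\AppInit_DLLs" $appInit
    }

    # Dropped files named in the readme. wink*.exe is a wildcard, so any hit
    # must be confirmed with the scanner: the tool only flags exact copies.
    foreach ($pattern in 'krn132.exe', 'winsvc.exe', 'wink*.exe', 'wqk.exe', 'wqk.dll') {
        Get-ChildItem -Path (Join-Path $SystemDir $pattern) -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'DroppedFile' $_.FullName $_.Length }
    }

    # PSAPI.DLL is required by the tool under NT/2000 (section VI).
    if (-not (Test-Path (Join-Path $SystemDir 'psapi.dll'))) {
        Add-Finding 'MissingRequirement' (Join-Path $SystemDir 'psapi.dll') 'PSAPI.DLL not found'
    }

    return $findings
}

# Step 9 asks you to note shared folders before running the tool, because the
# tool can remove net shares; this saves the "net share" output to a file so
# the shares can be restored afterwards (step 13).
function Save-ShareSnapshot {
    param([string]$Path = (Join-Path $env:TEMP 'shares-before-fix_klez.txt'))
    net share | Out-File -FilePath $Path -Encoding ascii
    return $Path
}

# Usage (run from an elevated prompt): record shares, then list indicators.
Save-ShareSnapshot
Find-KlezIndicators | Format-Table -AutoSize
```

Because the Wink* names are random, the regular expression will also match any legitimate Run value, service, or executable whose name happens to start with "Wink"; treat each hit as something to verify with the virus scanner, not as a confirmed infection. The share snapshot is taken with "net share", which lists the shares this computer offers, since those are the ones the tool's net-share removal option affects.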