
How to tell if you are infected with Klez.H
The HackFix Project - Klez.H

Everyone has been receiving Klez-infected emails since the infection was discovered on April 17/2002. Many readers have asked: Am I infected? How do we check? Working through the questions below should tell you whether an infection has occurred, how far it has proceeded, and what steps to take.

Have you actually executed any of the infected attached files?

No! I have deleted the emails without opening them:

1. You cannot get infected by simply receiving the infected emails.
2. Properly configured antivirus programs that have email scanning abilities will catch this infection easily, so infection of your system cannot occur.
3. Email clients that are not Microsoft related (Outlook etc.) cannot automatically execute the infected attachment.
4. Microsoft email clients (Outlook etc.), if updated and with the preview pane disabled, cannot automatically execute the infected attachments.

In all of the cases above, infection cannot occur. Delete the suspect emails and run a good, updated, properly configured antivirus program over the entire system, including email files if applicable, to verify there is no infection.

Did you preview the email with an outdated/unpatched Microsoft email client (Outlook etc.)?

Yes!

Then infection is most likely. Outdated or unpatched Microsoft email clients are vulnerable to the very thing this email worm depends on to spread. The preview pane in unprotected email clients gives the infection the ability to run itself without the user doing anything.
To update your Microsoft email client, visit Microsoft Windows Update.

Did you run/execute the infected attachment (for non-Microsoft email clients or patched Microsoft email clients)?

No!

If you opened an infected email but did NOT actually run/execute or save the infected attachment, then infection has not begun.

Yes!

Opening/executing/running the attached files of the infected email will start the infection. The worm will alter some files and lie dormant until the next system reboot. If an antivirus program is run over the system at this time, it may catch the infection, making removal easy.

Have you executed the infected attachment and rebooted the system?

No!

Running a properly configured antivirus program over the entire system, including email files if applicable, should be able to remove the initial infected files before complete infection can occur.

Yes!

Once the infection is in place and a system reboot has occurred, the infection is active and will send itself out to random email addresses via the system email client and/or Windows SMTP. At this point antivirus programs have been disabled by the worm and will not operate or start up. This helps prevent the antivirus program from detecting and possibly attempting to remove the active worm, as well as any future infections.

To verify the infection, an online virus scanner can be used, as this worm cannot affect them. It is best to use an online scan that is different from your own antivirus program. Online virus scanners can be found here. It is best to run online virus scans with all unnecessary programs closed to help prevent false positives.

If removal is attempted improperly, the worm is set to reinfect the system on each system reboot and on specific dates as set out in the worm. Complete removal is necessary to stop this worm from spreading.

For complete removal information, please see your specific antivirus site and/or the sites below that offer removal information and removal tools.

Be advised that a removal tool from your own antivirus program's site should be used first, before using tools from another site. If your antivirus site's removal tool does not appear to work, review the text (readme) information from your own program's site to verify no steps have been overlooked, and then try another site.



Symantec information
Symantec removal tool and additional information
Trend Micro information
Trend Micro removal tool and additional information
McAfee information
F-Secure information
F-Secure removal tool. Be sure to read the readme information in the removal tool zip before proceeding.
Norman information
Norman removal tool. Be sure to read the readme information in the removal tool zip before proceeding.
Kaspersky information
Kaspersky removal tool
RAV information
RAV removal tool and additional information
NOD32 information

Additional reference sites (in random order):
Klez: Hi Mom, We're No. 1 (Wired News)
Klez: Don't Believe 'From' Line (Wired News)
Klez Worm, Not Sender, Hates You (Wired News)
Are you the Klez monster? (CNET News)
Chernobyl virus rides Klez's coattails (CNET News)
Chaos as 'Klez cocktails' begin to strike (Vnunet News)
Klez variant crowned virus king (Vnunet News)
