The HackFix Project - Klez.H
How to tell if you are Infected with Klez.H
Everyone has been receiving Klez infected emails since the infection was discovered on April 17/2002. Many readers have asked: Am I infected? How do I check? Reviewing the questions below should tell you whether an infection has occurred, how far it has proceeded, and what steps to take.
Have you actually executed any of the infected attached files?

No! I have deleted the emails without opening them:
1. You can not get infected by simply receiving the infected emails.
2. Properly configured antivirus programs that have email scanning abilities will catch this infection easily, so infection of your system can not occur.
3. Email clients that are not Microsoft related (Outlook etc.) can not automatically execute the infected attachment.
4. Microsoft email clients (Outlook etc.), if updated and with the preview pane disabled, can not automatically execute the infected attachments.
In all of the cases above infection can not occur. Delete the suspect emails and run a good, updated, properly configured antivirus program over the entire system, including email files if applicable, to verify there is no infection.
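Point 2 above relies on the email scanner inspecting attachments rather than trusting their names. The following is an added example, not code from the HackFix Project or from any antivirus product, showing the kind of check such a scanner performs: it parses a constructed sample message with Python's standard email module and flags an attachment by its executable extension, by a double extension, and by the "MZ" signature of a Windows executable regardless of the content type the sender declared.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when the file is opened.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def classify_attachment(part) -> list[str]:
    """Return the reasons this MIME part should be quarantined (empty = clean)."""
    reasons = []
    filename = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    content_type = part.get_content_type()

    # Test the final extension: "photo.jpg.exe" still ends in .exe.
    if filename.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable file extension")
    # A double extension is a classic attempt to look like a harmless file.
    if filename.count(".") >= 2 and filename.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("double extension disguises an executable")
    # Never trust the name or the declared type: inspect the bytes. Windows
    # executables (DOS/PE format) start with the two-byte "MZ" signature.
    if payload[:2] == b"MZ":
        reasons.append("DOS/PE executable signature in payload")
        if not content_type.startswith("application/"):
            reasons.append(f"declared type {content_type} hides executable content")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename to its quarantine reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        part.get_filename() or "<unnamed>": classify_attachment(part)
        for part in msg.iter_attachments()
    }


def build_sample() -> bytes:
    """Constructed test message: one disguised executable, one harmless text file."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed body text.")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 28  # header bytes only, not a real program
    msg.add_attachment(fake_exe, maintype="image", subtype="jpeg", filename="photo.jpg.exe")
    msg.add_attachment("Plain notes.", filename="readme.txt")
    return bytes(msg)
```

Running scan_message(build_sample()) reports three reasons for photo.jpg.exe and none for readme.txt; a real mail scanner would also compare the payload against virus signatures, which this example does not attempt.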
Did you preview the email with an outdated/unpatched Microsoft email client (Outlook etc.)?

Yes!
Then infection is most likely. Outdated or unpatched Microsoft email clients are vulnerable to the very thing this email worm depends on to spread. The preview pane in unprotected email clients gives the infection the ability to run itself without the user doing anything.

To update your Microsoft email client, visit Microsoft Windows Update.
Did you run/execute the infected attachment? (for non-Microsoft email clients or patched Microsoft email clients)

No!
If you opened an infected email but did NOT actually run/execute or save the infected attachment, then infection has not begun.
Yes!
Opening/executing/running the attached files of the infected email will start the infection. The worm will alter some files and lie dormant until the next system reboot. If an antivirus program is run over the system at this stage it may catch the infection, making removal easy.
Have you executed the infected attachment AND rebooted the system?

No!
Running a properly configured antivirus program over the entire system, including email files if applicable, should be able to remove the initial infected files before complete infection can occur.
Yes!
Once the infection is in place and a system reboot has occurred, the infection is active and will send itself out to random email addresses via the system email client and/or Windows SMTP. At this time antivirus programs have been disabled by the worm and will not operate or start up. This prevents the antivirus program from detecting, and possibly attempting to remove, the active worm as well as any future infections.

To verify the infection, an online virus scanner can be used, as this worm can not affect them. It is best to use an online scan from a vendor different from your own antivirus program. Online virus scanners can be found here. It is best to run online virus scans with all unnecessary programs closed, to help prevent false positives.
The worm is set to reinfect the system on each system reboot, and on specific dates set out in the worm, if removal is attempted improperly. Complete removal is necessary to stop this worm from spreading.
For complete removal information please see your specific antivirus vendor's site and/or the sites below that offer removal information and removal tools.

Be advised that a removal tool from your own antivirus vendor's site should be used first, before trying tools from another site. If your antivirus vendor's removal tool does not appear to work, review the text (readme) information from your own vendor's site to verify no steps have been overlooked, and then try another site.