Help & HowTo: Klez.H

The latest Klez worm is continuing to spread fast across the Internet and attempts to disable antivirus software when activated
Written by Robert Vamosi, Contributor
Another member of the Klez worm family is spreading fast across the Internet. Klez.H (w32.klez.h@mm, also known as Klez.g and Klez.k) is a significant variation of existing worms Klez.e and Klez.a. Klez.H has evolved dramatically enough to be able to slip past recent antivirus signature files on some PCs. A few users will need to update their antivirus signature files to specifically include Klez.H. Because of its rapid spread, Klez.H rates a 6/10 on the ZDNet Virus Meter.

How it works

Klez.H arrives as email with a subject line that contains one of approximately 120 phrases, such as:

Re: A WinXP patch
Undeliverable mail--"(random)"
Returned mail--"(random)"
(random)(random) game
(random) (random) tool
(random) (random) website
(random) (random) patch
(random) removal tools
how are you
let's be friends
darling

Some of the random words above are specific antivirus software vendor names or virus-specific names. The body text of the infected email also has many variations and may include one of the following:

This is a special humour game This is my first work. Your're the first player. I would expect you would enjoy it

(virus name) is a dangerous virus that spread through email. (Antivirus vendor) give you the (virus name) removal tools. For more information, please visit http://www.(antivirus vendor).com

Once active on a PC, Klez.H bypasses installed email software by using its own SMTP server to send infected copies of itself. To locate addresses, the worm searches files on the hard drive, looking for various file extensions that may contain email addresses. On networked drives, Klez.H will simply copy itself to remote disk drives by creating a random filename, then adding an .exe, .pif, .com, .bat, or .scr extension.

Like several other recent worms, Klez.H attempts to disable antivirus software installed on the infected computer. For more details regarding the original Klez worm, see this alert; for details on the previous variation Klez.E, see this alert.

Klez.H contains an upgraded version of the Elkern virus. Elkern.c (w32.elkern.c) runs under Windows 98, Me, 2000, and XP. Under Windows 98 and Me, Elkern.c adds a hidden file, wqk.exe, and registers it under the Registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK. Under Windows 2000 and XP, it adds wqk.dll to the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. These entries are added so that Elkern.c runs any time Windows is run. Elkern.c can corrupt files without changing their size.

Prevention

Klez.H uses a well-known vulnerability in Outlook Express that is included in versions of Internet Explorer 5.01 and 5.5. Microsoft has previously released a patch for this. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6 using the full installation setting.

Removal

All antivirus software companies have updated their signature files to include Klez.H. This will stop the infection upon contact and in some cases additional tools are available to help you remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, Kaspersky, McAfee, Norman, Panda, Sophos, Symantec and Trend Micro.
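
To check a machine for the two Elkern.c autostart entries described under "How it works", the following added example (not part of the original article or of any vendor's removal tool) scans saved `reg query` text output for a Run value named WQK or pointing at wqk.exe, and for wqk.dll in AppInit_DLLs. The function names, the sample listing and the file locations in it are constructed for illustration; it assumes the input uses the layout `reg query` prints.

```python
import re

# Persistence locations named in the article, with the hive spelled out
# the way `reg query` prints it. Compared case-insensitively.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# One value line of `reg query` output: indent, name, type, optional data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)(?:\s{2,}(.*))?$")

# Constructed sample input (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    WQK    REG_SZ    C:\WINDOWS\SYSTEM\wqk.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    wqk.dll
"""

def parse_reg_query(text):
    """Return {key: {value_name: data}} with keys and names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1).lower()] = (m.group(3) or "").strip()
    return keys

def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def find_elkern_persistence(text):
    """List (location, data) pairs matching the entries the article describes."""
    keys = parse_reg_query(text)
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name == "wqk" or basename(data) == "wqk.exe":
            findings.append(("Run", data))
    appinit = keys.get(WINDOWS_KEY.lower(), {}).get("appinit_dlls", "")
    for dll in re.split(r"[ ,]+", appinit):  # value is space- or comma-separated
        if basename(dll) == "wqk.dll":
            findings.append(("AppInit_DLLs", dll))
    return findings

if __name__ == "__main__":
    for location, data in find_elkern_persistence(SAMPLE):
        print(f"suspicious {location} entry: {data}")
```

An empty result only means these two entries are absent; it does not replace a scan with updated antivirus signatures.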