HiWAAY: Information/Internet Services
An FAQ is a Frequently Asked Question. We have listed here the question paired with
the appropriate answer. If you don't find the answer to your question, please visit
our customer support page or email support@HiWAAY.net.
XYZ - The Retired FAQ Archive
Busy Signal Report Form: Report a busy signal.
There are currently 249 FAQs in the database.
Old FAQs - We've kept these older FAQs in the archive just in case someone needs the information. These archived FAQs are no longer maintained and will certainly be out-of-date and contain errors.
Question: How do I protect my computer from the Klez (W32.Klez.H@mm and W32.Klez.E@mm) Worms?
or the Klez worms have spread far and wide across the Internet. HiWAAY Support receives about 100 - 200 emails infected with these worms every day. Both Klez worms work about the same so I'll use the common name Klez for the rest of this warning unless there is a feature that is particular to one version alone.
Klez arrives as an email. The subject, reply-to address and message are randomly generated so there's no easy to recognize pattern. About the only common pattern that I have been able to detect is that most infected email include 4 attachments. However, this is not true all the time and shouldn't be used as the only criteria to determine if an email is infected with Klez.
The worm itself is attached as an executable file and can also be infecting any of the other attached files. Double clicking on the attachments will launch the worm and infect the computer.
Sends Copies of Itself by Email:
Once the Klez worm has infected a system it will spread itself via email to all the email addresses it can cull from email, web pages and the Outlook address book and almost any other file it can find on the computer. Klez is the most aggressive worm yet for finding email addresses. It will send multiple copies of itself to every email address it finds. It will also put one of these found email addresses in the From field of the email message. This alone has caused lots of confusion, bad feelings and further spread of the Klez worm as people reply to the infected emails (some examples I've seen have been quite angry) complaining about being sent a virus. The true sender of the worm is buried in the email headers. If you are not sure how to read the full headers of an email (or if you don't know what "full headers" are), then please don't
reply to the virus infected email.
Installs a Password Sniffing Trojan Horse:
The W32.Klez.H@mm worm will also install a password sniffer call ELKern that can not only capture passwords, but can infect all files on the victim computer as well as all files can be accessed across a network. (Note: This is another good reason to not use file sharing unless you need to.)
Attempts to Disable Anti-virus Software:
Last, but not least, when Klez infects a computer it disables some of the files associated with popular anti-virus applications. Anti-virus software on infected systems can not be trusted to detect and remove Klez. This is not a good thing and if your computer is infected with Klez you should plan on reinstalling any anti-virus software you normally use.
More detailed information can be found at:
Protection of Windows based systems is easy.
- Make certain your anti-virus software is up to date.
- Run a personal firewall like ZoneAlarm
- Of course, it always bears repeating, don't open attachments!
The Klez worm is particularly difficult to remove. Symantec has released a Klez worm removal tool that can remove both the Klez.E and Klez.H worms as well as other variations of Klez. It can be downloaded for free from: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
If you are infected with Klez, you need to immediately download the cleaning tool and the disconnect your computer from the Internet until you have cleaned off the Klez infection. Run the tool following the instructions from Symantec. After you have run the tool and it has removed the worm, restart your computer and reinstall
your antivirus software. You should then update your antivirus software and have it scan all the files on your computer.
Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program and program update sites. (Note that Norton and eTrust both have built-in update tools.)
New definitions are released constantly. Please check with your anti-virus vendor for the latest files.
HiWAAY does not warrant that any of the tools and patches listed above will protect or repair a system, nor can we offer support on complex task of manually removing the Klez worm and verifying system integrity.
HiWAAY Internet Services - (888) 244-9229 - 721 Clinton Ave., Suite #8, Huntsville, AL 35801
© HiWAAY Internet Services. All Rights Reserved.