***************************************************************************
                         FIX_KLEZ (version 3.02)
                            Trend Micro, Inc.
                         http://www.antivirus.com
***************************************************************************

I. File List

   o FIX_KLEZ.COM   - fix tool for WORM_KLEZ (.A, .B, .C, .E, .I variants)
                      & PE_ELKERN (.A and .B variants)
   o README_KLEZ.TXT - this readme file

II. How to Use

   ** IMPORTANT NOTE: This tool only removes WORM_KLEZ (.A, .B, .C, .E, .I
   variants) & PE_ELKERN (.A and .B variants) infected processes/services,
   registry entries, and currently running dropped files. The only way to
   fully clean the system is therefore to run this tool, reboot the system,
   run the tool again, and then use our product to detect and delete files
   detected as WORM_KLEZ (.A, .B, .C, .E, .I variants) and to clean files
   detected as PE_ELKERN (.A and .B variants). The virus may infect system
   files used by Windows or by other applications, so deleting such files
   (instead of cleaning them) might cause Windows or those applications to
   malfunction.

   For Windows 95/98/ME:

   1. Before using this tool, users, specifically those with Internet
      Explorer (IE) versions 5.01 and 5.5 installed, are advised to install
      the patches provided by Microsoft. Links and descriptions for these
      patches are available at the end of this document.

   Scan and clean PE_ELKERN (.A and .B variants) infected files:

   2. Create an Emergency Rescue Disk (ERD). For details on how to create
      an ERD, please refer to this site:
      http://www.antivirus.com/pc-cillin/support/edisks.htm
      Note: To create an ERD you will need another virus-free computer and
      4-5 floppy disks.
   3. Turn off the computer you suspect is infected with a virus. Do not
      reset or reboot, because some viruses may remain intact in the
      computer's memory.
   4. Insert disk 1 into your A: drive and turn on the computer.
   5. Follow the on-screen prompts.
   6. Type this command: A:\Pcscan /v /c /A /NOBKUP. Then follow the
      instructions.
      Note: This will scan and clean all infected files.
   7. Reboot your system to Windows.

   Clean the system from WORM_KLEZ (.A, .B, .C, .E, .I variants):

   8. Close all applications running on your system, including any
      antivirus software that may be installed, to avoid conflicts while
      the tool is scanning the system.
   9. Disconnect the system from the network to avoid reinfection while the
      tool is cleaning the system. It is also recommended to run "net share"
      (and "net use" for mapped drives) before running the tool and to take
      note of the shared folders, because this tool has an option to remove
      these network shares.
   10. Place FIX_KLEZ.COM in a temporary directory or folder.
   11. Open a Command Prompt (MS-DOS Prompt) and change to the directory
       where the tool was copied. Type FIX_KLEZ.COM
       Note: There are times when the tool needs to be run again after a
       reboot. Please take note of the messages displayed after running the
       fix tool.
   12. Enable all installed antivirus software and perform a manual scan.
   13. Restore only the shares noted in step 9 that are actually needed;
       do not re-share folders that are not used to share files with other
       computers.

   For Windows NT/2K:

   1. Before using this tool, users, specifically those with Internet
      Explorer (IE) versions 5.01 and 5.5 installed, are advised to install
      the patches provided by Microsoft. Links and descriptions for these
      patches are available at the end of this document.

   Scan and clean PE_ELKERN (.A and .B variants) infected files:

   Option 1:
   2. The DOS-based Emergency Rescue Disk cannot read NTFS volumes, so on an
      NTFS file system the ERD procedure will not work. Instead, attach the
      infected hard disk as a secondary (slave) drive in a 100% clean
      system.
   3. Scan and clean the whole infected hard disk using the latest pattern
      file.
   4. Boot from the infected hard disk again.

   Option 2 (Windows 2000):
   2. You need a Windows 2000 installation CD.
   3. Boot from the CD.
   4. Select Repair, then the Recovery Console. This lets you boot from the
      CD and modify the system file WQK.DLL.
   5. Remove the hidden and read-only attributes with this command:
      attrib -h -r WQK.DLL
   6. Delete the file (del WQK.DLL) and then create a folder named WQK.DLL
      in its place. A folder with that name cannot be overwritten by the
      virus, which prevents it from re-creating the file.
   7. Reboot the machine.
   Clean the system from WORM_KLEZ (.A, .B, .C, .E, .I variants):

   8. Close all applications running on your system, including any
      antivirus software that may be installed, to avoid conflicts while
      the tool is scanning the system.
   9. Disconnect the system from the network to avoid reinfection while the
      tool is cleaning the system. It is also recommended to run "net share"
      (and "net use" for mapped drives) before running the tool and to take
      note of the shared folders, because this tool has an option to remove
      these network shares.
   10. Place FIX_KLEZ.COM in a temporary directory or folder.
   11. Open a Command Prompt and change to the directory where the tool was
       copied. Type FIX_KLEZ.COM
       Note: There are times when the tool needs to be run again after a
       reboot. Please take note of the messages displayed after running the
       fix tool.
   12. Enable all installed antivirus software and perform a manual scan.
   13. Restore only the shares noted in step 9 that are actually needed;
       do not re-share folders that are not used to share files with other
       computers.

III. Description

   This tool is designed to clean a system that was infected by WORM_KLEZ
   (.A, .B, .C, .E, .I variants) & PE_ELKERN (.A and .B variants). The tool
   supports the following features:

   o Scan and remove WORM_KLEZ (.A, .B, .C, .E, .I variants) & PE_ELKERN
     (.A and .B variants) from memory.

   o Remove the worm's registry entries:
       a. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krn132
       b. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqk
       c. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSvc
       d. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wink*
          (where * is any randomly selected characters)
     Under Windows NT/2000:
       a. HKLM\SYSTEM\CurrentControlSet\Services\KernelSvc\
       b. HKLM\SYSTEM\CurrentControlSet\Services\Krn132\
       c. HKLM\SYSTEM\CurrentControlSet\Services\Wink*
          (where * is any randomly selected characters)
     Under Windows 2000:
       a. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

   o Remove dropped files:
       a. %systemdir%\krn132.exe
       b. %systemdir%\winsvc.exe
       c. %systemdir%\wink*.exe (where * is any randomly selected characters)
     Under Windows 95/98/ME:
       d. %systemdir%\wqk.exe
     Under Windows 2000:
       e. %systemdir%\wqk.dll

IV. Parameters

   This tool has no parameters. Simply execute the tool by double-clicking
   it or by typing FIX_KLEZ.COM and pressing the return key. It will
   automatically perform the features mentioned in the Description section.

V. Syntax

   Run FIX_KLEZ.COM without any parameter(s) or double-click it from
   Explorer. The tool will:

   o Scan and remove WORM_KLEZ (.A, .B, .C, .E, .I variants) & PE_ELKERN
     (.A and .B variants) from memory.
   o Remove the worm's registry entries.
   o Remove dropped files.
   o Stop and remove virus/worm services.

VI. Requirements

   This tool is designed to run under Windows NT/2000 and Windows 9X/ME.
   For this tool to execute properly under Windows NT/2000 it needs the
   following DLL file:

   o PSAPI.DLL

   Make sure that this file is present in the "Winnt\system32" directory.

VII. Notes

   1. The tool will flag a file as WORM_KLEZ (.A, .B, .C, .E, .I variants)
      when the file itself is an exact copy of the worm in its original
      form. It will delete the said file to remove it from the system.
   2. FIX_KLEZ.COM is a Windows executable file renamed to .COM to prevent
      it from being infected by common Win32 viruses.

VIII. Known Issues

   1. On WinME systems, deleted files are still present in the System
      Restore folder because of WinME's Restore feature. When an infected
      file is deleted, the Restore folder of WinME backs up the file for
      future restoration. The user must manually delete this file in the
      Restore folder. Please visit the following Web site for a description
      and more detailed information on how to remove the contents of the
      _Restore folder:
      http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP?LN=EN-US&SD=SO&FR=0
   2. After rebooting, NT machines will restore the shares of ALL DEFAULT
      DRIVES.
   3. For PE_ELKERN (.A and .B variants) infected files that are currently
      in use by another program, cleaning is not possible. Thus, a reboot
      and a scan using our product are needed to clean these files.
   4. Under Windows NT/2000, the worm registers itself as a service. When it
      does so, the following registry keys are automatically created and
      therefore need to be deleted to prevent the worm from re-activating:
        a. HKLM\SYSTEM\CurrentControlSet\Services\KernelSvc
        b. HKLM\SYSTEM\CurrentControlSet\Services\Krn132
        c. HKLM\SYSTEM\CurrentControlSet\Services\Wink*
           (where * is any randomly selected characters)
   5. As previously mentioned, this tool cannot clean files infected with
      PE_ELKERN (.A and .B variants). After running this tool, it is
      necessary to reboot the computer, then run our product to detect and
      clean files infected with PE_ELKERN (.A and .B variants). Other files
      detected as WORM_KLEZ (.A, .B, .C, .E, .I variants) can also be
      deleted.
   6. In some cases both the worm and the virus drop files with random
      filenames and then execute them. While these files are running in
      memory, they detect any changes made to the registry entries they
      created and restore those entries. Since this tool is not capable of
      detecting the PE_ELKERN (.A and .B variants) processes/services in
      memory, it is necessary to execute the tool once again after
      restarting the computer to remove the virus' registry entries.
      Afterwards, run our product to scan and clean files infected with
      PE_ELKERN (.A and .B variants). Other detected copies of WORM_KLEZ
      (.A, .B, .C, .E, .I variants) can also be deleted.
   7. Because the virus component can infect files that Windows loads during
      startup, it is necessary to use the Emergency Rescue Disk (or, for
      NT/2000, one of the options above) to scan and clean infected files.
   8. Like PE_FUNLOVE.4099, the virus component PE_ELKERN (.A and .B
      variants) can infect all Windows executables, including applications
      that Windows loads during system startup. It is therefore necessary
      that you strictly follow the cleaning procedure for your Windows
      platform.
   9. Under Windows 2000, the virus component drops and accesses the file
      WQK.DLL in the Windows system directory. Because of this, the file
      will keep reappearing if you execute the fix tool without first
      cleaning the files infected by PE_ELKERN (.A and .B variants).
      Similarly, the following registry entry will persist on your system:
        HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
        AppInit_DLLs = "Wqk.dll"
      Note: The current version of this tool does not support scanning and
      cleaning of the infected file.

IX. Microsoft Fixes/Upgrades

   1. For those who use Internet Explorer (IE) versions 5.01 and 5.5, please
      use the fix for the IE MIME Header Attachment Execution Vulnerability
      found at:

X. History

   version 1.00 - first release
   version 1.10 - Fix bug on Windows 2000 processes
                  Add log file
                  Add inoculation of the system
   version 1.20 - Fix bugs
                  Add Windows platform information in the log file
   version 2.00 - Include support for WORM_KLEZ.E and PE_ELKERN.B
   version 3.00 - Include support for WORM_KLEZ.I and PE_ELKERN.B
   version 3.01 - Rename TROJ_KLEZ to WORM_KLEZ; fix bugs in killing the
                  KLEZ.E service; add log for KLEZ.E
   version 3.02 - Modify log file format

XI. Others

   This tool has been tested under the following platforms:

   Windows 9x
   Windows ME
   Windows NT 4.0 Workstation and Server
   Windows 2000 Professional and Server

XII. For more information regarding these viruses, please visit our Web
     site at:
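Added example, not part of FIX_KLEZ or this Trend Micro README: a read-only PowerShell check for the indicators the README lists, i.e. the Run values, services, AppInit_DLLs entry and dropped files from section III, the running copies that section VII says force a second run after reboot, and the current share list to compare against the "net share" output recorded before cleaning (section II, step 9, and Known Issue 2). It reports and never deletes, because PE_ELKERN-infected files must be cleaned by the scanner rather than removed. It assumes an elevated PowerShell session on the machine being checked; PowerShell did not exist on the Windows 9x/NT/2000 systems the tool targets, so this is a verification aid for a later Windows, not a replacement for the procedure above. The indicator names are taken from the README; the output labels are the example's own.

```powershell
# Added example (not from the Trend Micro tool or README): read-only triage of the
# WORM_KLEZ / PE_ELKERN indicators listed in section III of the README.
# Assumption: run from an elevated PowerShell session on the machine being checked.

$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$appInitKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$systemDir   = [Environment]::SystemDirectory      # %systemdir% in section III

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Autostart values krn132, wqk, WinSvc and Wink* under the Run key
if (Test-Path $runKey) {
    $run = Get-Item $runKey
    foreach ($name in $run.GetValueNames()) {
        if ($name -match '^(krn132|wqk|WinSvc|Wink.*)$') {
            Add-Finding 'RunValue' "$runKey\$name" $run.GetValue($name)
        }
    }
}

# 2. Services KernelSvc, Krn132 and Wink* (NT/2000 persistence, Known Issue 4)
Get-ChildItem $servicesKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(KernelSvc|Krn132|Wink.*)$' } |
    ForEach-Object {
        $image = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        Add-Finding 'Service' $_.PSChildName $image
    }

# 3. AppInit_DLLs = Wqk.dll (Windows 2000, Known Issue 9). The entry is re-created
#    by the running virus, so it reappears until the infected files are cleaned.
$appInit = (Get-ItemProperty $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -and $appInit -match 'wqk\.dll') {
    Add-Finding 'AppInit_DLLs' $appInitKey $appInit
}

# 4. Dropped files in the system directory; -Force includes hidden/read-only items.
#    A *directory* named wqk.dll is the inoculation from section II (Option 2),
#    not an infection, so it is reported under its own label.
foreach ($pattern in 'krn132.exe', 'winsvc.exe', 'wink*.exe', 'wqk.exe', 'wqk.dll') {
    Get-ChildItem -Path $systemDir -Filter $pattern -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.PSIsContainer) {
                Add-Finding 'InoculationFolder' $_.FullName 'folder blocks re-creation of the file'
            } else {
                Add-Finding 'DroppedFile' $_.FullName ('{0} bytes, {1}' -f $_.Length, $_.Attributes)
            }
        }
}

# 5. Running copies: if any are listed, the tool must be run again after a reboot
#    (section II step 11 and Known Issue 6).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match '^(krn132|winsvc|wink.*|wqk)$' } |
    ForEach-Object { Add-Finding 'Process' ('PID {0}' -f $_.Id) $_.ProcessName }

if ($findings.Count -eq 0) {
    'No WORM_KLEZ / PE_ELKERN indicators from the README were found.'
} else {
    $findings | Format-Table -AutoSize
}

# 6. Current shares, to compare with the "net share" output recorded before cleaning.
#    NT re-creates the default drive shares (C$, D$, ...) on reboot (Known Issue 2).
'Current shares:'
Get-CimInstance -ClassName Win32_Share -ErrorAction SilentlyContinue |
    Select-Object Name, Path, Description | Format-Table -AutoSize
```

Run it once before FIX_KLEZ to confirm the infection matches the README's description, and again after the reboot-and-rerun cycle: a clean system shows no findings in the first table, and any wqk.dll entry should appear only as an InoculationFolder. A recurring AppInit_DLLs or DroppedFile finding after the cycle means the PE_ELKERN-infected files have not yet been cleaned by the scanner, which is exactly the situation Known Issue 9 describes.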