12/28/05

To Kill A Klez Worm

by

Pat Wong

The Klez family of worms is rapidly becoming an epidemic outbreak; I just received two more infected emails today. Chances are I am not the only Lighter whose computer is infected. I have spent countless hours finally eradicating it for good. I hope my experience will save you time if your computers are infected as well.

1.0 What Does This Worm Do

Briefly, these worms propagate through files attached to email. The worm uses a random name from the sender's address book for the From: field. In my case, the infected email was probably sent from Walter Mok's computer but used Kamsik's name in the From: field. I have since called Kamsik to verify that he didn't send that email.
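The forged From: field is the part of this worm most people trip over, so here is an added example (my own Python 3 script, not part of Pat's write-up or any vendor tool) of the check a mail administrator would make: read the Received: chain to find the host the message actually came in from, compare its domain with the domain in From:, and list any executable attachments. The message below is constructed for the example; the addresses, hosts and IPs are documentation placeholders, and the "last two labels" domain rule is a deliberate simplification.

```python
import email
import re
from email import policy

# Constructed sample message (not a real captured Klez email). The From: line
# names one contact, while the Received: chain shows the message actually
# entered the mail system from a host on another domain.
SAMPLE_MESSAGE = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with SMTP; Wed, 24 Apr 2002 10:12:01 -0700
Received: from walters-pc (dsl-198-51-100-7.example.org [198.51.100.7])
\tby mail.example.org with SMTP; Wed, 24 Apr 2002 10:11:58 -0700
From: Kamsik <kamsik@example.com>
To: pat@example.net
Subject: a funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="game.exe"
Content-Disposition: attachment; filename="game.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# "from <helo> (<reverse-dns> [<ip>])" as most mail servers write it. Received:
# headers are prepended at each hop, so the bottom-most one is the first hop,
# the one closest to the machine that really sent the mail.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]()]+)\s*\[([^\]]+)\]")
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")


def registrable_domain(host):
    """Crude 'last two labels' domain: fine for a sanity check, not a
    public-suffix-aware parser (assumption made for this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def origin_hop(msg):
    """Return (helo, reverse_dns, ip) of the first hop, or None if unparsable."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(str(received[-1]))
    return m.groups() if m else None


def assess(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = registrable_domain(msg["From"].addresses[0].domain)
    hop = origin_hop(msg)
    origin_domain = registrable_domain(hop[1]) if hop else None
    attachments = [
        part.get_filename()
        for part in msg.walk()
        if part.get_content_disposition() == "attachment" and part.get_filename()
    ]
    executables = [a for a in attachments if a.lower().endswith(EXECUTABLE_EXTENSIONS)]
    return {
        "from_domain": from_domain,
        "origin_domain": origin_domain,
        "origin_ip": hop[2] if hop else None,
        # A mismatch on its own is common for legitimate mail (mailing lists,
        # webmail); a mismatch plus an executable attachment is the Klez shape.
        "from_mismatch": origin_domain is not None and origin_domain != from_domain,
        "executable_attachments": executables,
    }


def looks_like_klez_style_mail(raw_bytes):
    result = assess(raw_bytes)
    return result["from_mismatch"] and bool(result["executable_attachments"])


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Running the script prints the From: domain (example.com), the origin domain taken from the first hop (example.org) and the one attachment, game.exe; the combination is what made Pat's message suspicious, even though the name in From: belonged to a real acquaintance.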

After I clicked on the attached file in my Eudora email utility, it became activated and ran in the background. I learned from the web that if you use Microsoft Outlook, you don't even have to click on the attached file to activate it; just opening the email will suffice, unless you have already installed a patch kit from Microsoft's website. Anyway, if you clicked on the attached file icon and the screen blinked but otherwise nothing apparently happened, you got it. You have just been hit by an arrow shot in the dark!

I had just bought a new computer then. My old one was zapped by an overheated power supply, which was covered by a blanket of dust. (Hence, everyone should blow the dust off the inside of his computer once or twice a year.) All the peripheral devices were zapped, including my hard drive. I have since repaired the hard drive by replacing the circuit board underneath it with that of a similar drive I bought from eBay. That's another story. I run Windows 98, Second Edition (Windows XP is different; see the Norton website mentioned later) and did not have a chance to install any virus protection utility at the time. After the infection, it was too late to install any virus protection software; this Klez worm makes such an installation unsuccessful. If your virus definition file is not up to date, this worm will sneak through and then destroy the virus protection installation on your computer. After that, you will notice that some of your applications start to disappear. In my case, I lost the simple editor, Notepad; the registry editor, RegEdit; and the PC phone application, Net2Phone, which I had never even run. My Internet Explorer also lost some of its capabilities; it no longer ran Yahoo's Finance Vision. In a nutshell, the computer was sick, and it would get worse if I didn't fix it fast.

For a more detailed discussion of this family of worms, go to Norton’s website:

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

For Lighters running Windows XP or Windows 2000, you should follow the advice from the above website instead and read no further.

2.0 How Do I Know If I am Infected

First of all, you know your computer is sick when some of the applications you used to run faultlessly don't run, you start to lose some of them altogether, and your computer tends to hang more frequently.

Now, do this to make sure: click Start -> Find -> Files or Folders. In the Named: field, type in Wink*.* to search for any files whose names start with the letters Wink followed by some random characters, with arbitrary file extensions. If any such beasts are found, your computer is HIV positive for sure! Read on; I will prescribe a regimen of pills for your computer. Before you leave this step, copy down these file names and their paths. You need to know where to find them and delete them later.

3.0 What Do I Do Now

First, don’t panic. There is life even after HIV infection. Klez is just a worm, not even a virus! You will need the free help from antivirus vendors like Norton’s Symantec.

3.1 Download and Verify Tool

Go to the following Norton’s website and download the W32.Klez.gen@mm removal tool which is free:

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

This will give you an executable file, FixKlezE.com. Don't run it yet; the worm will damage it if you do.

Go to http://www.wmsoftware.com/free.htm and download the free chktrust.exe file. This is used to verify the authenticity of the tool downloaded earlier.

Copy these two files to a floppy disk and write protect the diskette by pushing the shutter up to open the window at the corner of the diskette. This will save you time from having to download the tool again should the worm damage it during the battle. It will win the war, but it may be damaged in a battle.

Next, verify the authenticity of the tool by doing the following: Open a DOS prompt window on your desktop. Go to the A floppy drive by typing A: at the command prompt. Then run the following command:

Chktrust -i FixKlezE.com

If the tool is valid, the pop-up dialog window will say: Do you want to install and run "W32.Klez.E@mm Fix Tool" signed on 4/17/2002 6:10 pm and distributed by Symantec Corporation. Click "Yes" and close the dialog window. It probably is OK, at least that is so from my experience. Type Exit to close the DOS prompt window.

3.2 Delete Worm Files

You cannot delete those worm files you found in Section 2 while the Windows OS is running. It will say "there is a share violation, access denied," which means that the worm is running in the background; you cannot delete an active process. You must first click Start -> Shut Down and select "Restart in MS-DOS mode" to restart your computer in DOS mode.

Now at the DOS prompt, use the CD command to go to the directories where each of the worm files resides. The tough one to delete is the Winkxxx.exe file, which is the heart of the worm. Here, xxx is a random sequence of characters; you know what yours are from your note in Section 2. This file is hidden and you will not see it with a simple DIR command. Here, an older-generation DOS person will be quite at home. Do the following commands at the DOS prompt:

DIR /A WINKxxx.EXE

This will display the file and its size.

ATTRIB WINKxxx.EXE

This will display the attributes of the file as A SHR, meaning archive flag on, system file, hidden file, and read-only file.

ATTRIB –S –H –R WINKxxx.EXE

This changes its attributes to not a system file, not a hidden file, and not a read-only file.

DEL WINKxxx.EXE

Now you can delete this time-sucking worm.

Delete all the files written in your note. The other WINKxxx files may be easier to delete. After deleting all these files, you are ready to reboot back to your Windows OS.
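For anyone who would rather not retype the DIR, ATTRIB and DEL sequence for every file on the note, here is an added example (my own Python 3 script, not from Pat's write-up and not the Symantec tool) that does what Sections 2 and 3.2 do by hand: walk a drive for names matching Wink*.*, record each file's path, size, attribute letters and SHA-256 hash for your notes, then clear the read-only bit and delete. The sample tree it builds is constructed and the Winkabc.exe "decoy" in it contains no executable code; the attribute letters follow ATTRIB's output on Windows and reduce to just "R" elsewhere. A file whose process is still running still cannot be removed this way, which is exactly why the article has you do it from MS-DOS mode.

```python
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass

# Win32 file attribute bits, reported by os.stat() as st_file_attributes on
# Windows only. On other platforms only the read-only notion has a counterpart.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20


@dataclass
class Suspect:
    path: str
    size: int
    sha256: str
    attrs: str  # same letters ATTRIB prints, e.g. "ASHR"; "R" or "" off Windows


def attribute_letters(st):
    """Letters in ATTRIB's order (A, S, H, R) for one os.stat() result."""
    bits = getattr(st, "st_file_attributes", None)
    if bits is None:
        return "R" if not (st.st_mode & stat.S_IWUSR) else ""
    letters = ""
    for bit, letter in ((FILE_ATTRIBUTE_ARCHIVE, "A"), (FILE_ATTRIBUTE_SYSTEM, "S"),
                        (FILE_ATTRIBUTE_HIDDEN, "H"), (FILE_ATTRIBUTE_READONLY, "R")):
        if bits & bit:
            letters += letter
    return letters


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspects(root, pattern="wink*.*"):
    """Recursive, case-insensitive equivalent of DIR /S /A WINK*.*. Hidden and
    system files are included because os.walk does not filter on attributes."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            found.append(Suspect(path, st.st_size, sha256_of(path), attribute_letters(st)))
    return sorted(found, key=lambda s: s.path)


def strip_and_delete(path):
    """ATTRIB -S -H -R followed by DEL. On Windows only the read-only bit blocks
    deletion, and os.chmod with a writable mode clears it; hidden and system
    need no clearing. A file whose process is still running fails with a
    sharing violation (PermissionError) and is left for the MS-DOS-mode pass."""
    try:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        os.remove(path)
    except PermissionError:
        return False
    return not os.path.exists(path)


def demo():
    """Constructed sample tree: a read-only decoy named like the dropper beside
    an innocent file. Returns what was found and whether deletion succeeded."""
    root = tempfile.mkdtemp(prefix="klez-demo-")
    try:
        system_dir = os.path.join(root, "WINDOWS", "SYSTEM")
        os.makedirs(system_dir)
        decoy = os.path.join(system_dir, "Winkabc.exe")
        with open(decoy, "wb") as f:
            f.write(b"MZ" + b"\0" * 62)  # 64 bytes of harmless filler
        os.chmod(decoy, stat.S_IRUSR)  # the R in ATTRIB's "A SHR"
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("innocent file\n")
        before = find_suspects(root)
        deleted = [strip_and_delete(s.path) for s in before]
        return {
            "found": [os.path.basename(s.path) for s in before],
            "sizes": [s.size for s in before],
            "attrs": [s.attrs for s in before],
            "deleted": deleted,
            "remaining": len(find_suspects(root)),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Point find_suspects at C:\ (or / on another system) to get the same list the Find dialog gives, with the hash and size recorded before anything is deleted; the demo() function only exercises the code on its own throw-away directory.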

3.3 Run the Worm Removal Tool

Click Start -> Run and type in A:FIXKLEZE.COM to run the worm removal tool from your floppy. Basically, what it does is delete the registry entries for the worm. In my case, I lost my RegEdit editor and cannot edit my registry manually. If the tool is running smoothly without being attacked by the worm, you will see the file names flashing by at the bottom of its window as each is being checked. If it freezes, the worm files were probably not deleted properly. Repeat Section 3.2, or perhaps do a DIR /S /A WINK*.* command at the root directory, which should be C:\, to again locate all the active worm files. Try to delete them again.

After a successful run of the tool, it should tell you what it has found and what it did to correct the situation. It will try to repair infected files and put the results in a log file, which can be read by Notepad if you still have it. But since we write-protected the diskette, it will not be able to give you such a log file. That is a small price to pay for write-protecting the diskette.

Reboot your computer to use the altered Windows registry. I think the tool will do this automatically. Anyway, some older computers may need manual rebooting.

You are still not home free yet. But at least your computer is on the mend. You will still need to reinstall your anti-virus software to repair other damaged files that the tool failed to identify, and delete those which cannot be repaired. At least, you can reinstall the anti-virus software now. So, that is what you will do in the next step.

3.4 Reinstall and Run Your Anti-Virus Software

You can either reinstall your existing anti-virus software from your installation CD or you can buy and install the current year's version of the software. In my case, I had returned the 2002 version to the store I bought it from because I couldn't install it then, not knowing that the worm was already rampant in my computer. Since I still have my 2001 Norton Anti-virus Utility CD, I installed it after a successful run of the worm removal tool. When the "when did you purchase it" window came up during the installation, I just selected the oldest date shown. The installation went OK. If you already had the anti-virus installed prior to the worm attack, it is a good idea to uninstall it first. If the uninstall utility still works, by all means use it. If not, you may have to remove it manually by clicking Start -> Settings -> Control Panel. Double click the "Add/Remove Programs" icon. Under the "Install/Uninstall" tab, scroll down the window to select "Norton Antivirus 2001" and click on the "Add/Remove" button to have it removed. Next, use the Windows Explorer to delete all files in the Norton directory where the antivirus software resided. You can keep the empty directory there for reinstallation.

After successfully installing the antivirus software, you must connect to your ISP to update your virus definition file by selecting "Virus Definitions" in the application window. The latest virus definition that knows this Klez family of worms is dated 4/24/02. You may have to reboot after installation and definition update. I don’t remember exactly. Anyway it will tell you to reboot or automatically reboot the computer for you.

Congratulations, you are almost done. Run the Norton Antivirus, select "Scan for Viruses" and, in the right-hand window, select "Scan my Computer". It should run without hanging if the worm is killed. At the conclusion of the run, the log file will tell you how many files were infected, how many were repaired, and how many were found not repairable and quarantined. You see, the free tool you downloaded in Section 3.1 was not powerful enough to thoroughly clean up the worm in your system; it only made your computer well enough to reinstall their antivirus product -- a good business strategy, no doubt. I deleted all the quarantined files since I don't know what to do with them otherwise. Before you do so, note the names of these files. For example, my "Net2Phone" executable was not repairable. Such a note will serve as a reminder to download and reinstall it later. Until then, I delete the icon on my desktop since it has no executable to point to anymore.

3.5 Reinstall Windows OS

In my case, my Notepad, sound driver and RegEdit were removed by the worm. I tried to reinstall Windows before the worm was under control, and couldn't restore these files. Now that the worm is truly eradicated, reinstalling Windows will bring back those files originally provided by the Windows OS. I had to reinstall my sound driver separately from my motherboard's installation CD since the sound card is embedded in the Intel motherboard.

To reinstall Windows OS, do not boot from the floppy disk that came with the CD when you purchased the Windows OS. If you do, all the settings will be back to default and that is not what you want. Your data files may be lost too, but I am not sure about this. You must run the installation CD after a normal boot. This way, all your settings and data are preserved, only the system files are restored, damaged or not.

Some components of the Internet Explorer web browser may be damaged. To check this, click Start -> Settings -> Control Panel. Double click the "Add/Remove Programs" icon. Under the "Install/Uninstall" tab, scroll down the window to select "Microsoft Internet Explorer 6 and Internet Tools" and click on the "Add/Remove" button. Here something very interesting will happen. Instead of asking whether you want to install or remove Internet Explorer, it gives you two different choices: Add a component, or Repair Internet Explorer? You see, Bill Gates says the Internet Explorer is an integral part of the Windows OS and cannot be removed, otherwise Netscape might become dominant! Anyway, select "Repair Internet Explorer". It will tell you if any of the components are damaged beyond repair. Delete these components and download them again if you still want them. Some Java things may be damaged; just delete them. After the repair, I can run Yahoo Finance Vision again without hanging. However, the sound quality was still very poor. To improve the sound quality, open the "Multimedia" icon in the Control Panel and select the "Audio" tab. In the "Playback" window, scroll down to select the embedded sound card and click its "Advanced Properties" button. Under its "Performance" tab, slide the "Sound rate conversion quality" scale to the right to "Best" to use the highest possible sampling rate. My CPU is fast enough to trade speed for quality. If one uses a sampling rate that is too low, one can hear the aliasing pitches as periodic popping noises. After these corrective actions, the sound quality improved drastically. Finally, Yahoo Finance Vision is running faultlessly once again!

Yahoo Finance Vision is a very demanding program. If your Internet Explorer can run it faultlessly, your Explorer installation is healthy.

4.0 Epilogue


Rumors are that this worm may have originated in China. In light of the attacks originating from China during the Orion reconnaissance aircraft incident in the early phase of the Bush administration, this family of worms may have prompted the Homeland Security Office to identify China as a possible internet terrorist source aimed at the nation's computer networks. Such worms are very time consuming to fight and thus negatively affect the nation's productivity. Maybe in this sense it qualifies as an economic terrorist act. It may not kill thousands of people, but it affects millions of computer users. Here is one citizen's effort to minimize its effectiveness.

Even though the worm is now eradicated on my computer, it will never be the same. Now the Internet connection window takes longer to collapse, even though the connection is actually completed well before that. The computer shutdown process takes longer. Sometimes it hangs on the "Windows is Shutting Down" screen long after the power can be safely turned off. Well, that is good enough for now. At least it is stabilized and is not getting worse.

Nowadays worms are very prevalent. It is important to download the latest patch kits to mend the holes in the email utilities; install antivirus utilities and update the virus definitions frequently to keep up with the latest versions of the worms and viruses; and select the "screen incoming email" option during installation. We just have to keep our sense of invincibility in check.
