***************************************************************************
        WORM_KLEZ and PE_ELKERN Clean Package
        For Win NT/2000/XP/9X/ME
        Trend Micro, Inc.
        http://www.antivirus.com
***************************************************************************

***************************************************************************
I. File List
***************************************************************************

  o VSCANLNT.BIN - Command line version of virus scan
  o FIX_KLEZ.EXE - Fix tool for WORM_KLEZ and PE_ELKERN (version 4.04)
  o BPMNT.DLL    - Component DLL for VSCANLNT.EXE
  o VSAPI32.DLL  - Component DLL for VSCANLNT.EXE
  o README.TXT   - This file

***************************************************************************
II. How to Use
***************************************************************************

** IMPORTANT NOTE: For Windows NT/XP/2000 users, you need to be logged in
   as an Administrator or use an account with administrative rights to
   successfully clean the system.

1. Disconnect the system from the network to avoid reinfection while the
   tool is cleaning the system.

2. Turn off all applications running in your system, including any
   antivirus software that may be installed, to avoid conflicts that may
   occur while the tool is scanning the system.

3. Copy the contents of this package into a temporary directory or folder.

4. Download Trend Micro's latest virus definition files from the following
   site:

       http://www.antivirus.com/download/pattern.asp

   You should have downloaded an LPT???.ZIP file, where ??? is the pattern
   version number. Extract the contents of this archive into the temporary
   directory or folder where the fix package was also placed.

5. Open an Explorer window and go to the folder where you have copied the
   fix package. Run the fix tool named FIX_KLEZ.EXE either by
   (a) double clicking the file icon of FIX_KLEZ.EXE, or
   (b) right clicking the file FIX_KLEZ.EXE and clicking on Open.

   Or you can click the Start button, select Run, then specify the filename
   and path of FIX_KLEZ.EXE by clicking the Browse button.

   *Note: Please do not run FIX_KLEZ.EXE from the MS-DOS Prompt
   (Command.com or CMD.EXE) because these files might be infected.

6. Restart/reboot your PC.

7. Reinstall your antivirus products. Enable all antivirus software that is
   installed and perform a manual scan to remove other viruses that may be
   present in the system.

8. Check all log files produced by this package:

   * Fix_Klez.log - contains results of memory, registry, and dropped file
                    scanning, and also restoration of compressed files.
   * Vsdetect.rpt - contains file scanning results of the Vscan Lite version
   * vsclean.rpt  - contains cleaning results of the Vscan Lite version

***************************************************************************
III. Others
***************************************************************************

1. For those who use Internet Explorer (IE) versions 5.01 and 5.5, please
   use the fix for the IE MIME Header Attachment Execution Vulnerability
   found at:

2. Additional Cleaning Instructions for Windows ME and Windows XP users

   On WinME or XP systems, deleted files are still present in the System
   Restore folder because of these operating systems' Restore feature. When
   an infected file is deleted, the Restore feature backs up the file for
   future restoration. The user must manually delete this file from the
   Restore folder. To do this:

   For Windows ME

   a. Right click the My Computer icon on the Desktop and select
      Properties.
   b. Select the Performance tab, then click the File System button.
   c. Select the Troubleshooting tab, then put a check mark next to
      'Disable System Restore.'
   d. Click Apply > Close > Close. When prompted to restart the computer,
      click Yes. The System Restore utility is then disabled.
   e. Restart your computer in Safe Mode and continue with the scan/clean
      process. Files under the _Restore folder can now be deleted.
   f. To re-enable System Restore, simply follow steps a to d, but this
      time remove the check mark next to 'Disable System Restore.'
   g. Restart your system normally.

   For Windows XP

   a. Select the Start button, right click the My Computer icon and select
      Properties.
   b. Select the System Restore tab, and put a check mark next to
      'Turn off System Restore on all drives.'
   c. Click Apply > Yes > OK. The System Restore utility is then disabled.
   d. Continue with the scan/clean process. Files under the _Restore
      folder can now be deleted.
   e. To re-enable System Restore, simply follow steps a to c, but this
      time remove the check mark next to 'Turn off System Restore on all
      drives.'

3. This tool has been tested under the following platforms:

   Windows 9x
   Windows ME
   Windows XP
   Windows NT 4.0 Workstation and Server
   Windows 2000 Professional and Server

***************************************************************************
IV. Additional Information on FIX_KLEZ.EXE
***************************************************************************

A. Description

   This tool supports cleaning of WORM_KLEZ (variants A, B, C, D, E, F, G,
   H, and I) and PE_ELKERN (variants A, B, and D).

   Detailed Features:

   o Scans and removes WORM_KLEZ and PE_ELKERN from memory.

   o Removes the worm's registry entries:

     a. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\krn132
     b. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\wqk
     c. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\WinSvc
     d. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\Wink*
        (where * is any randomly selected characters)

     Under Windows NT/2000:

     a. HKLM\SYSTEM\CurrentControlSet\Services\KernelSvc
     b. HKLM\SYSTEM\CurrentControlSet\Services\Krn132
     c. HKLM\SYSTEM\CurrentControlSet\Services\Wink*
        (where * is any randomly selected characters)

     Under Windows 2000:

     a. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

   o Removes dropped files:

     a. %System%\krn132.exe
     b. %System%\winsvc.exe
     c. %System%\wink*.exe (where * is any randomly selected characters)

     Under Windows 95/98/ME:

     a. %System%\wqk.exe

     Under Windows 2000:

     a. %System%\wqk.dll

   o Inoculates the system to prevent future infection. A hidden folder
     occupies each filename the worm drops, so the worm cannot recreate
     the file:

     a. Creates a hidden folder named "%System%\krn132.exe".
     b. Creates a hidden folder named "%System%\wqk.exe".
     c. Creates a hidden folder named "%System%\wqk.dll".
     d. Creates a hidden folder named "%System%\WinSvc.exe".

B. Parameters

   The folder where the tool will begin scanning. If unspecified, the tool
   will scan all local hard drives.

   /Q   Quiet mode: suppresses prompting about copies of the worm
   /M   Memory scanning only
   /?   Displays help information
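The following read-only audit script is an added example, not part of the Trend Micro package: it checks a system for the registry entries and dropped files listed in section IV.A and reports what it finds without deleting anything. It assumes %System% is $env:SystemRoot\System32 (the NT/2000/XP layout), and it tells the package's inoculation folders apart from real dropped files by checking whether the matching name is a directory.

```powershell
# Added example (not Trend Micro code): report WORM_KLEZ / PE_ELKERN indicators
# named in this README. Read-only; nothing is removed.
# Assumption: %System% is $env:SystemRoot\System32.

$findings = @()
$system = Join-Path $env:SystemRoot 'System32'

# Run-key values listed in section IV.A (Wink* covers the random suffix)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $values = Get-ItemProperty -Path $runKey
    foreach ($name in $values.PSObject.Properties.Name) {
        if ($name -match '^(krn132|wqk|WinSvc|Wink.*)$') {
            $findings += "Run value: $name = $($values.$name)"
        }
    }
}

# Service keys the worm uses under Windows NT/2000
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(KernelSvc|Krn132|Wink.*)$' } |
    ForEach-Object { $findings += "Service key: $($_.PSChildName)" }

# AppInit_DLLs load point used under Windows 2000 (wqk.dll)
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -and $appInit -match 'wqk\.dll') {
    $findings += "AppInit_DLLs references wqk.dll: $appInit"
}

# Dropped files. A directory with the same name is the package's
# inoculation placeholder, not an infection, so report it separately.
foreach ($pattern in 'krn132.exe', 'winsvc.exe', 'wqk.exe', 'wqk.dll', 'wink*.exe') {
    Get-ChildItem -Path $system -Filter $pattern -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.PSIsContainer) {
                $findings += "Inoculation folder present: $($_.FullName)"
            } else {
                $findings += "Dropped file: $($_.FullName) ($($_.Length) bytes)"
            }
        }
}

if ($findings.Count -eq 0) { 'No WORM_KLEZ / PE_ELKERN indicators found.' }
else { $findings }
```

Run it from an elevated PowerShell session, since the HKLM keys and the System32 folder need administrative rights to read fully on some configurations.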