This email is all about how to get rid of it.
The bug is called W32.Klez.gen@mm and has the following variants: W32/Klez.e@MM, WORM_KLEZ.E, Klez.E, W32/Klez-E, Win32.Klez.E, I-Worm.Klez.E, W32.Klez.H@mm plus others.
It is a mass-emailing worm that copies itself into network shares. The worm uses random subject lines, message bodies and attachment file names. It disables the Registry Editor and Internet Options and makes changes to your system.ini and win.ini files as well as to a number of others. It also disables some common antivirus products, which is why your antivirus programme cannot "see" it.
Some variants of this worm use a technique known as "spoofing." If so, the worm randomly selects an address that it finds on an infected computer. It uses this address as the "From" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything - as would be expected - because his computer is not infected.
If you are using a current version of Norton AntiVirus and you have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
When the worm is executed, the bug installs a file into your c:\windows\system folder which is called winkga.exe or variations on this name such as winkdga.exe, for example. You can't delete it, move it, copy it or rename it either from within Windows or base DOS, and if you do think you've succeeded in doing so, it returns.
The only way to get rid of this problem (other than formatting your hard drive) is to run the following procedure:
Log on to the internet and go to: [log in to unmask]
Read the information.
Symantec (Norton) has provided a tool to remove infections of all known variants. Click here to obtain the tool. (The full URL is: http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.klez.removal.tool.html )
Once this new page is on-screen, the URL to look for, halfway down the page, is: http://securityresponse.symantec.com/avcenter/FixKlez.com
This is the easiest way to remove these threats and should be tried first. In most cases, the tool will be able to remove the infection.
When the file (removal tool) has been downloaded to your hard drive, disable your antivirus programme, reboot the PC into safe mode, run the file - FixKlez.com - and reboot again into normal mode. Then re-activate your antivirus programme, make sure you have the latest up-to-date virus definitions installed and run a full (all-files) scan again.
Check the c:\windows\system folder and look for winkga.exe or its variations. It should not be there anymore.
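The last step above is a manual look in the system folder for the dropped file. As an added example (not part of the original message or of Symantec's tool), the small Python helper below automates that post-cleanup check: it lists files in a folder whose names fit the pattern the message describes and reports whether the folder is clean. The message names only winkga.exe and "variations such as winkdga.exe", so the exact variant set is unknown; the regex used here (wink, any letters, .exe) is an assumption, and the folder path and the sample file names are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Assumed name pattern for the worm's dropped file. The message gives
# winkga.exe and winkdga.exe as examples; the full set of variants is not
# stated, so "wink" + letters + ".exe" is an assumption for this example.
DROPPED_FILE_RE = re.compile(r"^wink[a-z]*\.exe$", re.IGNORECASE)


def match_dropped_file(name):
    """True if a bare file name fits the assumed dropped-file pattern."""
    return DROPPED_FILE_RE.match(name) is not None


def find_suspect_files(system_dir):
    """Return the sorted names in system_dir that fit the pattern.

    A non-existent folder yields an empty list; the caller decides whether
    that is acceptable (e.g. the Windows install lives on another drive).
    """
    folder = Path(system_dir)
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir()
                  if p.is_file() and match_dropped_file(p.name))


def verify_cleanup(system_dir):
    """The post-removal check from the message: clean when nothing matches."""
    return not find_suspect_files(system_dir)


def demo():
    """Constructed sample folder standing in for c:\\windows\\system.

    Two names fit the pattern, two do not (a normal DLL and a .txt file
    that merely starts with "wink"), so the check should flag exactly two.
    """
    with tempfile.TemporaryDirectory() as d:
        for name in ("kernel32.dll", "WINKGA.EXE", "winkdga.exe", "winkey.txt"):
            (Path(d) / name).write_bytes(b"")
        return find_suspect_files(d), verify_cleanup(d)


if __name__ == "__main__":
    suspects, clean = demo()
    print("suspect files:", suspects)       # the two wink*.exe names
    print("folder clean:", clean)           # False while they are present
```

A match here only means a file name fits the described pattern, not that the file is the worm; a file that still cannot be deleted after running the removal tool is the point at which to involve IT support, as the message says. Run the check on the real folder with `find_suspect_files(r"c:\windows\system")` after the second reboot and the full scan.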
All the above refers to Norton, which is the antivirus programme I have, running with Internet Explorer v5.5 on Windows 98 2nd edition.
If you use McAfee antivirus, details can be found at: http://vil.mcafee.com/dispVirus.asp?virus_k=99455 but I would imagine the procedure is similar.
In either case, please get in touch with your IT Support section.