Entry: W32.Klez.E@mm
Definition

W32.Klez.E@mm is a mass-mailing email worm that also attempts to copy itself to network shares. It uses random subject lines, message bodies and attachment file names, and it exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when the message that contains it is opened or even previewed.

Introduction

Due to an increased rate of submissions, Symantec Security Response is upgrading the threat level for W32.Klez.E@mm from level 2 to level 3 as of March 6, 2002.

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability are available in Microsoft Security Bulletin MS01-020 (http://wwwtechnet/security/bulletin/MS01-020.asp).

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.

The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.

Removal tool

Symantec has provided a tool to remove infections of all known variants of W32.Klez and W32.ElKern.

This is the easiest way to remove these threats and should be tried first.

Note on W32.Klez.gen@mm detections:

W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most cases, the tool will be able to remove the infection.

It has been reported that W32.Klez.E@mm may arrive in the following email message promoting a Symantec removal tool. Symantec never sends unsolicited email; the attachment should be deleted.

Subject: W32.Elkern removal tools

Message:

Symantec give you the W32.Elkern removal tools. W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP.

For more information,please visit http:/ /www.

Attachment: Install.exe

For information about how Klez affects a Macintosh computer, read the document Are Macintoshes affected by the Klez virus?


Protection

* Virus definitions (weekly LiveUpdate™): January 23, 2002

* Virus definitions (Intelligent Updater): January 17, 2002

Threat assessment

Wild

* Wild level: Medium

* Number of infections: More than 1000

* Number of sites: More than 10

* Geographical distribution: Medium

* Threat containment: Moderate

* Removal: Moderate

Damage

* Damage level: Medium

* Payload trigger: The 6th of every odd-numbered month (January, March, May, July, September, November)

* Payload: Disables common antivirus products

* Large-scale e-mailing: Mails email addresses found in local files and in the Outlook and ICQ address books

* Modifies files: Overwrites files with zeros

Distribution

* Distribution level: High

* Subject of email: Random subject

* Name of attachment: Randomly named file with a .bat, .exe, .pif or .scr extension

When the worm is executed, it copies itself to %System%\Wink[random characters].exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

Wink[random characters] %System%\Wink[random characters].exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.
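The two persistence locations above are easy to audit offline. The following Python is an added example, not part of the Symantec writeup: it parses the text of a `reg export` of the Run key and the Services key, reports every Run value and Services subkey whose name fits the Wink[random characters] or WQK pattern, and lists the on-disk file names that the manual removal steps ask you to write down before deleting. The export text is constructed, and `Winkq4j` is a made-up instance of the random name.

```python
import re

# Constructed sample of a `reg export` of the two keys the worm touches.
# "Winkq4j" is a made-up instance of the random Wink[...] name.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winkq4j"="C:\\WINDOWS\\SYSTEM\\Winkq4j.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkq4j]
"ImagePath"="C:\\WINNT\\System32\\Winkq4j.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# Names used by the worm (Wink + random characters) and its Elkern dropper (WQK).
SUSPECT_NAME = re.compile(r"^(wink[a-z0-9]*|wqk)$", re.IGNORECASE)


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    Only the REG_SZ / dword syntax in the sample is handled; doubled
    backslashes in REG_SZ data are unescaped to single ones.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_klez_persistence(reg_text):
    """Return {"run": {value_name: path}, "services": {subkey: image_path}}
    for entries whose names match the Klez/Elkern naming pattern."""
    keys = parse_reg_export(reg_text)
    run = {n: d for n, d in keys.get(RUN_KEY, {}).items() if SUSPECT_NAME.match(n)}
    services = {}
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower() == SERVICES_KEY.lower() and SUSPECT_NAME.match(leaf):
            services[leaf] = values.get("ImagePath", "")
    return {"run": run, "services": services}


def files_to_delete(findings):
    """Exact file names to note down before deleting them from %System%."""
    paths = list(findings["run"].values()) + list(findings["services"].values())
    return sorted({p.rsplit("\\", 1)[-1] for p in paths if p})


if __name__ == "__main__":
    found = find_klez_persistence(SAMPLE_REG_EXPORT)
    for name, path in found["run"].items():
        print(f"Run value {name}: {path}")
    for name, path in found["services"].items():
        print(f"Service {name}: {path}")
    print("files to delete:", files_to_delete(found))
```

On a real machine, produce the input with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for `HKLM\System\CurrentControlSet\Services`); `reg export` writes UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before passing it to `find_klez_persistence`. The name pattern is deliberately loose; a legitimate product whose Run value happens to start with "wink" would also be listed, so treat the output as a list to check, not a list to delete blindly.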

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

ANTI-VIR.DAT

CHKLIST.DAT

CHKLIST.CPS

CHKLIST.TAV

IVB.NTZ

SMARTCHK.CPS

AVGQT.DAT

AGUARD.DAT

The worm copies itself to local, mapped, and network drives as:

* A random file name with a double extension. For example, filename.txt.exe.

* A .rar archive with a double extension. For example, filename.txt.rar.
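The double-extension trick above can be checked for mechanically across local drives and shares. This is an added Python example, not code from the writeup: it classifies file names into the two patterns the worm uses for its copies (an executable extension or .rar behind an innocuous-looking one), shows what Explorer displays when "Hide file extensions for known file types" is on, and walks a directory tree for matches. The rule that the inner extension is a dot followed by one to five alphanumerics is my assumption; the sample file names in `demo` are constructed.

```python
import os
import re
import tempfile

# Executable extensions the worm uses for its copies and attachments.
EXEC_EXT = {".bat", ".exe", ".pif", ".scr"}
# Looks like a file extension: a dot and 1-5 alphanumerics (assumption).
EXT_TOKEN = re.compile(r"^\.[a-z0-9]{1,5}$")


def extensions(name):
    """'report.txt.exe' -> ['.txt', '.exe'] (lower-cased, in order)."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_name(name):
    """Return 'dropper' (x.y.exe style), 'archive' (x.y.rar style) or None."""
    exts = extensions(name)
    if len(exts) < 2 or not EXT_TOKEN.match(exts[-2]):
        return None
    outer = exts[-1]
    if outer in EXEC_EXT:
        return "dropper"
    if outer == ".rar":
        return "archive"
    return None


def displayed_name(name):
    """What Explorer shows with 'Hide file extensions for known file types' on:
    the final extension disappears, so report.txt.exe is shown as report.txt."""
    exts = extensions(name)
    if exts and exts[-1] in EXEC_EXT | {".rar"}:
        return name.rsplit(".", 1)[0]
    return name


def scan_tree(root):
    """Walk a local, mapped or UNC path; return sorted [(path, kind)] matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            kind = classify_name(f)
            if kind:
                hits.append((os.path.join(dirpath, f), kind))
    return sorted(hits)


def demo():
    """Constructed fixture: harmless and worm-style names side by side.
    Returns the [(base name, kind)] pairs that scan_tree flags."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.txt.exe", "photo.jpg.rar", "notes.txt",
                     "setup.exe", "backup.tar.gz"):
            open(os.path.join(root, name), "w").close()
        return [(os.path.basename(p), k) for p, k in scan_tree(root)]


if __name__ == "__main__":
    for base, kind in demo():
        print(f"{kind:8} {base}  (shown as: {displayed_name(base)})")
```

Run `scan_tree` against each mapped drive letter and UNC share the infected machine could write to, not just the local disk; `backup.tar.gz` is included in the fixture to show that a double extension alone is not enough, the outer extension has to be one the worm actually uses.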

In addition, the worm searches the Windows address book, the ICQ database, and local files (such as .html and text files) for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The from address is randomly chosen from email addresses that the worm finds on the infected computer.

NOTES:

* Because this worm does use a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.

* There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, you could receive a message that appears to come from the postmaster address at your own domain, indicating that you attempted to send email and the attempt failed. If this is the false message sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

http://www./technet/security/bulletin/MS01-020.asp
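Both notes above come down to the same point: the worm's own SMTP engine writes whatever it likes into the "From:" line, so the only origin information a recipient can trust is the "Received:" chain stamped by mail servers. The following Python is an added example, not Symantec's code: it parses a constructed message that imitates the fake postmaster bounce, compares the "From:" domain with the host that first injected the message (the "from" clause of the oldest "Received:" header), and flags attachments with the extensions this writeup lists. The hosts, addresses and the dial-up origin are constructed (documentation domains and the 203.0.113.0/24 range); treating "From: domain absent from the injecting host" as suspicious is a coarse heuristic of mine, not a rule from the writeup.

```python
import email
import email.policy
import email.utils
import os
import re

# Attachment extensions from the writeup (.vbs added from the best-practice list on this page).
RISKY_EXT = {".bat", ".exe", ".pif", ".scr", ".vbs"}
BOUNCE_SENDERS = {"postmaster", "mailer-daemon"}

# Constructed message: a fake "bounce" from the victim's own domain. The
# oldest Received: line shows the true origin, a dial-up host (made up).
SAMPLE_BOUNCE = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.org with ESMTP id ABC123; Wed, 6 Mar 2002 10:15:02 +0000
Received: from Xzqs (dialup-77.example.net [203.0.113.77])
\tby mail.example.org with SMTP; Wed, 6 Mar 2002 10:14:55 +0000
From: postmaster@example.org
To: jbishop@example.org
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: application/octet-stream; name="install.pif"
Content-Disposition: attachment; filename="install.pif"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

# Constructed legitimate message from the same domain, for comparison.
SAMPLE_CLEAN = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.org with ESMTP id DEF456; Wed, 6 Mar 2002 11:00:00 +0000
From: hlogan@example.org
To: jbishop@example.org
Subject: Lunch

See you at noon.
"""


def from_address(msg):
    return email.utils.parseaddr(str(msg.get("From", "")))[1].lower()


def originating_host(msg):
    """The 'from' clause of the oldest Received: header, i.e. the host that
    handed the message to the first mail server. Returns '' if unknown."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.search(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", str(received[-1]))
    if not m:
        return ""
    # Prefer the server-recorded reverse DNS / IP over the client's HELO name.
    return (m.group(2) or m.group(1)).strip()


def risky_attachments(msg):
    """File names of attachments whose extension is in RISKY_EXT."""
    names = []
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        if os.path.splitext(fn.lower())[1] in RISKY_EXT:
            names.append(fn)
    return names


def triage(raw):
    """Return a list of findings for one raw RFC 822 message (empty = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    local, _, domain = from_address(msg).partition("@")
    origin = originating_host(msg)
    if domain and domain not in origin.lower():
        findings.append(f"From: claims {domain} but message was injected by {origin}")
    risky = risky_attachments(msg)
    if risky:
        findings.append("executable attachment: " + ", ".join(risky))
    if local in BOUNCE_SENDERS and risky:
        findings.append("bounce-style sender carrying an executable attachment")
    return findings


if __name__ == "__main__":
    for label, raw in (("fake bounce", SAMPLE_BOUNCE), ("clean", SAMPLE_CLEAN)):
        print(label, "->", triage(raw) or ["no findings"])
```

The third finding is the one worth a mail-gateway rule on its own: a genuine non-delivery report never carries a .pif or .exe attachment, whatever its headers say. The origin-host comparison, by contrast, will also fire on legitimate mail submitted from roaming clients, so use it to explain to a user why the "sender" is not the culprit rather than to block mail.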

The worm also infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

The worm also drops the virus W32.Elkern.3587 as the file %System%\wqk.exe and executes it.

Finally, the worm has a payload. On the 6th of every odd numbered month (except January or July), the worm attempts to overwrite with zeroes files that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, this payload attempts to overwrite all files with zeroes, not just those with the aforementioned extensions.
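To turn the trigger rule into something an incident responder can run, here is an added Python example, not code from the writeup: it encodes the date test with the January/July exception, answers whether a given file would have been targeted on a given date, finds files that are now entirely zero bytes (the trace the payload leaves), and computes the next trigger date for a timeline. The zero-byte check assumes the overwrite preserves the original file length; the sample files in `demo` are constructed. Dates may be passed as `datetime.date` objects or as ISO strings.

```python
import datetime
import os
import tempfile

# Extensions hit on the 6th of March, May, September and November.
PAYLOAD_EXT = {".txt", ".htm", ".html", ".wab", ".doc", ".xls", ".jpg", ".cpp",
               ".c", ".pas", ".mpg", ".mpeg", ".bak", ".mp3"}


def _as_date(day):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return datetime.date.fromisoformat(day) if isinstance(day, str) else day


def payload_fires(day):
    """True on the 6th of every odd-numbered month."""
    day = _as_date(day)
    return day.day == 6 and day.month % 2 == 1


def is_targeted(path, day):
    """Would the payload overwrite this file if the worm ran on `day`?
    In January and July every file is targeted, otherwise only PAYLOAD_EXT."""
    day = _as_date(day)
    if not payload_fires(day):
        return False
    if day.month in (1, 7):
        return True
    return os.path.splitext(path)[1].lower() in PAYLOAD_EXT


def next_trigger(day):
    """First date on or after `day` on which the payload fires."""
    day = _as_date(day)
    while not payload_fires(day):
        day += datetime.timedelta(days=1)
    return day


def is_zero_filled(path, chunk=1 << 16):
    """True if the file is non-empty and consists only of 0x00 bytes.
    A zero-length file is not evidence of the payload (assumes the
    overwrite keeps the original length)."""
    if os.path.getsize(path) == 0:
        return False
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                return True
            if buf.count(0) != len(buf):
                return False


def find_zeroed(root, day):
    """Paths under root that the payload would have targeted on `day`
    and that are now entirely zero bytes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_targeted(path, day) and is_zero_filled(path):
                hits.append(path)
    return sorted(hits)


def demo(day="2002-03-06"):
    """Constructed fixture: a zeroed .txt, an intact .txt, an empty .txt and a
    zeroed .zip (only targeted in January/July). Returns base names found."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"\x00" * 4096)
        with open(os.path.join(root, "intact.txt"), "wb") as fh:
            fh.write(b"Meeting at noon\r\n")
        open(os.path.join(root, "empty.txt"), "wb").close()
        with open(os.path.join(root, "data.zip"), "wb") as fh:
            fh.write(b"\x00" * 512)
        return [os.path.basename(p) for p in find_zeroed(root, day)]


if __name__ == "__main__":
    print("March 6:", demo("2002-03-06"))
    print("July 6: ", demo("2002-07-06"))
    print("next trigger after 2002-03-07:", next_trigger("2002-03-07"))
```

Run `find_zeroed` with the date on which the machine was last powered on while infected, not today's date, since the damage is tied to when the worm ran; a file that is entirely zeros but has a sensible size is the typical result, and it is unrecoverable except from backup.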

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

* Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted security bulletins, or on vendor Web sites.

* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

* Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.

* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Norton AntiVirus has been able to detect W32.Klez.E@mm since January 17, 2002. If you have current definitions and have a current version of Norton AntiVirus set as recommended (to scan all files), W32.Klez.E@mm will be detected if it attempts to activate. If you simply suspect that the (inactivated) file resides on the computer, run LiveUpdate to make sure that you have current definitions, and then run a full system scan.

If W32.Klez.E@mm has activated, in most cases you will not be able to start Norton AntiVirus. Once this worm has executed, it can be difficult and time consuming to remove. The procedure that you must use to do this varies with the operating system. Please read and follow all instructions for your operating system.


Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions

Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

http://securityresponse./avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode

You must do this before you proceed to the next step. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry

You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove the Wink[random characters] value after you write down the exact name of the Wink file.

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for the following values:

Wink[random characters] %System%\Wink[random characters].exe

WQK %System%\Wqk.exe

5. Write down the exact file name of the Wink[random characters].exe file

6. Delete the Wink[random characters] value and the WQK value (if it exists).

7. Navigate to and expand the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

8. In the left pane, under the \Services key, look for the following subkey, and delete it if it exists:

\Wink[random characters]

NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.

9. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file

Using Windows Explorer, open the C:\Windows\System folder, locate the Wink[random characters].exe file whose name you wrote down, and delete it. (Depending on your system settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

5. Empty the recycle bin

Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

6. Run the Intelligent Updater

Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.

7. Restart the computer

Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

8. Scan with Norton AntiVirus (NAV) from a command line

Because some NAV files were damaged by the worm, you must scan from a command line.

1. Click Start, and click Run.

2. Type--or copy and paste--the following, and then click OK:

NAVW32.EXE /L /VISIBLE

3. Allow the scan to run. Quarantine any additional files that are detected.

9. Restart the computer

Allow it to start normally.

10. Reinstall NAV

NOTE: If you are using NAV 2002 on Windows XP, this may not be possible on all systems. You can, however, try the following: Open the Control Panel, double-click Administrative Tools, and then double-click Services. In the list, select Windows Installer. Click Action and then click Start.

Follow the instructions in the document How to restore Norton AntiVirus after removing a virus to reinstall NAV.

11. Restart the computer and scan again

1. Shut down the computer, and turn off the power. Wait 30 seconds and then restart it.

CAUTION: This step is very important. Reinfection will occur if this is not followed.

2. Run LiveUpdate and download the most current virus definitions.

3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.

4. Run a full system scan. Quarantine any files that are detected as infected by W32.Klez.E@mm or W32.Klez.gen@mm.

Manual removal procedure for Windows 2000/XP

1. Download virus definitions

Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

http://securityresponse./avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode

You must do this before you proceed to the next step. All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. Read the document for your operating system.

* How to start Windows XP in Safe mode

* How to start Windows 2000 in Safe mode

3. Edit the registry

You must edit the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services and remove the Wink[random characters] subkey after you write down the exact name of the Wink file.

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

4. In the left pane, under the \Services key, look for the following subkey:

\Wink[random characters]

5. Write down the exact file name of the Wink[random characters].exe file

6. Delete the Wink[random characters] subkey.

7. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

8. In the right pane, look for the following values, and delete them if they exist:

Wink[random characters] %System%\Wink[random characters].exe

WQK %System%\Wqk.exe

NOTE: They probably will not exist on Windows 2000/XP-based computers, but you should check for them anyway.

9. Click Registry, and click Exit.

4. Configure Windows to show all files

Do not skip this step.

1. Start Windows Explorer.

2. Click the Tools menu, and click "Folder options."

3. Click the View tab.

4. Uncheck "Hide file extensions for known file types."

5. Uncheck "Hide protected operating system files," and under "Hidden files and folders," click "Show hidden files and folders."

6. Click Apply, and then click OK.

5. Delete the actual Wink[random characters] file

Using Windows Explorer, open the %System% folder (by default C:\Winnt\System32 on Windows 2000 or C:\Windows\System32 on Windows XP), locate the Wink[random characters].exe file whose name you wrote down, and delete it. (Depending on your system settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than the default, make the appropriate substitution.

6. Empty the recycle bin

Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

7. Run the Intelligent Updater

Double-click the file that you downloaded in Step 1. Click Yes or OK if you are prompted.

8. Restart the computer

Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it.

CAUTION: This step is very important. Reinfection will occur if this is not followed.

Allow the computer to start normally. If any files are detected as infected by W32.Klez.E@mm or W32.Klez.gen@mm, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

9. Scan with Norton AntiVirus (NAV) from a command line

Because some NAV files were damaged by the worm, you must scan from the command line.

NOTE: These instructions are only for consumer versions of NAV. The file Navw32.exe is not part of Enterprise versions of NAV such as NAVCE. The NAVCE command-line scanner, Vpscan.exe, will not remove the worm.

1. Click Start, and click Run.

2. Type--or copy and paste--the following, and then click OK:

NAVW32.EXE /L /VISIBLE

3. Allow the scan to run. Quarantine any additional files that are detected.

10. Reinstall NAV

NOTE: If you are using NAV 2002 on Windows XP, this may not be possible on all systems. You can, however, try the following: Open the Control Panel, double-click Administrative Tools, and then double-click Services. In the list, select Windows Installer. Click Action, and then click Start.

Follow the instructions in the document How to restore Norton AntiVirus after removing a virus to reinstall NAV.

11. Restart the computer and scan again

1. Shut down the computer, and turn off the power. Wait 30 seconds and then restart it.

CAUTION: This step is very important. Reinfection will occur if this is not followed.

2. Run LiveUpdate and download the most current virus definitions.

3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.

4. Run a full system scan. Quarantine any files that are detected as infected by W32.Klez.E@mm or W32.Klez.gen@mm.

Writeup by: Atli Gudmundsson


Copyright © 2004-2023 Cnenc.net All Rights Reserved
Last updated: 2025/2/5 23:31:48