
W32.Klez.E@mm - Removal

Risk Level 2: Low

Discovered:
January 17, 2002
Updated:
February 13, 2007 11:53:18 AM
Also Known As:
W32/Klez.e@MM [McAfee], WORM_KLEZ.E [Trend], Klez.E [F-Secure], W32/Klez-E [Sophos], Win32.Klez.E [CA], I-Worm.Klez.E [AVP]
Type:
Worm, Virus
Systems Affected:
Windows
CVE References:
CVE-2001-0154

Norton AntiVirus has been able to detect W32.Klez.E@mm since January 17, 2002. If you have current definitions and have a current version of Norton AntiVirus set as recommended (to scan all files), W32.Klez.E@mm will be detected if it attempts to activate. If you simply suspect that the (inactivated) file resides on the computer, run LiveUpdate to make sure that you have current definitions, and then run a full system scan.

If W32.Klez.E@mm has activated, in most cases you will not be able to start Norton AntiVirus. Once this worm has executed, it can be difficult and time consuming to remove. The procedure that you must use to do this varies with the operating system. Please read and follow all instructions for your operating system.

Removal tool

Symantec has provided a tool to remove infections of all known variants of W32.Klez and W32.ElKern. Click here to obtain the tool.
This is the easiest way to remove these threats and should be tried first.

Note on W32.Klez.gen@mm detections:
W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most cases, the tool will be able to remove the infection.

Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

http://securityresponse.symantec.com/avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode
You must do this as the first step. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove the Wink[random characters].exe value after you write down the exact name of the Wink file.

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, look for the following values:

    Wink[random characters] %System%\Wink[random characters].exe
    WQK %System%\Wqk.exe

  5. Write down the exact file name of the Wink[random characters].exe file.
  6. Delete the Wink[random characters] value and the WQK value (if it exists).
  7. Navigate to and expand the following key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  8. In the left pane, under the \Services key, look for the following subkey, and delete it if it exists:

    \Wink[random characters]

    NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.
  9. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Windows\System folder, locate the Wink[random characters].exe file whose name you wrote down in Step 3, and delete it. (Depending on your system settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

6. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.

7. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

8. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from a command line.
  1. Click Start, and click Run.
  2. Type (or copy and paste) the following, and then click OK:

    NAVW32.EXE /L /VISIBLE
  3. Allow the scan to run. Quarantine any additional files that are detected.

9. Restart the computer
Allow it to start normally.

10. Reinstall NAV

NOTE:
If you are using NAV 2002 on Windows XP, this may not be possible on all systems. You can, however, try the following: Open the Control Panel, double-click Administrative Tools, and then double-click Services. In the list, select Windows Installer. Click Action and then click Start.

Follow the instructions in the document How to restore Norton AntiVirus after removing a virus to reinstall NAV.

11. Restart the computer and scan again
  1. Shut down the computer, and turn off the power. Wait 30 seconds and then restart it.

    CAUTION: This step is very important. Reinfection will occur if this is not followed.
  2. Run LiveUpdate and download the most current virus definitions.
  3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
  4. Run a full system scan. Quarantine any files that are detected as infected by W32.Klez.E@mm or W32.Klez.gen@mm.

Manual removal procedure for Windows 2000/XP

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

http://securityresponse.symantec.com/avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode
You must do this as the first step. All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. Read the document for your operating system.

3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services and remove the Wink[random characters] subkey after you write down the exact name of the Wink file.

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  4. In the left pane, under the \Services key, look for the following subkey:

    \Wink[random characters]

  5. Write down the exact file name of the Wink[random characters].exe file.
  6. Delete the Wink[random characters] subkey.
  7. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  8. In the right pane, look for the following values, and delete them if they exist:

    Wink[random characters] %System%\Wink[random characters].exe
    WQK %System%\Wqk.exe

    NOTE: They probably will not exist on Windows 2000/XP-based computers, but you should check for them anyway.
  9. Click Registry, and click Exit.
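The two registry locations edited by hand in the Windows 95/98/Me and Windows 2000/XP procedures above (the Run key values and the Services subkey) can be audited before you open Regedit, so that the exact Wink file name is captured for the file-deletion step. The script below is an added example and is not part of the Symantec writeup or its removal tool; it assumes a Windows 2000/XP or later system where PowerShell is available, only reports what it finds, and uses the Wink[random characters] and WQK names exactly as the writeup gives them.

```powershell
# Added example (not Symantec's code): report Klez persistence entries in the two
# locations the manual procedure edits. Nothing is modified; delete by hand in Regedit
# after confirming the entries match the writeup.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$svcKey = 'HKLM:\System\CurrentControlSet\Services'
$findings = @()

# Run values: named Wink<random> or WQK, pointing at %System%\Wink<random>.exe or Wqk.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -match '^(Wink.*|WQK)$' -or "$($p.Value)" -match '\\(Wink[^\\]*|Wqk)\.exe$') {
            $findings += [pscustomobject]@{
                Location = "$runKey [$($p.Name)]"
                Target   = $p.Value
            }
        }
    }
}

# Services subkey named Wink<random> (the Windows 2000/XP persistence); ImagePath
# gives the exact file name to write down for the deletion step.
Get-ChildItem -Path $svcKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Wink*' } |
    ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{ Location = $_.Name; Target = $img }
    }

if ($findings.Count -eq 0) {
    'No Wink*/WQK persistence entries found in Run or Services.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt; the Target column is the file name to record before proceeding to the "Delete the actual Wink[random characters] file" step.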

4. Configure Windows to show all files
Do not skip this step.
  1. Start Windows Explorer.
  2. Click the Tools menu, and click "Folder options."
  3. Click the View tab.
  4. Uncheck "Hide file extensions for known file types."
  5. Uncheck "Hide protected operating system files," and under the "Hidden files" folder, click "Show hidden files and folders."
  6. Click Apply, and then click OK.

5. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Winnt\System folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Winnt, make the appropriate substitution.

6. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

7. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if you are prompted.

8. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it.

CAUTION: This step is very important. Reinfection will occur if this is not followed.

Allow the computer to start normally. If any files are detected as infected by W32.Klez.E@mm or W32.Klez.gen@mm, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

9. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from the command line.

NOTE: These instructions are only for consumer versions of NAV. The file Navw32.exe is not part of Enterprise versions of NAV such as NAVCE. The NAVCE command-line scanner, Vpscan.exe, will not remove the worm.
  1. Click Start, and click Run.
  2. Type (or copy and paste) the following, and then click OK:

    NAVW32.EXE /L /VISIBLE
  3. Allow the scan to run. Quarantine any additional files that are detected.

10. Reinstall NAV

NOTE:
If you are using NAV 2002 on Windows XP, this may not be possible on all systems. You can, however, try the following: Open the Control Panel, double-click Administrative Tools, and then double-click Services. In the list, select Windows Installer. Click Action, and then click Start.

Follow the instructions in the document How to restore Norton AntiVirus after removing a virus to reinstall NAV.

11. Restart the computer and scan again
  1. Shut down the computer, and turn off the power. Wait 30 seconds and then restart it.

    CAUTION: This step is very important. Reinfection will occur if this is not followed.
  2. Run LiveUpdate and download the most current virus definitions.
  3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
  4. Run a full system scan. Quarantine any files that are detected as infected by W32.Klez.H@mm or W32.Klez.gen@mm.


Writeup By: Atli Gudmundsson
