
Message ID: 2897
Date: Tue May 14 12:00:32 BST 2002
Author: Su
Subject: Important info on virus detection and such


As I mentioned to some of the lists earlier, a virus made its way through a
few of the yahoogroups lists I am on. A friend of mine who is a tech guy
passed this information along. This is not a virus scare. This is merely
info on how to protect your system better.

The Klez virus and its new strings are a real pain in the butt. It's really
quite clever in the way it replicates itself, and it's another of a line of
viruses where you're only susceptible if you have Outlook or Outlook Express
as your e-mail client.

It doesn't always broadcast as an attachment, either. One of the few forms
of Klez.e is embedded in a standard HTML message and runs automatically when
the "image" is displayed. Another string prompts Outlook to immediately ask
for download, rather than merely coming as a dormant attachment.

So you don't always have to download or run something to get a virus. Many
of the more damaging viruses, like Red Alert and Magi, come in through
unprotected ports on your computer, left open by some of Microsoft's
background services. Magi also has a string that runs through Active X, and
its three stages of damage and distribution are kinda interesting.

For the first 30 days, it does nothing. On Day 30, it deletes your CPL
(Control Panel) files. At 60 days, it cripples your desktop, making it
appear as though the icons run away from your mouse pointer. If left
unchecked for 90 days, the real fun starts. It overwrites a portion of your
boot sector, renames every other file to something lewd, deletes every 25th
file, and corrupts your registry.

Anyway, my point is that it's still always a good idea to check your
registry from time to time. Norton and McAfee are nice, but I don't like the
way either of them insists on running in the background, eating up resources
better spent elsewhere. McAfee is the better of the two, in my opinion, but
neither can be relied upon for total safety. Even if you update your
definitions religiously, it'll be a week or two before either will protect
you from a virus written today, y'know?

Symantec and McAfee's rundowns on the virus are misleading, especially when
it comes to removing it. This is why I tend to do these things by hand.

Klez is a registry driven virus that runs an executable from your
\WINDOWS\SYSTEM directory each time you start your computer. The EXE file in
your SYSTEM directory is randomly named, though it always has "win" at the
beginning. winblk.exe, winking.exe, winyhb.exe, and on and on and on.

If you're running a Windows OS (95 through XP), here's how to check to see
if you have it...

1 - Click Start, Run, type REGEDIT, and hit Enter.

2 - Navigate to the HKEY_LOCAL_MACHINE > SOFTWARE > MICROSOFT > WINDOWS >
CURRENT VERSION > RUN directory on the left to see the RUN key values on the
right.

3 - If you have the virus, you'll have a key to the file described above
(winking.exe, for example). If the entry is there, click on it and hit the
Delete key on your keyboard. It should be the last entry in that key list.

NOTE: Some strands of this virus monitor changes to the registry so that if
you delete the virus key, it will automatically replace it. Once deleted,
you can hit the F5 key to refresh the folder. If it has replaced itself,
don't worry. The steps to eliminate the virus will kill it.

The easiest way to positively eliminate the virus is in DOS. Depending on
your OS, you may have a Restart in MS-DOS Mode option in your shutdown menu.
Use it if you do. If you don't, you can reboot and hit the F8 key after the
post screen to bring up the boot option menu and choose Command Prompt Only
to get to a native DOS prompt.

The reason this is necessary is that the Klez executable will be active,
meaning you won't be able to edit or delete the file while Windows is
running. It technically starts itself as a Windows service, so it won't
appear in your Close Program dialog box either.

Anyway, shut down or boot into DOS and navigate to your \WINDOWS\SYSTEM
directory. On most machines the path is C:\Windows\System. For those not
familiar with DOS, assuming you use the common path, the following commands
will get you to your System directory...

cd\
cd windows
cd system

Now run the following command...

dir /a:h

This will display all hidden files in the directory. There should only be a
few, and one of them will be the virus executable, which should be the only
EXE file listed. Again, we'll use winking.exe as our example.

This file will have attributes set to protect it from detection and
deletion. To remove those attributes, use the following command...

attrib -h -s -r winking.exe

With those attributes removed, you can now delete the file...

del winking.exe

Now the virus won't start with Windows. Reboot your machine and repeat the
steps above to check for and remove the registry entry. Reboot again to make
sure everything was done properly. If on this restart you no longer have the
registry key, then your system is no longer running the Klez virus.

Now, this doesn't mean you don't still have infected files. Although
innocuous, Klez can infect other executables on your machine. So it's a good
idea when all's said and done to update your virus definitions and do a
thorough scan, cleaning or removing any infected files found.

For Klez, it's important that you don't rely on your AV software to
eliminate the active virus. Always do it manually. As of today, neither
Norton Antivirus nor McAfee successfully inoculate all 9 strings of the Klez
virus. In other words, it'll scan, it'll find files, it'll clean/remove them
for you, but it will not uniformly remove the SYSTEM file or the registry
entry. Depending on the string you have, it might fix things, but the manual
process is the only way to make sure.

I hope that this helps.
luv,
-Su
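The registry check Su describes above can also be done against an export of the Run key instead of by eye in REGEDIT. The script below is an added example, not code from Su or her friend: it parses a REGEDIT4-style export of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (what `regedit /e run.reg "<key>"` writes), applies the message's heuristic (an EXE whose name begins with "win", loaded from \WINDOWS\SYSTEM), and prints the DOS-mode attrib/del commands from the message for each hit. The sample export, including the value name "Winking" and the other Run entries, is constructed for the example; the heuristic is exactly the one in the message and nothing more, so a legitimate win*.exe in the System directory would also be flagged and every hit should be confirmed by hand before deleting anything.

```python
"""Flag Klez-style autostart entries in an exported Run key (added example)."""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export (hypothetical contents of a Windows 98 Run key).
# REGEDIT4 exports double every backslash and escape embedded quotes.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Winking"="C:\\WINDOWS\\SYSTEM\\winking.exe"
"""

# One  "name"="string value"  line; escapes inside either string are allowed.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    """Undo REGEDIT4 string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_key(reg_text, key=RUN_KEY):
    """Return {value_name: command_line} for `key` from an exported .reg text."""
    entries = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # new key section
            continue
        if current is None or current.lower() != key.lower():
            continue
        m = _VALUE_LINE.match(line)
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def executable_path(command_line):
    """Pull the program path out of a Run value: first quoted token, else first bare token."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_klez_like(path):
    """The message's heuristic: a win*.exe started from \\WINDOWS\\SYSTEM.

    A bare filename (no directory) is also flagged, since Windows resolves it
    through the search path, which includes the System directory.
    """
    directory, name = ntpath.split(path)
    name = name.lower()
    if not (name.startswith("win") and name.endswith(".exe")):
        return False
    directory = directory.lower().rstrip("\\")
    return directory == "" or directory.endswith("\\windows\\system")


def find_suspicious(reg_text):
    """(value_name, exe_path) for every Run entry matching the heuristic."""
    hits = []
    for name, cmd in parse_run_key(reg_text).items():
        path = executable_path(cmd)
        if is_klez_like(path):
            hits.append((name, path))
    return hits


def removal_commands(path):
    """The DOS-mode cleanup from the message for one hit: cd to the directory,
    strip the hidden/system/read-only attributes, delete the file."""
    directory, name = ntpath.split(path)
    if not directory:
        directory = r"C:\WINDOWS\SYSTEM"  # the common path named in the message
    _drive, tail = ntpath.splitdrive(directory)
    cmds = ["cd\\"]
    cmds += ["cd " + part for part in tail.strip("\\").split("\\") if part]
    cmds += ["attrib -h -s -r " + name, "del " + name]
    return cmds


if __name__ == "__main__":
    for value_name, exe in find_suspicious(SAMPLE_REG):
        print('Run value "%s" -> %s' % (value_name, exe))
        for c in removal_commands(exe):
            print("    " + c)
```

To run it against a real machine, export the key first (`regedit /e run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"`) and pass the file's text to `find_suspicious`; Windows 2000/XP write the export as UTF-16, so open it with `encoding="utf-16"` there, while 95/98/ME exports are plain ASCII. The commands it prints are the ones from the message and still have to be typed at the DOS prompt after restarting in MS-DOS mode, for the reason Su gives: the running executable cannot be deleted from inside Windows.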