W32.Klez Removal Guide

Description:     This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP to propagate via email. The subject line of the email it arrives with is randomly selected from a list of possible choices.

Removal Solution:
  1. Print this page or write down the order of events so that you can follow the instructions completely. Otherwise you will probably not remove the virus from your system entirely and it will re-infect your system immediately after finishing all this!!!!

  2. Download Norton's Klez removal tool either from Norton:   Norton Klez Removal Tool
    or you can get a copy of the tool from our local FTP:     ECSIS Copy of Removal tool

    Note where you download/save the removal tool (c:\temp, c:\windows\desktop, etc) as you will require this information in below to actually run the removal tool.

  3. Disconnect from the internet and disconnect your modem or network connection so that the virus cannot reconnect while you are doing the removal. (unplug phone cord from modem or unplug network cable from system unit or where it connects to your network)

  4. Open your Mail program and empty the Inbox of any item that contains an attachment or appears in any way suspecious. Then empty the Deleted Items folder. If there are any items in your INBOX with the virus your system will immediately be re-infected after you complete this procedure and you will have to start all over again. (safe thing is to empty the inbox, and then the deleted items folder).

  5. Exit all programs and Restart your system into SAFE MODE

  6. Once in Safe Mode Execute/Run the removal UNTIL it reports there are no viruses found. (You may have to run it several times until the message "No viruses Found" is displayed when you run the removal tool).

  7. Restart your computer into Regular Mode (the way you normally use it) - but still disconnected from the phone line or network.

  8. Run the removal tool again and verify that it gives the message: "No viruses were Found". (IF not, reboot into Safe Mode and go through the removal again).

  9. Re-connect your modem or your network connection.

  10. Please install a good anti-virus software package (see ECSIS.NET Virus Page for several options; or if you have an anti-virus package, please update the Virus Definitions file for that package

  11. Since this worm uses a vulnerability in HTTP-based email clients like Microsoft Outlook and Outlook Express, please visit Microsoft Updates and apply any security or system updates available for your system - particularly Internet Explorer, Outlook , or Outlook Express .