****************************************************************************
FIX_KLEZ version 4.21 (7/19/2002)
Trend Micro, Inc.
http://www.trendmicro.com
****************************************************************************

I. Description

This tool package cleans systems infected with WORM_KLEZ (variants A, B, C,
D, E, F, G, H, and I) and PE_ELKERN (variants A, B, C, and D). It supports
the following features:

 o Terminate all WORM_KLEZ and PE_ELKERN instances in memory
 o Remove malware registry entries
 o Scan and clean local hard disk drives
 o Inoculate the system to prevent reinfection
 o Identify infected network shared drives

II. File List

 o FIX_KLEZ.EXE    - Fix tool for WORM_KLEZ and PE_ELKERN (version 4.21)
 o VSCANTM.BIN     - Command line version of the Trend Micro virus scanner
 o VSAPI32.DLL     - Component DLL of VSCANTM.BIN
 o BPMNT.DLL       - Component DLL of VSCANTM.BIN
 o BPM95.DLL       - Component DLL of VSCANTM.BIN
 o MEMBOOT.DLL     - Component DLL of VSCANTM.BIN
 o LPT$VPN.001     - Pattern file
 o README_KLEZ.TXT - This file

III. Requirements

This tool is designed to run under Windows 9x/ME/NT/2000/XP.

IV. Parameters

        The folder where this tool begins scanning. If unspecified, this
        tool scans all local hard disk drives.
 /P     Prompt when cleaning files
 /M     Memory scan only
 /N     Network scanning mode (scan network shared folders instead)
 /?     Display help information

V. How to Use

** IMPORTANT NOTE **
Windows NT/2000/XP users must log in as Administrator, or with an account
that has administrative rights, to be able to clean the system successfully.
Also, Windows ME/XP users must follow the additional instructions below to
disable the System Restore feature.

 1. Disconnect the system from the network to avoid reinfection while the
    tool runs.
 2. Terminate all applications running on the system, including any
    antivirus software that may be installed, to avoid conflicts while the
    tool runs.
 3. Extract the contents of this package to a temporary directory or
    folder.
 4. Open Windows Explorer and navigate to the folder where you extracted
    the fix package. Run the file FIX_KLEZ.EXE.
    NOTE: Do NOT run FIX_KLEZ.EXE from the Command Prompt. COMMAND.COM or
    CMD.EXE might be infected.
 5. Restart the system.
 6. Enable all antivirus software and perform a manual scan to remove other
    viruses that may be present on the system.
 7. Review the following log files generated by this tool in its current
    folder:
    o FIX_KLEZ.LOG - contains memory, registry and file scanning results,
                     and also compressed file restoration results
    o DETECT.LOG   - VScanTM log of files detected as infected
    o CLEAN.LOG    - VScanTM log of cleaned files
    o CFAIL.LOG    - VScanTM log of files that could not be cleaned

VI. Additional Windows ME/XP Cleaning Instructions

Windows Millennium Edition (ME) and Windows XP have a feature known as
System Restore, which creates backups of certain files in the _Restore
folder. The System Restore feature usually backs up files with EXE or COM
extensions, which may include infected files and malware programs. Files in
the _Restore folder are protected and can only be accessed using System
Restore. This feature must be disabled before Trend Micro antivirus can
access and clean these files. The following procedure disables the System
Restore feature:

Windows ME

 1. Right-click the My Computer icon on the desktop and click Properties.
 2. Click the Performance tab.
 3. Click the File System button.
 4. Click the Troubleshooting tab.
 5. Select Disable System Restore.
 6. Click Apply>Close>Close.
 7. When prompted to restart, click Yes.
 8. Press F8 while the system restarts.
 9. Choose Safe Mode, then press Enter.
 10. After your system has restarted, continue with the scan/clean process.
     Files under the _Restore folder can now be deleted.
 11. Re-enable System Restore by clearing Disable System Restore and
     restarting your system normally.

Windows XP

 1. Log on as Administrator.
 2. Right-click the My Computer icon on the desktop and click Properties.
 3. Click the System Restore tab.
 4. Select Turn off System Restore.
 5. Click Apply>Yes>OK.
 6. Continue with the scan/clean process. Files under the _Restore folder
    can now be deleted.
 7. Re-enable System Restore by clearing Turn off System Restore.

VII. Compatibility

This tool has been tested under the following platforms:

 Windows 9x
 Windows ME
 Windows NT 4.0 Workstation and Server
 Windows 2000 Professional and Server
 Windows XP

VIII. Detailed Information on FIX_KLEZ.EXE

This tool supports cleaning of WORM_KLEZ (variants A, B, C, D, E, F, G, H
and I) and PE_ELKERN (variants A, B, C and D).

 o Scan and remove WORM_KLEZ and PE_ELKERN from memory

 o Remove the worm's registry entries
   a. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\krn132
   b. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\wqk
   c. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\WinSvc
   d. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\Wink*
      (where * is a random set of characters)

   Under Windows NT/2000:
   a. HKLM\SYSTEM\CurrentControlSet\Services\KernelSvc
   b. HKLM\SYSTEM\CurrentControlSet\Services\Krn132
   c. HKLM\SYSTEM\CurrentControlSet\Services\Wink*
      (where * is a random set of characters)

   Under Windows 2000:
   a. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

 o Remove drop files
   a. %System%\KRNL32.EXE
   b. %System%\WINSVC.EXE
   c. %System%\WINK*.EXE
      (where * is any randomly selected characters and %System% is the
      Windows system directory)

   Under Windows 9x/ME:
   a. %System%\WQK.EXE

   Under Windows 2000:
   a. %System%\WQK.DLL

 o Inoculate the system to prevent future infection
   a. Create a hidden folder named "%System%\KRN132.EXE"
   b. Create a hidden folder named "%System%\WQK.EXE"
   c. Create a hidden folder named "%System%\WQK.DLL"
   d. Create a hidden folder named "%System%\WINSVC.EXE"

IX. Network Scanning Mode

Network administrators can use this fix package to scan shared folders in a
network. To select network scanning mode, use the "/N" option. The syntax
for this mode is as follows:

   FIX_KLEZ /N []

        The network path to be scanned. If unspecified, the tool scans all
        shared folders on all servers on all domains.

The network path can have any of the following formats:

   ::\\\
   ::
   ::\\
   ::\\
   \\\
   \\

In addition, you can place wildcards (* or ?) anywhere in the network path.
For example:

   TREND??::\\ph-*\My*Folder

Note that Network Scanning Mode only scans for infected machines. To clean
these machines, you need to run the tool locally on them.

X. Additional Resources

For those who use Internet Explorer (IE) 5.01 and 5.5, download and install
the security patch from Microsoft at:

For more information about the WORM_KLEZ and the PE_ELKERN variants, visit
the Trend Micro Virus Encyclopedia at:
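The registry entries, drop files and inoculation folders listed in section VIII, turned into an offline check that an administrator can run over data collected from a machine. This is an added example, not part of the Trend Micro package; it assumes a .reg export of the HKLM Run key and a (name, is_dir) listing of %System% as inputs, and the sample data in it is constructed.

```python
import fnmatch
import re

# Indicators from section VIII. "*" stands for the worm's random suffix
# (Wink*, WINK*.EXE) and is matched with shell-style wildcards.
RUN_VALUE_PATTERNS = ["krn132", "wqk", "WinSvc", "Wink*"]
DROP_FILE_PATTERNS = ["KRNL32.EXE", "WINSVC.EXE", "WINK*.EXE", "WQK.EXE", "WQK.DLL"]
INOCULATION_FOLDERS = ["KRN132.EXE", "WQK.EXE", "WQK.DLL", "WINSVC.EXE"]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def _match(name, patterns):
    # Registry value and file names are case-insensitive on Windows.
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)

def suspicious_run_values(reg_export):
    """Value names under the HKLM Run key (from a .reg export) that match
    the worm's autostart entries; values under other keys are ignored."""
    hits, in_run = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):            # a key header switches context
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=', line)   # "name"=value
        if in_run and m and _match(m.group(1), RUN_VALUE_PATTERNS):
            hits.append(m.group(1))
    return hits

def suspicious_drop_files(listing):
    """listing: (name, is_dir) pairs from %System%. A hidden folder with a
    drop-file name is the tool's inoculation, so only files are reported."""
    return [n for n, d in listing if not d and _match(n, DROP_FILE_PATTERNS)]

def missing_inoculations(listing):
    """Inoculation folders from section VIII that are not present as folders."""
    dirs = {n.lower() for n, d in listing if d}
    return [f for f in INOCULATION_FOLDERS if f.lower() not in dirs]

# Constructed sample data, not taken from a real system.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Wink7f3a"="C:\\WINDOWS\\SYSTEM\\Wink7f3a.exe"
"krn132"="C:\\WINDOWS\\SYSTEM\\krn132.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wqk"="not under the Run key, so not reported"
"""
SAMPLE_LISTING = [("KRNL32.EXE", False), ("WINKa1b2.EXE", False),
                  ("WQK.EXE", True), ("KERNEL32.DLL", False)]
```

On the sample data, the Run key yields Wink7f3a and krn132, the listing yields KRNL32.EXE and WINKa1b2.EXE as dropped files, and WQK.EXE is recognised as an inoculation folder rather than an infection.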