Information and Fix for The Klez Virus

Klez is an email virus that became 'popular' in April of 2002. It exploits a vulnerability in Internet Explorer that was patched back in April of last year. Even though it was 'patched', the exploit still works and usually succeeds unless you have completely disabled the features it relies on. The best thing you can do is have Norton Anti-Virus (NAV) delete all the infected emails, and set your IE security appropriately.

I do not suggest using McAfee as it is incapable of reliably detecting viruses in files I KNOW are infected (call me sick - I keep copies of viruses for this purpose).

A free tool to scan your system for the virus (and remove it if infected) is available here: SARC

More information about your infection here: SARC

After you have been disinfected you should set your security appropriately to prevent future infections by this virus. It *can* bypass your antivirus program (if you run one) and it is entirely possible other viruses will exploit this vulnerability in the future as well.

Here's how to set your security appropriately:

* Open Internet Explorer
  > Open the Tools menu
   > Internet Options
    > Security
     > {Internet Zone}
      > [Custom Level]
       > -Miscellaneous
        > [X] DISABLE Launching programs and files in an IFRAME
         > [OK]

Then, for each other 'Zone' DISABLE *every* feature under [Custom Level] and set 'Submit Non-Encrypted Form Data' to 'Prompt', and 'User Authentication/Logon' to 'Prompt for user name and password' - that way you know when an application or webpage is sending information either through your email client or an html file you open locally. If you are using Internet Explorer 6 you may want to set the "Allow META refresh" to Enable. There are a number of sites that incorrectly rely on this client-side function.

This level of security MAY prevent certain inTRAnet functionality from working, but relatively few people need an inTRAnet setup anyway. Since you probably do not need that functionality, leaving it enabled only adds risk to your security, and it can readily be reset to [Default Level] should you later determine that those 'features' are required. If _anything_ on the inTRAnet tab is important to you, set 'Drag And Drop or Copy & Paste Files' to ENABLE. This allows you to copy files by drag & drop in Windows Explorer across shares on your network - but only set this if you actually HAVE a network.

Also, any time you upgrade or patch your browser you will need to verify these settings are still in effect. Generally they are reset to default (thank you Bill for keeping us on our toes!), which makes it hard to maintain your security.
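Since the settings get reset on upgrades, here is an audit script (added here, not from the original page) that reads the per-user zone settings out of the registry and reports whether the values recommended above are in effect. It assumes Microsoft's documented zone-settings registry layout (one key per zone under `Internet Settings\Zones`, value names are URL-action ids, data 0 = Enable, 1 = Prompt, 3 = Disable) and the id mapping shown in the `$Checks` table; both are assumptions, not something the page states.

```powershell
# Audit IE security-zone settings against the recommendations above.
# Assumed layout: HKCU\...\Internet Settings\Zones\<n>, value name = URL-action id,
# data: 0 = Enable, 1 = Prompt, 3 = Disable (Logon uses its own 0x0/0x10000/... codes).
# If the 'Security Zones: Use only machine settings' policy is on, the effective values
# live under HKLM instead; this script only reads the per-user hive.
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# URL-action ids for the settings discussed on this page (assumed mapping).
$Checks = @(
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME'; Want = 3;       Label = 'Disable' }
    @{ Id = '1601'; Name = 'Submit non-encrypted form data';            Want = 1;       Label = 'Prompt' }
    @{ Id = '1A00'; Name = 'User Authentication/Logon';                 Want = 0x10000; Label = 'Prompt for user name and password' }
)

$findings = foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
    $key = Join-Path $ZonesKey $zone
    if (-not (Test-Path $key)) { continue }      # zone key missing: nothing to audit
    $props = Get-ItemProperty -Path $key
    foreach ($c in $Checks) {
        $actual = $props.($c.Id)                 # $null when the value is absent (browser default)
        [pscustomobject]@{
            Zone    = $ZoneNames[$zone]
            Setting = $c.Name
            Actual  = if ($null -eq $actual) { 'not set (default)' } else { '0x{0:X}' -f $actual }
            Wanted  = $c.Label
            OK      = ($actual -eq $c.Want)
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more zone settings differ from the recommended values; re-apply them via Tools > Internet Options > Security.'
}
```

Run it after every browser patch or upgrade; any row with OK = False is a setting the update has quietly put back to its default.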

This virus is *nasty* to say the least. Hopefully you haven't been hit by the worst parts of it yet - which are the downloading of trojans to your system that can be used to remote control your computer across the internet (usually through IRC), and erasure of everything on your system.

I wouldn't be much of a security guy if I encouraged you to download and run something without first verifying my story. Feel free. In any case - if you *are* infected - you should act fast before you risk spreading it any further.

Other virus information:

