Automated PC Solutions       VACM - Virus Alerts for the Common Man VACM Home APCS Home Links      Contact APCS "get it" links:         #1 AntiSpyware #1 AntiVirus   #1 Personal Firewall

Klez Worm, Elkern Virus

In this issue:
------------------------------------
- Klez Worm, Elkern Virus

***************************************************
* The Bottom Line
***************************************************
The Klez email worm infects your system with the Elkern virus,
and sends itself to everyone in your address book.

The Klez worm and Elkern Virus arrives as an email with a random
attachment name.  The email subject varies widely but are
typically one of the following:

       Hi
       Hello
       How are you?
       Can you help me?
       We want peace
       Where will you go?
       Congratulations!!!
       Don't cry
       Look at the pretty
       Some advice on your shortcoming
       Free XXX Pictures
       A free hot porn site
       Why don't you reply to me?
       How about have dinner with me together?
       Never kiss a stranger

There is no text in the body of the message... just a random
attachment.

Klez is a mass-mailer worm which drops a polymporphic EXE virus
called ElKern onto your Windows system.  If your PC is part of a
local network, Klez will also infect all other machines on your
local network.

The Klez worm copies itself to root directories of local and
network drives with a random name and with double extension, such
as ".TXT.EXE".  If you have disabled hiding of file extensions as
detailed at the VACM Archives page, you will be able to see
file(s) ending in ".Txt.Exe" on your system.

The Klez worm takes advantage of an Internet Explorer vulnerability to
automatically execute on systems running unpatched versions of
Microsoft® Internet Explorer versions 5.01 and 5.5.

***************************************************
* What You Should Do...
***************************************************
Even if you do not use Internet Explorer, it is installed on your
system and should be updated with the appropriate patch from
Microsoft.  

Users of Outlook, Outlook Express and Netscape should change their
email settings to disallow running of JavaScript and ActiveX code.

Update your browser:
----------------------------
IE Browser patches from Microsoft are available at:
  IE Patch from Microsoft

Settings for Outlook, Outlook Express and Netscape:
--------------------------------------------------------
To make sure your email client does not allow scripts and ActiveX
controls to run, follow the instructions in the following VACM
articles:

Remove Windows Scripting Host
  How To Remove Windows Scripting Host

Disable Java and ActiveX in email:
  How To Disable Java/ActiveX in your Email

***************************************************
* Klez worm and Elkern virus removal tool...
***************************************************
A utility from F-Secure will disinfect both the Klez worm
and the Elkern virus.

We have made the utility available for download from our
server at:
  Klez/ElKern Removal Tool

Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions

*** Be sure to check out the appendix at the end of this alert if you are having trouble booting your computer into "Safe Mode". The process is all spelled out for you there.   Why should you be very concerned about Spyware? Learn how to avoid Identity Theft and Windows corruption in this free VACM Video:      VACM-tested #1 AntiSpyware Software How did they steal my Identity? Why do I get so much SPAM ? Why is your computer running so slow ? Today, every PC needs just a few protection softwares. Find out what and why. Visit our Links Page to avoid Indentiry Theft and costly computer repairs.    VACM Links to Protection Tools and Softwares Keep your PC Safe and Avoid a costly trip to the shop... with these VACM approved tools. You need 3 things to protect your PC(s) automatically. Use these links to go directly to the Download and Purchase pages: the best AntiSpyware product the best Firewall product the best AntiVirus product           Old Shotgun Shell Boxes are collector's items and worth good money!  (yes... just the empty boxes) get your   ShotShell BlueBook price guide now.     To cancel your subscription to VACM, reply to this email with the word UNSUBSCRIBE in the subject. If you click on the link below, the "unsubscribe" email will be created for you and you can simply hit "Send" in you email program: Create My Unsubscribe Email IMPORTANT: please include the email address at which you are currently receiving VACM Alerts in the body of the message.     ******** APPENDIX - Handy How-To Tips **********   * How To Boot into Safe Mode Shut the computer down so that the power is off. Turn the computer on, wait 1 second and begin pressing the F8 key on the keyboard, once every second repeatedly. Do this until the Windows Startup Menu appears. If you get a keyboard error, press F1 to resume and then continue pressing the F8 key once every second, or your PC may tell you to press another key for BIOS setup. Select Safe Mode from the Windows Startup Menu, then press the Enter key on the keyboard. Windows will then boot into Safe Mode. NOTE: This may take longer than a normal boot. At the end of the boot process a dialog box will appear informing you that Windows is in Safe Mode. Click OK on this dialog box. Windows is now in Safe Mode. If you miss hitting the F8 at the right time, Windows will boot normally and you will not see the "Safe Mode" message.  In this case, start from the top of these instructions until you get the boot menu screen where you can choose "Safe Mode".  This can be a little tricky the first time you do it.