Damage:
Payload: This worm infects executables by creating a hidden copy of the original host file and then
overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The
name of the hidden file is the same as the original file, but with a random extension.
Large scale e-mailing: This worm searches the Windows address book, the ICQ database,
and local files for email addresses. The worm sends an email message to these addresses
with itself as an attachment.

• Anti-Vir.dat
• Chklist.dat
• Chklist.ms
• Chklist.cps
• Chklist.tav
• Ivb.ntz
• Smartchk.ms
• Smartchk.cps
• Avgqt.dat
• Aguard.dat
  

• A random file name that has a double extension. For example, Filename.txt.exe.
• A .rar archive that has a double extension. For example, Filename.txt.rar.

Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The From address is randomly-chosen from email addresses that the worm finds on the infected computer.

The worm will search files that have the following extensions for email addresses:

The email message that this worms sends is composed of "random" strings. The subject can be one of the following:

The random word will be one of the following:

RECOMMENDATION

Symantec Security Response offers these suggestions on how to configure Symantec products in order to minimize your exposure to this threat.

Gateway

Norton AntiVirus for Gateways (SMTP) Block incoming attachments with .bat, .exe, .pif and .scr extensions

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP client, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

If W32.Klez.H@mm has activated, in most cases you will not be able to start Norton AntiVirus. Once this worm has executed, it can be difficult and time consuming to remove. The procedure that you must use to do this varies with the operating system. Please read and follow all instructions for your operating system.

Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

http://securityresponse.symantec.com/avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode

1. Shut down the computer and turn off the power. Wait thirty seconds. Do not skip this step.
2. Restart the computer in Safe mode. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for the following values:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

5. Write down the exact file name of the Wink[random characters].exe file
6. Delete the Wink[random characters] value and the WQK value (if it exists).
7. Navigate to and expand the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

8. In the left pane, under the \Services key, look for the following subkey, and delete it, if it exists:

\Wink[random characters]

NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.

9. Click Registry, and click Exit.

1. Click Start, and click Run.
2. Type--or copy and paste--the following, and then click OK:

NAVW32.EXE /L /VISIBLE

3. Allow the scan to run. Quarantine any additional files that are detected.

1. Reinstall NAV from the installation CD.
2. Start NAV, and make sure that it is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan. Quarantine any files that are detected as infected.

1. Shut down the computer and turn off the power. Wait thirty seconds. Do not skip this step.
2. You must do this as the first step. All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. Read the document for your operating system.
• How to start Windows XP in Safe mode
• How to start Windows 2000 in Safe mode

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

4. In the left pane, under the \Services key, look for the following subkey:

\Wink[random characters]

5. Write down the exact file name of the Wink[random characters].exe file
6. Delete the Wink[random characters] subkey.
7. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

8. In the right pane, look for the following values, and delete them if they exist:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

NOTE: They probably will not exist on Windows 2000/XP-based computers, but you should check for them anyway.

9. Click Registry, and click Exit.

1. Start Windows Explorer.
2. Click the Tools menu, and click "Folder options."
3. Click the View tab.
4. Uncheck "Hide file extensions for known file types."
5. Uncheck "Hide protected operating system files," and under the "Hidden files" folder, click "Show hidden files and folders."
6. Click Apply, and then click OK.

1. Reinstall NAV from the installation CD.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan. Quarantine any files that are detected as infected.