In this section

• Home
• Support
• Virus disinfection

• Global support information
• Contact support
• Knowledgebase
• Virus disinfection
• Downloads and updates
• Documentation
• Software lifecycle
• Send a sample

• Global Support Services
• Technical Support
• Professional Services
• Technical Training

Instructions for removing W32/ElKern-C and W32/Klez-H

W32/Klez-H is a Win32 worm that carries a compressed copy of the W32/ElKern-C virus, which it drops and executes when the worm is run. Detection for W32/Klez-G includes detection for W32/Klez-H and other variants. These notes can be used to disinfect the W32/Klez-E, -F, -G and -H variants and W32/ElKern-A, -B and -C.

W32/ElKern-C is an executable file virus that works only under Windows 98, Windows Me, Windows 2000 and Windows XP.

W32/Klez-H will corrupt any installation of Sophos Anti-Virus it finds, so it must be removed with DOS SWEEP or SAV32CLI before installing a new version.

Disconnecting from the network

Sophos recommends you to disconnect infected computers from the network so as to prevent the virus spreading further during preparations.

If you are disinfecting a Windows NT/2000/XP computer go to the Windows NT/2000/XP section.

Windows 95/98/Me

Disinfect using DOS SWEEP

• directly from the DOS folder on the Sophos Anti-Virus CD
• download it and extract it to a C:\Sophtemp folder
• if the virus has not corrupted your Sophos Anti-Virus installation you may use the copy of DOS SWEEP in C:\Program files\Sophos SWEEP.

You must disinfect in 16-bit (MS-DOS) mode, not at a command prompt ('DOS box').

• Windows 95/98. Restart the computer in MS-DOS mode. Select Start|Shut Down then select 'Restart the computer in DOS mode'.
• Windows Me. Create a startup disk and boot from that. Select Start|Settings|Control Panel. Click 'Add/Remove Programs', select the 'Startup Disk' tab and click 'Create Disk'. When you have created the startup disk, write-protect it and boot from it.

Go to the directory containing DOS SWEEP

• if you are running from a CD in drive E: type
  E:
  CD \DOS
• if you extracted the files to C:\Sophtemp type
  CD \
  CD SOPHTEMP
• if the copy of DOS SWEEP has survived in Program files\Sophos SWEEP use:
  CD \
  CD PROGRA~1
  CD SOPHOS~1

Then run DOS SWEEP

SWEEP C: -PB -DIPE -P=ELKLOGC.TXT

Your computer is scanned. Infected files are cleaned and a report is made. Corrupt files and worm files cannot be cleaned. They must be deleted.

SWEEP C: -PB -REMOVEF -P=KLEZLOGC.TXT

The log file KLEZLOGC.TXT is used to identify useful files.

Note: only remove W32/Klez or W32/ElKern files. Treat files infected by other viruses separately.

Repeat this process for any other hard drives, e.g. drive D:

SWEEP D: -PB -DIPE -P=ELKLOGD.TXT

and

SWEEP D: -PB -REMOVEF -P=KLEZLOGD.TXT

The deleted files should be restored from a clean backup or the original CD.

After disinfection restart the computer in Windows and go to the Recovery section below.

Windows NT/2000/XP

Remove W32/Klez on Windows NT/2000/XP with SAV32CLI.

• You can run SAV32CLI direct from the WIN32\I386\SAV32CLI folder on the Sophos Anti-Virus CD.
• Alternatively, use the SAV32CLI emergency download at sav32sfx.exe. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected (e.g. a CD) then write-protect it (on a CD/R or CD/RW close the session).

Before running SAV32CLI you must ensure that W32/ElKern is not resident in memory. In Windows 2000 and Windows XP you should use Safe Mode. As W32/ElKern-C does not infect Windows NT files you can use a command prompt.

• Windows NT. Shut down all programs. Go to Start|Run and type Command.
• Windows 2000. Go to Start|Shut Down, select Restart from the drop down list and click OK. Windows restarts.
  Press F8 when you see this text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the top option 'Safe Mode'. When requested, logon as local administrator.
  When Safe Mode has started select Start|Settings|Control Panel|Administrative Tools and double-click Services. Among the Services you will see one called Wink*, where * represents random characters. If it is running, use the Stop button to shut down this Wink* service. Close all windows.
  Go to Start|Run and type Command.
• Windows XP. Go to Start|Shut Down, select Restart from the drop down list and click OK. Windows restarts.
  Press F8 repeatedly as the computer boots up to get to the Windows Advanced Options Menu. Select the top option 'Safe Mode', then select Windows XP. When requested, logon as local administrator.
  When Safe Mode has started go to Start|Settings|Control Panel|Administrative Tools and double-click Services. Among the Services you will see one called Wink*, where * represents random characters. Use the Stop button to shut down this Wink* service. Close all windows.
  Go to Start|Run and type 'Cmd'.

Insert the write-protected disk with SAV32CLI on it. At the command prompt type
E:
where E: is the drive in which you placed the disk.

• If you are using the Sophos Anti-Virus CD, type:
  CD WIN32\I386\SAV32CLI
• If you are using a SAV32CLI disk, type:
  CD SAV32CLI

Then type:

SAV32CLI -DI -P=C:\ELKLOGC.TXT

to disinfect all fixed drives.

SAV32CLI scans your computer. Infected files are cleaned and a report is made. Corrupt files and worm files cannot be cleaned. They must be deleted.

SAV32CLI -REMOVE -P=C:\KLEZLOGC.TXT

The log file KLEZLOGC.TXT can be used to identify useful files.

Note: only remove W32/Klez or W32/ElKern files. Treat files infected by other viruses separately.

When disinfection has finished run a second scan to check that the viruses have gone. If they have not gone, or you encounter any problems, contact Sophos technical support.

Restart Windows and go to the Recovery section below.

Recovery

1. System Restore
   You should purge System Restore in Windows Me and Windows XP.
2. Reinstall Sophos Anti-Virus and scan the computer in Windows
   Reinstall Sophos Anti-Virus as directed in the relevant installation guide, then run a scan to check directories whose names cannot be recognised under DOS (e.g. they contain illegal characters like "!" and "?"). Start Sophos Anti-Virus. Right-click your hard drive and select All files from pop-up menu. Ensure 'Subfolders' is selected. Run a scan. When you have finished right-click the drive again and select Executables.
3. Repairing the registry
   You may need to delete registry entires that point to infected files and services. Please read the warning about editing the registry. The infected file will be listed in KLEZLOGC.TXT (check in SOPHTEMP, Sophos SWEEP, and the root of the C: drive). Double-click KLEZLOGC.TXT to open it in Notepad and search for the word 'virus' to find the names of the infected files. Leave it open for searching while you edit the registry.
   At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
   Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
   Locate the HKEY_LOCAL_MACHINE entry:
   
   HKLM\Software\Microsoft\Windows
   \CurrentVersion\Run\"infected file"
   
   where "infected file" is one of the infected files in the log. Delete this entry.
   You may also need to remove the Wink* service entry. Locate
   
   HKLM\System\CurrentControlSet\Services\Wink*
   
   where "*" represents random characters. Delete this entry.
   Close the registry editor.
4. Replacing disinfected files
   Infected files are not always restored to their original state. This damage cannot be reversed automatically without a copy of the original file. You should subsequently replace all files that have been infected with copies from backups, new media or a clean computer. Use KLEZLOGC.TXT to identify these files.
5. Using the Microsoft patch
   W32/Klez-H exploits a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer which allows a file to run automatically without the user double-clicking on the attachment.
   Download the patch which Microsoft has issued to secure against this vulnerability.
6. Finding renamed files
   W32/Klez-H renames and hides copies of some overwritten files in the original directory. The file name is retained, but the extension is random and atributes are changed. If not available from backups, these files may be renamed.

Other platforms

If you find any infected files on platforms other than Windows 95/98/Me and Windows NT/2000/XP, disinfect W32/ElKern-C using the instructions for Disinfecting PE executables and remove W32/Klez variants using the instructions for Removing infected executable files.