Win32.Klez.D@mm (TROJ_KLEZ, I-Worm.Klez)

SYMPTOMS:
- File WinSvc.exe in the System directory (with hidden attributes)
- Usually file wqk.exe in the System directory (with hidden attributes)

TECHNICAL DESCRIPTION:
This is a variant of the Win32.Klez.A@mm virus which spreads through e-mail (using the same format as its predecessors). The spreading routine is slightly modified and it contains a bigger list of fake e-mail addresses. The author also added a routine that attempts to clean the following viruses from memory: Win32.Nimda, I-Worm.SirCam, CodeRed and CodeBlue. Like the other variants, it carries the virus Win32.Elkern.A, which is a file infector.

REMOVAL INSTRUCTIONS:
The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender AntiKlez tool does the following:

You may also need to restore the affected files.

ANALYZED BY:
Costin Ionescu
BitDefender Virus Researcher