W32/Klez.h@MM worm virus
The following is a copy of an e-mail I sent to my more recent e-mail
contacts regarding the W32/Klez.h@MM worm virus.
This is to inform you that my computer was infected with the W32/Klez.h@MM
worm virus in August 2002, and to explain what you need to do (A) if your
computer is infected and (B) if your computer is the source of the infection.
It was passed on to me by some of your e-mailing program(s) as an attachment
in a .bat file e.g. RW.BAT, ALIGN.BAT etc. which opens automatically
once you click on the e-mail. Your e-mailing program sends it to people
in your address book without your knowledge. My apologies if your
computer is innocent and clean.
HOW DO I KNOW IF MY COMPUTER IS INFECTED?
If your anti-virus program did not find it you may be clean or it may be
faulty. If you have a file starting with "Wink" e.g.
Winkxw.exe or Winkrr.exe in your Windows/System folder you have the virus.
If not you may be clean or the worm may not have raised its ugly head yet.
For more details see the website below.
WHAT HAPPENED? WHAT DID THE WORM DO?
I lost 4 days' work as a result of it so beware; if you have it, treat it as
soon as possible, definitely before you use e-mail again. It made my
screen blink every second, slowed down my computer to a crawl with frequent
crashes making it unusable. It infected my cdwriter.exe file so I could
not back everything up, my acroread.exe, chessprogram.exe, brittanica.exe and
various *.exe files with funny names in my windows/system and windows/temp
folders. On bootup I got messages that various files were missing. When
I tried to update my McAfee anti-virus stuff I could not connect to the
internet, then a new copy would not install properly, even in safe mode.
Eventually on reinstalling Windows 98 I replaced the missing files, didn't
lose all my work and got the new McAfee to install and my PC is well again.
Thanks to John Prendergast for the advice! On checking my e-mail the new
McAfee found 3 e-mails apparently sent from some of you, out of 10 e-mails
received, so it appears to be rampant in our mailing lists.
WHAT IS THE VIRUS, WHAT DOES IT DO AND HOW DO I TREAT IT?
See the website:
http://www3.ca.com/virusinfo/Virus.asp?ID=11779
for the answers to the above questions or you can do what I did as follows.
Update your antivirus software, either from the web or otherwise.
PCcillin and McAfee both pick up the virus. You have to delete the
infected files as the "Clean" option in McAfee does not work.
Replace any infected .exe files from copies you have backed up or reinstall
the damaged programs. The website above explains how to find these files
that were renamed by the virus if you don't have backups. For general
information on viruses see the Virus Encyclopaedia on
http://www3.ca.com/virusinfo/encyclopedia.asp .
PRECAUTIONS TO AVOID GETTING/SENDING EMAIL VIRUSES
Avoid using the "Reply All" button on big mailing lists as this puts
everyone's address into your address book ensuring that they too can share any
viruses that you catch that your anti-virus software does not pick up.
Make sure you send most e-mails as Plain Text and not HTML which can carry
worms without even using attachments. (In Outlook Express do this
by clicking Tools > Options > Send > Mail sending format - choose
Plain Text.)
If you send an e-mail, personalise it with something in the subject header as
well as the email body, maybe including some Irish or foreign language.
Do not send e-mails containing attachments which are .exe or .bat or other
executable files without first scanning them for viruses with up to date
anti-virus software, and stating that you have done so.
Do not open such attachments without similar assurances from the sender.
Remember, practice safe e-mailing. It's not as much fun as safe sex but
it's still good for you!
APOLOGY
I'm sorry if my e-mail client sent this worm to you. If it did and you
have problems treating it contact me as below, by phone is best, and I will
help you. I will copy the above instructions to my website for
reference.
Slán,
John Loughran
(Contact details were included here)