Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
We have produced a video showing step-by-step how to get rid of the Klez worm: http://www.f-secure.com/virus-info/video/klez.ram
Note: The video requires RealPlayer to view. You may download RealPlayer from: http://www.real.com/player/index.html?lang=en
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
On some systems the worm is able to self-launch itself when an infected email is viewed (for example, with Outlook and IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that allows execution of an email attachment. This vulnerability is fixed and a patch for it is available on Microsoft site: http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
This worm/virus combo apparently originated from Asia, possibly China or Hong Kong. First infections were located early on the morning of 26th of October, 2001.
The emails sent by Klez can have a wide variety of different subject fields such as:
The message has no text in body and the attachment name is random.
The worm part contains a hidden message targeted towards anti-virus researchers. Most email clients will not show this message. It looks like this:
The Klez worm copies itself to root directories of local and network drives with a random name and with double extension, such as .TXT.EXE.
Klez.D appeared in the wild on 11th of November, 2001. This variant has a few changes compared to the previous versions. First of all it looks for email addresses in the user's ICQ database files also. This means that anyone in the user's ICQ contact list is a potential recipient of the worm.
Another change in the email part is that the attachments can now have .EXE and .PIF extension also. It was only .EXE with the previous versions. When the worm is copied to the Windows system directory it's nownamed as 'WinSvc.exe'. The same name is used in the registry run key:
This version of the worm will try to locate and terminate processes that contain the words like 'Nimda', 'CodeRed', 'Code Red', 'CodeBlue', 'Code Blue'.
It also has a string inside that is never displayed:
F-Secure Anti-Virus detects and stops both Klez and Elkern. Detection was added with the update shipped on 26th of October around 15 o'clock GMT. The update with detection for D variant was published on 12th of November 09:00GMT.
Klez.E is a new variant of Klez worm that was first discovered on 17th of January 2002. The worm is "version 2.0" according to its author's classification and has several new features comparing to the older variants. The worm still has bugs that remained from previous versions.
The differences from the original version are as follows: