K L E Z T O O L
---------------

The Kleztool is a utility created by Kaspersky Labs to eliminate
several variants of the Klez virus-worm and to disinfect files infected
by Klez. The utility should be used together with F-Secure Anti-Virus,
as this tool doesn't disinfect the Elkern.A and Elkern.B virus variants
that the Klez.E and Klez.F worms drop. However, the utility is able to
disinfect files infected with the Elkern.C virus that the Klez.H worm
drops.

The disinfection procedure should be as follows:

1. Get F-Secure Anti-Virus (FSAV further on) and the latest updates for
   it. You can download a trial version and the latest updates from our
   website:

   http://www.europe.f-secure.com/download-purchase/
   http://www.europe.f-secure.com/download-purchase/updates.shtml

2. Unpack the Kleztool utility from the provided ZIP archive. A trial
   version of the WinZip archiver can be downloaded from here:

   http://www.winzip.com/ddchomea.htm

3. Run the KLEZTOOL.COM file from a hard disk to eliminate a Klez.E,
   Klez.F or Klez.H worm infection. You can run the utility either by
   double-clicking on it in Windows Explorer or by starting it from a
   command interpreter (COMMAND.COM or CMD.EXE): type its name at the
   command prompt and press 'Enter'.

4. Install or reinstall FSAV (if you have a local Klez infection, the
   worm disables an existing FSAV installation), apply the latest
   updates (if you use FsUpdate.exe, please wait for the updates to be
   acquired by FSAV - it usually takes 2 minutes) and scan all hard
   drives with FSAV to clean the Elkern virus infection.

5. Reboot the system.

6. Scan all hard drives with FSAV again to make sure that no infected
   files are left.

IMPORTANT NOTES
---------------

If the Klez infection is in a network environment, then the network
should be taken down before all workstations and servers are
disinfected. A single infected workstation can re-infect already
cleaned computers within minutes.

If a computer is infected over a network, it might not yet have the
Klez worm dropper and infection in memory. In this case the Kleztool
will not start to scan all your hard disks when you run it. To make the
tool scan all available hard disks you have to run it with the
'/scanfiles' command line option. To do this, start a command
interpreter (COMMAND.COM or CMD.EXE depending on your operating
system), go to the directory where the Kleztool is and type at the
command prompt:

   kleztool /scanfiles

Press 'Enter' to run the tool.

If you have FSAV installed on an infected system, please make sure to
disable its on-access scanner in order to allow the tool to remove Klez
infections. After the tool completes scanning, turn the on-access
scanner back on and scan all your hard disks for Elkern infection as
suggested above.

If you have Windows ME or XP, we recommend disabling the System Restore
feature of these operating systems to prevent your computer from being
re-infected with the Klez worm. The System Restore feature of these
operating systems might save the infected file into a special folder
and restore it every time it has been deleted by Kleztool. The
instructions on how to disable the System Restore feature are here:

   Windows ME: http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
   Windows XP: http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility, please contact us at the
'samples@f-secure.com' address.