
Klez Worm FAQ

Protect your computer: The most common virus intercepted on the NYU mail servers is Klez.

What does the Klez worm do?
The Klez worm forges the "From:" line of the messages it sends automatically, using an e-mail address found on the infected machine, so a message may appear to come from someone you know. Many of the viruses and worms in circulation today harvest addresses from several places; e-mail address books and web pages stored on the machine are two of the most common sources. Klez chooses from over 100 subject lines at random and uses several different file names for the attachment that carries it, so neither the subject nor the attachment name is a reliable way to recognize it.

Mail is sent from an infected machine automatically, so you will not notice it going out, and no copies of the infected messages are saved anywhere on the machine. Klez also masquerades as a "Klez.E immunity tool", using the subject line "Worm Klez.E Immunity". The worm tries to disable common anti-virus programs such as McAfee and Norton, which is why a scan may fail on an infected machine. Klez may also plant the Elkern virus on the victim's machine; Elkern crashes most systems it infects and destroys critical operating system files.

Why did I get a virus-alert message?
In order to combat the rising number of virus-infected messages coming in to NYU, ITS has instituted virus scanning at its main mail gateways. When the scanner finds a virus in a message sent to or from you, it removes the infected attachment. Because the message was not delivered in its entirety, the scanner sends a note to both the sender and the recipient of the message.

If you are listed as the recipient, there is nothing you need to do beyond normal safe computing practice: ensure that your anti-virus software has the most recent virus definitions, and that you have run a full scan of all your disks since you last updated those definitions.

If you are listed as the sender of the message, you should follow the instructions below to make sure that you get rid of the worm.
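The gateway scan described above, as an added example: it is not NYU's gateway code, and it assumes a simple executable test (a list of file extensions plus the "MZ" bytes that begin every Windows executable), the hostname mx3.nyu.edu and the alert wording copied from the sample alert quoted further down this page, and a sample message constructed here rather than captured. It opens each MIME part, takes out any attachment that is a Windows executable, and produces the alert text that both parties receive.

```python
"""
Model of a mail-gateway attachment filter (added example, not NYU's code).
Assumptions not taken from the page: the executable test, the sample
message, and the use of header addresses for the alert.
"""
import email
from email import policy
from email.message import EmailMessage, MIMEPart

GATEWAY = "mx3.nyu.edu"   # hostname from the page's sample alert
# Extensions Windows runs directly; the page's sample attachment was an .exe
EXEC_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com")


def looks_executable(part) -> bool:
    """Executable by name or, for renamed files, by content."""
    name = (part.get_filename() or "").lower()
    if name.endswith(EXEC_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"   # DOS/PE header magic, whatever the file is called


def _strip_executables(container, removed):
    """Replace every executable leaf part under container with a text notice."""
    kept = []
    for part in container.iter_parts():
        if part.is_multipart():
            _strip_executables(part, removed)   # descend into nested multiparts
            kept.append(part)
        elif looks_executable(part):
            name = part.get_filename() or "(unnamed)"
            removed.append(name)
            notice = MIMEPart()
            notice.set_content(f"[Attachment {name} removed by {GATEWAY}: virus detected]")
            kept.append(notice)
        else:
            kept.append(part)
    container.set_payload(kept)


def scan_and_strip(raw: bytes):
    """Return (cleaned message, names of removed attachments)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if msg.is_multipart():
        _strip_executables(msg, removed)
    return msg, removed


def alert_text(msg, filename: str) -> str:
    """The note sender and recipient get, in the format quoted on this page.
    The addresses come from the headers, so a forged From: earns whoever
    Klez picked as the fake sender an alert for mail they never sent."""
    return (f"The mail message (file: {filename}) you sent to {msg['To']} "
            f"contains a virus. (on {GATEWAY})")


def count_executables(raw: bytes) -> int:
    """Number of leaf parts that still look like Windows executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return sum(1 for p in msg.walk() if not p.is_multipart() and looks_executable(p))


def attachment_names(msg):
    """File names of every part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def sample_message() -> bytes:
    """Constructed input: a Klez-style lure with an obvious executable, a
    disguised one, and a harmless text attachment. Not a real capture."""
    m = EmailMessage()
    m["From"] = "colleague@example.edu"      # may be forged, as explained above
    m["To"] = "you@nyu.edu"
    m["Subject"] = "Worm Klez.E Immunity"    # lure subject named on this page
    m.set_content("Run the attached tool to protect yourself.")   # made-up lure text
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60   # stand-in bytes carrying only the PE magic
    m.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                     filename="install.exe")
    m.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="photo.jpg")
    m.add_attachment("Lunch at noon?", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = scan_and_strip(sample_message())
    for name in removed:
        print(alert_text(cleaned, name))
    print(cleaned.as_string())
```

The content check matters more than the extension check: a worm that ships its executable under an innocent name such as photo.jpg passes an extension filter but not the "MZ" test.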

I didn't open the attachment that was with the message. Does that mean that my computer is not infected?
It depends. Most of the time you have to open the attachment to activate the virus, but Klez can also take advantage of a flaw in the HTML display of some older e-mail programs, so that merely viewing or previewing an HTML message runs the attachment. If your e-mail program does not display HTML messages, you are probably safe. Run your anti-virus software anyway, just to be sure.

What should I do if I think I have the Klez worm?

Did you receive a message similar to this one?

The mail message (file: install.exe) you sent to contains a virus. (on mx3.nyu.edu). For additional information, go to: http://www.nyu.edu/its/security/virus-faq.nyu.

If so, you must scan your computer immediately using up to date anti-virus software.


Students, faculty and staff at NYU are all entitled to free copies of Norton AntiVirus. The software is included on the NYU-NET CD (available at any of the ITS computer labs and at the Client Services Center, 10 Astor Place, 4th floor) and online at www.nyu.edu/its/software.


To clear your machine of the virus, follow the steps listed below:

1) Install Norton AntiVirus (NAV) and update it with the most recent virus definitions.
2) Start NAV, and make sure that NAV is configured to scan all files.
3) Run a full system scan.
4) If any files are detected as infected, click Repair.
5) If any files are detected as infected and cannot be cleaned, click Delete.* (Note: These files cannot be retrieved once deleted.)
6) Reboot the computer.
7) Repeat steps 2-6 above until no more files are detected as being infected.
*If NAV tells you that a file is infected but cannot be cleaned, delete the file. If you back up your important information periodically, you will have a clean copy of the file from before the virus struck.

If you get an error message stating that some of Norton's files are damaged or missing, your software may have already been damaged by the worm. There is a specific cleanup tool for Klez available at:  http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

You may still receive a bounce or error message saying that you have sent an infected message even if your machine is clean. This happens because the "From:" line of an infected message is often forged, so the alert goes to whoever Klez picked as the fake sender. If you scan your machine and find no viruses, send a complete copy of the error message you received, including the date and time the message was sent, to security@nyu.edu, and mention that you have already scanned your machine.
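How to tell a forged "From:" line from a message you really sent, as an added example and not anything NYU's scanner does. The "From:" line is free text that Klez fills with a harvested address, but each relay that handles a message prepends a Received: header recording who handed it over. The trustworthy evidence is the lowest Received: line written by a relay you trust; anything below it was written by the sending machine and can be forged too. The headers, hosts and addresses below are constructed for this example (documentation-range placeholders), not real NYU traffic, and the regular expression assumes the sendmail-style "from host (rdns [ip]) by relay" wording.

```python
"""
Received:-chain check for a message that names you as sender
(added example; constructed headers, not real NYU data).
"""
import email
import re
from email import policy

# Constructed header block of a message that claims to be from you@nyu.edu.
# Bottom line: a fake hop planted by the origin; middle line: the real
# origin as recorded by mx3.nyu.edu; top line: delivery to the far end.
SUSPECT = b"""Received: from mx3.nyu.edu (mx3.nyu.edu [192.0.2.3])
\tby mailstore.example.edu with ESMTP id g3UE2BAb012345;
\tTue, 30 Apr 2002 10:02:11 -0400
Received: from Kdeqmh (dialup-77.example.net [203.0.113.77])
\tby mx3.nyu.edu with SMTP id g3UE29Xy012340;
\tTue, 30 Apr 2002 10:02:09 -0400
Received: from smtp.nyu.edu (smtp.nyu.edu [192.0.2.10])
\tby Kdeqmh with SMTP; Tue, 30 Apr 2002 10:02:07 -0400
From: you@nyu.edu
To: friend@example.edu
Subject: Worm Klez.E Immunity

"""

# "from <helo> (<reverse-dns> [<ip>]) by <relay>" as sendmail-style relays write it
HOP = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)", re.I)


def received_hops(raw: bytes):
    """Received: values oldest first (relays prepend, so file order is reversed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    values = [" ".join(str(v).split()) for v in msg.get_all("Received", [])]
    return values[::-1]


def origin_hop(raw: bytes, trusted_relays):
    """(helo, reverse_dns, ip) of the host that handed the message to the first
    trusted relay, or None if no trusted relay appears in the chain.
    Hops written by untrusted hosts are skipped: the origin can write anything."""
    for hop in received_hops(raw):
        m = HOP.match(hop)
        if m and m.group(4).lower() in trusted_relays:
            return m.group(1), m.group(2), m.group(3)
    return None


def sent_through(raw: bytes, trusted_relays, my_hosts) -> bool:
    """True only if the message entered a trusted relay from a host you use.
    False means the From: line was filled in on someone else's machine,
    which is the case to report to security@nyu.edu as described above."""
    origin = origin_hop(raw, trusted_relays)
    if origin is None:
        return False            # no provable origin: do not assume it was you
    helo, rdns, ip = origin
    return rdns.lower() in my_hosts or ip in my_hosts


if __name__ == "__main__":
    print(origin_hop(SUSPECT, {"mx3.nyu.edu"}))
    print(sent_through(SUSPECT, {"mx3.nyu.edu"}, {"smtp.nyu.edu", "192.0.2.10"}))
```

Reading the bottom-most Received: line naively would say the message came from smtp.nyu.edu, which is exactly what the planted line is for; anchoring on the hop written by mx3.nyu.edu shows it came from a dial-up host that is not yours.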

Symantec also offers a tool to remove infections of all known variants of W32.Klez@mm and all known variants of W32.Elkern. For more information about the W32.Klez Removal Tool, please visit: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

Even if you have installed anti-virus software, you are still vulnerable if your virus definitions are not up to date. NYU account holders are strongly encouraged to update their anti-virus definitions regularly. New viruses are released daily, so it is very important to keep your definitions current. Most anti-virus software can download definitions automatically while still allowing manual downloads when you want them, so there is no reason to let your definitions fall behind.

For general questions about viruses, please visit: http://www.nyu.edu/its/security/virus-faq.nyu.