Added Date: 2008-11-10 | Editor: Jack | About: Worm, W32.Klez.H@mm
W32.Klez.H@mm
Aliases: Email-Worm.Win32.Klez.h [Kaspersky], W32/Klez.h@MM [McAfee], WORM_KLEZ.H [Trend], Win32/Klez.J [Eset]
Type: Worm
Systems Affected: Windows 95, Windows 98, Windows Me, Windows XP, Windows NT, Windows 2000, Windows Server 2003
Overview: W32.Klez.H@mm has a number of similarities to W32.Klez.E@mm. It spreads by email and network shares, and can also infect files.
Symptoms of W32.Klez.H@mm:
1. Once launched, the worm copies itself to the following locations:
%SYSDIR%\wink%three-digit random character string%.exe
%TEMPDIR%\%random character string%%hex number%.exe
2. It automatically deletes the following files:
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT
Shlwapi.dll
Kernel32.dll
netapi32.dll
sfc.dll
3. The worm may interfere with the running of the antivirus software.
Related worms: Winur, Klez Worm, Feebs.b, Funny Trojan
Remove W32.Klez.H@mm:
1. Click the "Start" button -> "Run", type "regedit", and then click the "OK" button.
2. Find the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
3. In the left pane, under the Services key, find the following subkey:
\Wink[random characters]
4. Delete the Wink[random characters] subkey.
5. Find the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
6. In the right pane, find the following values and delete them:
Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe
7. Restart your computer.
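The registry and file locations named in the symptoms and removal steps above can be checked read-only before anything is deleted. The script below is an added example, not part of the original entry; it assumes PowerShell 2.0 or later is available on the host, and it treats any name beginning with "Wink" as a candidate, so legitimate entries may also match and each hit should be reviewed.

```powershell
# Read-only check for the W32.Klez.H@mm artifacts listed on this page.
# Assumption: "Wink" followed by any characters is treated as a candidate name.
# Nothing is modified or deleted; the script only reports what it finds.

$namePattern = '^Wink.+'   # Wink[random characters], matched case-insensitively
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding($Kind, $Location, $Detail) {
    $item = New-Object psobject -Property @{ Kind = $Kind; Location = $Location; Detail = $Detail }
    $findings.Add($item)
}

# Removal steps 2-4: service subkeys named Wink[random characters]
$servicesKey = 'HKLM:\System\CurrentControlSet\Services'
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $namePattern } |
    ForEach-Object {
        $imagePath = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        Add-Finding 'Service' ($_.Name) $imagePath
    }

# Removal steps 5-6: Run values named Wink[random characters] or WQK
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($valueName in $run.GetValueNames()) {
        if ($valueName -match $namePattern -or $valueName -eq 'WQK') {
            Add-Finding 'RunValue' "$runKey\$valueName" ($run.GetValue($valueName))
        }
    }
}

# Symptom 1: dropped copy in the system directory (wink<random>.exe), plus Wqk.exe
$sysDir = [Environment]::SystemDirectory
Get-ChildItem -Path $sysDir -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.BaseName -match $namePattern -or $_.BaseName -eq 'Wqk') } |
    ForEach-Object {
        Add-Finding 'File' ($_.FullName) "$($_.Length) bytes, modified $($_.LastWriteTime)"
    }

if ($findings.Count -eq 0) {
    'No matching artifacts found.'
} else {
    $findings | Select-Object Kind, Location, Detail | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the Services key and system directory are fully readable.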
You can also use antivirus software with the latest updates to remove the worm quickly:
Norton Internet Security 2009