***************************************************************************
Utility for cleaning infection by:
    I-Worm.BleBla.b
    I-Worm.Navidad
    I-Worm.Sircam
    I-Worm.Goner
    I-Worm.Klez.a
    I-Worm.Klez.e(f,h)

Version 3.0.1
Copyright (C) Kaspersky Lab 2000-2002. All rights reserved.
***************************************************************************

Command line:
    /scanfiles - force scanning of hard drives. The program scans the hard
                 drive for I-Worm.Klez.a(e,f,h) infection in any case.
    /netscan   - include scanning of mapped network drives.
    /y         - end the program without pressing any key.
    /i         - show command line info.

Return codes:
    0 - nothing to clean
    1 - virus was deleted and system restored
    2 - to finalize removal of the virus you should reboot the system
    3 - to finalize removal of the virus you should reboot the system and
        start the program a second time
    4 - program error
***************************************************************************

I-Worm.BleBla.b
---------------
If the program finds the HKEY_CLASSES_ROOT\rnjfile key in the registry, it:

    deletes registry keys
        HKEY_CLASSES_ROOT\rnjfile
        HKEY_CLASSES_ROOT\.lha

    repairs registry keys to their default value
        HKEY_CLASSES_ROOT\.jpg   to jpegfile
        HKEY_CLASSES_ROOT\.jpeg  to jpegfile
        HKEY_CLASSES_ROOT\.jpe   to jpegfile
        HKEY_CLASSES_ROOT\.bmp   to Paint.Picture
        HKEY_CLASSES_ROOT\.gif   to giffile
        HKEY_CLASSES_ROOT\.avi   to avifile
        HKEY_CLASSES_ROOT\.mpg   to mpegfile
        HKEY_CLASSES_ROOT\.mpeg  to mpegfile
        HKEY_CLASSES_ROOT\.mp2   to mpegfile
        HKEY_CLASSES_ROOT\.wmf   to empty
        HKEY_CLASSES_ROOT\.wma   to wmafile
        HKEY_CLASSES_ROOT\.wmv   to wmvfile
        HKEY_CLASSES_ROOT\.mp3   to mp3file
        HKEY_CLASSES_ROOT\.vqf   to empty
        HKEY_CLASSES_ROOT\.doc   to word.document.8 or wordpad.document.1
        HKEY_CLASSES_ROOT\.xls   to excel.sheet.8
        HKEY_CLASSES_ROOT\.zip   to winzip
        HKEY_CLASSES_ROOT\.rar   to winrar
        HKEY_CLASSES_ROOT\.arj   to archivefile or winzip
        HKEY_CLASSES_ROOT\.reg   to regfile
        HKEY_CLASSES_ROOT\.exe   to exefile

    tries to delete the file
        c:\windows\sysrnj.exe

I-Worm.Navidad
--------------
If the program finds the HKEY_CURRENT_USER\Software\Navidad,
HKEY_CURRENT_USER\Software\xxxxmas or HKEY_CURRENT_USER\Software\Emanuel key
in the registry, it:

    deletes registry keys
        HKEY_CURRENT_USER\Software\Navidad
        HKEY_CURRENT_USER\Software\xxxxmas
        HKEY_CURRENT_USER\Software\Emanuel
        SOFTWARE\Microsoft\Windows\CurrentVersion\Run
            Win32BaseServiceMOD

    repairs the registry key to its default value
        HKEY_CLASSES_ROOT\exefile\shell\open\command   to "%1" %*

    tries to delete the files
        winsvrc.vxd
        winfile.vxd
        wintask.exe

I-Worm.Sircam
-------------
If the program finds the HKEY_LOCAL_MACHINE\Software\SirCam key in the
registry, "@win \recycled\sirc32.exe" in autoexec.bat, or \windows\run32.exe
and \windows\rundll32.exe that were created in Delphi, it:

    deletes registry keys
        HKEY_LOCAL_MACHINE\Software\SirCam
        Software\Microsoft\Windows\CurrentVersion\RunServices
            Driver32

    repairs the registry key to its default value
        HKEY_CLASSES_ROOT\exefile\shell\open\command   to "%1" %*

    tries to delete the files
        %Windows drive%:\RECYCLED\SirC32.exe
        %Windows directory%\ScMx32.exe
        %Windows system directory%\SCam32.exe
        %Windows startup directory%\"Microsoft Internet Office.exe"
        %Windows drive%:\windows\rundll32.exe

    tries to rename the file
        %Windows drive%:\windows\Run32.exe  to  %Windows drive%:\windows\RunDll32.exe

    tries to repair the file
        autoexec.bat

If the program cannot delete or rename a file (it may be in use at that
moment), it queues these files for deletion or renaming during the boot
process and offers the user to reboot the system.

I-Worm.Goner
------------
If a gone.scr process exists in memory, the program will try to stop it.
If the file %Windows system directory%\gone.scr exists on the hard drive, the
program will try to delete it.
If the program finds a %Windows system directory%\gone.scr entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the system
registry, it will delete this entry.

I-Worm.Klez.a, I-Worm.Klez.e, I-Worm.Klez.f, I-Worm.Klez.h
----------------------------------------------------------
If the program finds the following processes in memory:
    Krn132.exe
    WQK.exe
or any processes infected by the I-Worm.Klez.e, I-Worm.Klez.f, I-Worm.Klez.h
or I-Worm.Klez.a virus, it will stop them, delete their files from the hard
drive, and delete the links to their files from the system registry.

If the program finds that the WQK.DLL library has been loaded by any process,
it will rename the file of this library and will remove it after the system
reboot. If the program finds such a library in the memory of your PC, you
should reboot your PC when the program finishes and start it a second time
after the reboot to clean your system registry.

If the program finds any infected processes in memory, it will start a scan of
your hard drive (and of all mapped network drives if you specify /netscan on
the command line). It will check only for I-Worm.Klez.e, I-Worm.Klez.f,
I-Worm.Klez.h and I-Worm.Klez.a infection.

If you specify the /scanfiles key on the command line, the program will scan
your hard drive (and all mapped network drives if you specify /netscan) in all
cases.
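As an added example that is not part of the utility or of this README, the following read-only PowerShell audit reports the indicators described in the sections above (marker registry keys, Run/RunServices values, hijacked extension defaults, dropped files, running processes and the loaded WQK.DLL module) without changing anything. It assumes NT-style paths via $env:windir and [Environment]::SystemDirectory, and since the README does not state the hive of the Run/RunServices values, it checks both HKLM and HKCU.

```powershell
# Added example (not the utility's code): read-only audit for the indicators this README lists.
# Assumptions: NT-style paths; Run/RunServices hive unknown, so HKLM and HKCU are both checked.
$findings = New-Object System.Collections.Generic.List[string]
$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$sysdir = [Environment]::SystemDirectory

# I-Worm.BleBla.b: its ProgID key, and extension defaults that differ from the README's list
if (Test-Path "$hkcr\rnjfile") { $findings.Add('BleBla.b: HKCR\rnjfile exists') }
if (Test-Path "$hkcr\.lha")    { $findings.Add('BleBla.b: HKCR\.lha exists (utility deletes it)') }
$defaults = @{ '.jpg'='jpegfile'; '.jpeg'='jpegfile'; '.bmp'='Paint.Picture'; '.gif'='giffile';
               '.mpg'='mpegfile'; '.xls'='excel.sheet.8'; '.reg'='regfile'; '.exe'='exefile' }
foreach ($ext in $defaults.Keys) {
    $cur = (Get-ItemProperty -Path "$hkcr\$ext" -ErrorAction SilentlyContinue).'(default)'
    # A different ProgID is only a lead: newer Windows versions and installed apps set their own.
    if ($cur -and $cur -ne $defaults[$ext]) { $findings.Add("BleBla.b? $ext -> $cur (README default: $($defaults[$ext]))") }
}

# exefile open command: the Navidad and Sircam clean-ups both restore it to "%1" %*
$cmd = (Get-ItemProperty -Path "$hkcr\exefile\shell\open\command").'(default)'
if ($cmd -ne '"%1" %*') { $findings.Add("exefile\shell\open\command is [$cmd], expected [""%1"" %*]") }

# Run / RunServices values named in the README (Navidad, Sircam, Goner)
foreach ($hive in 'HKLM:', 'HKCU:') {
    $run = Get-ItemProperty -Path "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    $rs  = Get-ItemProperty -Path "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices" -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties.Name -contains 'Win32BaseServiceMOD') { $findings.Add("Navidad: $hive Run\Win32BaseServiceMOD") }
    if ($rs  -and $rs.PSObject.Properties.Name  -contains 'Driver32')            { $findings.Add("Sircam: $hive RunServices\Driver32") }
    if ($run -and ($run.PSObject.Properties.Value -match 'gone\.scr'))           { $findings.Add("Goner: $hive Run entry references gone.scr") }
}

# I-Worm.Navidad / I-Worm.Sircam marker keys, autoexec.bat line, and dropped files
foreach ($k in 'Navidad', 'xxxxmas', 'Emanuel') { if (Test-Path "HKCU:\Software\$k") { $findings.Add("Navidad: HKCU\Software\$k exists") } }
if (Test-Path 'HKLM:\Software\SirCam') { $findings.Add('Sircam: HKLM\Software\SirCam exists') }
$autoexec = "$env:SystemDrive\autoexec.bat"
if ((Test-Path $autoexec) -and (Select-String -Path $autoexec -SimpleMatch -Pattern 'sirc32.exe' -Quiet)) {
    $findings.Add('Sircam: autoexec.bat references sirc32.exe')
}
foreach ($f in "$env:SystemDrive\RECYCLED\SirC32.exe", "$env:windir\ScMx32.exe", "$sysdir\SCam32.exe",
               "$sysdir\gone.scr", "$env:windir\sysrnj.exe") {   # sysrnj.exe path assumed relative to $env:windir
    if (Test-Path $f) { $findings.Add("file present: $f") }
}

# I-Worm.Goner / I-Worm.Klez: named processes and the WQK.DLL module loaded anywhere
foreach ($p in 'gone', 'Krn132', 'WQK') { if (Get-Process -Name $p -ErrorAction SilentlyContinue) { $findings.Add("process running: $p") } }
foreach ($proc in Get-Process) {
    try { if ($proc.Modules.ModuleName -contains 'WQK.DLL') { $findings.Add("Klez: WQK.DLL loaded in $($proc.ProcessName) (PID $($proc.Id))") } }
    catch { }   # protected or cross-bitness processes refuse module enumeration; skip them
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output 'No listed indicators found.' }
```

Run it from an elevated session so module enumeration and HKLM reads succeed; a BleBla.b extension-default finding only indicates a mismatch with the era defaults in the README, not an infection by itself.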