Document ID:2002050312432854
Last Modified:10/01/2002
How to determine the source of a W32.Klez virus infection
Situation:
You have removed the W32.Klez virus or you want to determine the source of the infection on your network.
Solution:
The attached klez tracking tool.zip was created to track the source of the FunLove virus. However, it can be modified to track the source of a Klez infection by using the following steps:
1. Save the attached klez tracking tool.zip file to a folder on the computer and unzip it. You should have the following files after extracting:
FLTrack9x.exe
FLTrack.exe
Fltrack.reg
ReadMe.txt
2. Double-click the Fltrack.reg file. This will insert the following entries into the registry:
[HKEY_LOCAL_MACHINE\Software\Symantec\FLTrack]
"DebugConsole"=dword:00000000
"Logging"=dword:00000001
"DeleteSessions"=dword:00000001
"CloseFiles"=dword:00000000
"DeleteShares"=dword:00000000
"ShowMessageBox"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Symantec\FLTrack\Triggers]
"W32.Klez.A@mm"=dword:00000000
"W32.Klez.E@mm"=dword:00000000
"W32.Klez.E@mm.enc"=dword:00000000
"W32.Klez.E@mm.enc(1)"=dword:00000000
"W32.Klez.gen@mm"=dword:00000000
"W32.Klez.H@mm.enc"=dword:00000000
"W32.Klez.H@mm.enc(1)"=dword:00000000
3. Double-click the appropriate file for your operating system to begin logging.
For Windows 9x/Me:
FLTrack9x.exe
For Windows NT/2000/XP:
Fltrack.exe
NOTE: The log file is created in the folder from which Fltrack.exe is run. If the system that is getting the Klez infections is a NAVCE server, then run Fltrack.exe from the NAV folder so that the logs can be accessed through the VPhome share.
CAUTION: Symantec provides this utility as a convenience for customers. This utility is not supported by Technical Support, and Technical Support will not troubleshoot any problems that may arise with its use. Customers making use of this utility do so at their own risk and assume full responsibility for the consequences.
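As an added example (not part of the Symantec tool or of this article), the following Python script parses the Fltrack.reg entries listed in step 2 and reports which FLTrack options are enabled and which Klez detection names are configured as triggers, so a modified copy of the file can be checked before it is imported. The key and value names are the article's; the sample text embedded in the script is a constructed copy of those entries.

```python
import re

# Constructed copy of the Fltrack.reg entries from step 2, embedded so the
# script runs offline; on a real system read the .reg file from disk instead.
FLTRACK_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Symantec\FLTrack]
"DebugConsole"=dword:00000000
"Logging"=dword:00000001
"DeleteSessions"=dword:00000001
"CloseFiles"=dword:00000000
"DeleteShares"=dword:00000000
"ShowMessageBox"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Symantec\FLTrack\Triggers]
"W32.Klez.A@mm"=dword:00000000
"W32.Klez.E@mm"=dword:00000000
"W32.Klez.E@mm.enc"=dword:00000000
"W32.Klez.E@mm.enc(1)"=dword:00000000
"W32.Klez.gen@mm"=dword:00000000
"W32.Klez.H@mm.enc"=dword:00000000
"W32.Klez.H@mm.enc(1)"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...\Sub\Key]
DWORD_RE = re.compile(r'^"(.+)"=dword:([0-9A-Fa-f]{8})$')  # "Name"=dword:hex

def parse_reg(text: str) -> dict:
    """Parse [key] sections with "name"=dword:hex values into {key: {name: int}}."""
    result: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):   # skip blanks and .reg comments
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result

FLTRACK_KEY = r'HKEY_LOCAL_MACHINE\Software\Symantec\FLTrack'

def audit_fltrack(reg: dict) -> dict:
    """Summarise the FLTrack options set to 1 and the Klez names used as triggers."""
    opts = reg.get(FLTRACK_KEY, {})
    triggers = reg.get(FLTRACK_KEY + r'\Triggers', {})
    return {
        'logging_enabled': opts.get('Logging') == 1,
        'options_enabled': sorted(n for n, v in opts.items() if v == 1),
        'klez_triggers': sorted(n for n in triggers if n.startswith('W32.Klez')),
    }
```

Running audit_fltrack(parse_reg(FLTRACK_REG)) on the article's entries shows Logging, DeleteSessions and ShowMessageBox enabled and seven Klez trigger names; a copy of the file that drops a Klez variant or turns Logging off is spotted before it touches the registry.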
For more information on the W32.Klez.X viruses, search for Klez on the Symantec Security Response web site located at:
http://securityresponse.symantec.com/avcenter/vinfodb.html
Product(s): General
Date Created: 05/03/2002