The Klez-E worm will overwrite files with DOC, XLS, TXT, HTM, HTML, WAB, JPG, MPG, MPEG, MP3, BACK, C and PAS extensions on the 6th of January, March, May, September and November each year. Klez-F is the same, except less destructive than the Klez-E.
- Boot up your computer with a clean DOS diskette from drive A. This is not an option as the active file is a hidden and read only file and Windows will not allow this file to be deleted
- Run Vbuster.Exe and get it to delete all occurances of the Worm
- Note the name of the Worm in Windows\System Subdirectory or Windows\System32 Subdirectory in Windows NT, 2000 and XP. You can see this in Vbuster.Log which will be created by Vbuster.Exe in the Root directory of your hard disk
- Start Windows and run Regedit.Exe
- Do a Search and look for HKLM\Software\Windows\CurrentVersion\Run\Filexxx where Filexxx is the name of the infected file in the Windows\System or Windows\System32 Subdirectory
- Delete the line after it is found