Klez variant strikes unprotected PCs
Published: 25 Apr 2002 08:56 BST
More than a week after it first started spreading, the latest variant of the Klez worm continues to infect PC users that haven't taken steps to protect themselves.
While the number of computers infected by the Klez.H variant falls short of such epidemics as the LoveLetter worm, the virus has still shown surprising resiliency, said Steve Trilling, director of antivirus software maker Symantec's security response team.
"It is still going very strong," he said. "We got half the submissions from the last 10 days in the last two days... It is definitely not dropping off."
The Klez variant has generated nearly 20,000 incident reports from Symantec customers in a little over a week, Trilling said. Included in that number are 250 corporations that have multiple infections.
In total, Klez reports make up 75 percent of all reports that the company receives, easily putting it at the top spot for threats.
The ability of even a ho-hum virus to spread effectively across the Internet may speak volumes about the ill-preparedness of home users and many corporations to deal with even old security threats.
Computer users who have antivirus software and have updated the software's virus definitions -- information used to recognise viruses -- are immune to the latest Klez variant. Trilling wouldn't say whether users' failure to update their software after Klez's first emergence was responsible for the increase in Klez infections, but he did say it's a leading reason for the continued spread of older viruses.
The Klez worm doesn't contain any new tricks that could account for its success, said David Perry, director of education for antivirus software maker Trend Micro.
"It's pretty surprising actually," he said. "It is just a minor variant of Klez...There is nothing very special about the technologies included in it."
Trend Micro's Worldwide Virus Tracking Center, a Web service that reports incidents of a virus infection aggregated from calls to Trend Micro's customer support and any instances found by its online virus scanner, says the Klez.H worm -- which Trend Micro calls Klez.G -- is currently its second most reported virus. An outbreak in Italy of the JS.Exception Javascript virus tops the list.
"We are a little puzzled that it is still showing up," he said. "I would say that someone is vigorously seeding this virus." However, Perry added that, while the way that Klez is infecting computers seems to indicate that the worm is being "seeded" or spread by design, he had no evidence that this was indeed the case.
The variant of the Klez worm, which started spreading early last week, arrives as an attachment to an email message. While the virus doesn't harm data on a computer it infects, it can send out a random file from the PC as an attachment along with the email that carries the worm, potentially leaking confidential information from an infected computer.
The worm randomly chooses a subject line from more than 100 possibilities, uses many different file names when attaching itself to a message and mails the messages off to email addresses that it culls from files on the infected machine. In addition, Klez is able to "spoof," or replace, the sender's email address with an address found on the infected PC.
Alex Shipp, antivirus technologist for UK-based email service provider MessageLabs, pointed to these abilities of the virus as key reasons for its virulence.
"When people hear there is a virus out there, they look for a specific subject line and message," he said. The different subject lines and file names prevent victims from recognising that a message contains the virus, Shipp said, pointing to the LoveLetter virus, which spread in May 2000, as one that could be easily recognised.
The spoofing function also makes it harder for people who receive an infected email to contact the sender to let them known they are infected, he said.
"Normally, you'd tell the people (who sent the virus) to stop, but the people in the sender's box aren't the one's sending it," Shipp said. "You may get an email from Aunt Mabis, but it's not Aunt Mabis that is infected."
Still, the Klez outbreak fails to be an epidemic of the magnitude of LoveLetter, Shipp added.
"We are seeing viruses at a rate of about 1 per 200 emails," he said. "When the Love Bug hit that was 1 in 28 emails." For its time, LoveBug, also known as LoveLetter, was more technologically advanced than Klez.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
10 out of 58 people found this useful
- Share this article:
