Online business Toolkit

Klez worms its way to the top of the virus charts

Tags:
Spreading Rapidly,
Unpredictable Subject Lines,
Viruses,
Klez Variant

David Becker CNet

Published: 30 Apr 2002 08:35 BST

The latest fast-spreading versions of the Klez worm have so far infected more than 7 percent of PCs worldwide, surpassing totals chalked up by previous threats such as SirCam and Nimda, according to a new survey by an antivirus company.

Panda Software scanned more than 2,000 PCs around the world and found that 7.2 percent had the H or I versions of the Klez worm, said Patrick Hinojosa, chief technical officer for the company.

Considering that the H and I versions of Klez have been in the wild for only a few weeks, that's an alarmingly fast spread, said Hinojosa.

"I was pretty surprised at the percentage," he said. "This thing started slowly, but it's proliferating at a tremendous rate now."

The Klez.H worm began spreading about two weeks ago and quickly became the top pest on the Internet. As of midday on Monday, email screening company MessageLabs had intercepted 16,700 copies of Klez.H in the past 24 hours, making it by far the busiest bug.

The Klez.I worm is a slight variation on Klez.H that also infects PCs with the Elkern.d virus, which antivirus company Trend Micro ranked as the most active virus on Monday.

While neither of the Klez worms is particularly destructive, they pose a security threat by sharing files plucked from infected PCs as they spread.

Steve Trilling, director of antivirus software maker Symantec's security response team, said the Klez worm's use of its own email engine and its unpredictable variation of email subject lines helped the virus spread.

"Whenever we see these threats, it's always a combination of technical and human factors that they feed on," Trilling said. "The human factor is: does it start inside a company that doesn't have good antivirus protection in place, so it can grab a number of email addresses at the start?"

Hinojosa said Klez.h has also been effective in spreading confusion because it "spoofs" email addresses as it propagates, making it look like an infected message came from a familiar address -- one randomly grabbed from an Outlook address book. An infected message can look like it came from a legitimate source, and replies can accuse unaffected PCs of being infected.

"Just watching our traffic here, I've seen several messages supposedly from our tech support that were generated by Klez," Hinojosa said. "I think that contributed to people opening a lot of emails that they wouldn't otherwise open, because it looks like it's from somebody legitimate."

Recommendations include running updated antivirus software, making sure the proper security patches are installed for Microsoft Outlook and running a standalone virus checker, such as Symantec's downloadable Klez removal tool.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.