Klez virus passes confidential info
Published: 22 Apr 2002 10:16 BST
The latest variant of the Klez worm sometimes chooses to hitch a ride on sensitive documents, resulting in victims' confidential information spreading with the malicious program, Russian antivirus firm Kaspersky Labs said on Friday.
Known as Klez.G, Klez.H and Klez.K, depending on the security advisory, the newest incarnation has spread worldwide, sending itself in email messages with infected documents attached.
Occasionally the documents contain sensitive material, said an advisory from Kaspersky Labs.
"Klez.H poses a special threat: the worm scans the disks of an infected computer and, depending on a set of conditions, attaches a file to each infected email it distributes," stated the advisory.
Text, HTML (Hypertext Markup Language), Adobe Acrobat and Excel files are included in the types of documents that the virus can forward, but other files that the worm could attach -- such as JPEG and MPEG files -- are less likely to contain important information.
Representatives of Kaspersky Labs were not available for comment.
This is not the first time a virus has leaked information, however. The SirCam worm, which is still spreading among computers on the Internet, also attached itself to documents and forwarded on the infected files to potential victims.
Security-software maker Symantec upgraded on Wednesday the latest variant, which it labelled W32.Klez.H, to a threat level of three from a previous rating of two. The company categorises threats on a scale of one, the lowest threat, to five.
However, Vincent Weafer, senior director of Symantec's Security Response team, on Friday said they haven't been able to reproduce the information-leaking function of the worm that Kaspersky Labs is claiming.
"It is nothing that we have seen in our lab," he said. "It definitely data mines files for email addresses, but we haven't seen it attach files. We will keep doing some additional testing in this area."
Email security firm MessageLabs said the Klez.H worm had proliferated "dramatically" during the day on Friday.
MessageLabs, based in the United Kingdom, first detected the new variant on Monday from an Internet address in China. Most antivirus vendors, such as Symantec, McAfee and Sophos, have offered Klez.H patches since Wednesday.
MessageLabs said it stopped two copies of Klez variants on Monday. Since Wednesday afternoon the number of copies rose sharply, gathering pace on Friday. The firm said it stopped several thousand copies on Friday, for a total of more than 46,000 copies by Friday afternoon -- or nearly one in every 77 emails. The United Kingdom topped its list with more than 5,000 copies stopped, followed by Hong Kong and the United States.
The worm arrives in an email message with one of 120 possible subject lines.
In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on un-patched versions of Outlook.
The program will also cull email addresses by searching a host of different file types on the infected PC. Using its own mail program, the worm will send itself off to those email addresses. In addition, it will use the addresses to create a fake "From:" field in the email message, disguising the actual source of the email.
The worm also attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.
Finally, the worm drops a second virus on the computer and spreads to other disk drives connected to the PC over an internal network.
Matthew Broersma contributed to this report.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
39 out of 68 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
