Klez not slowing down |
| Posted by Demon | on Tuesday, May 28, 2002 - 10:41 AM EST
|
|
|
"Klez.h appears to be overtaking SirCam as the most virulent computer virus to date. This particular version of the virus surfaced in April, and is also known as Klez.g, Klez.h and Klez.k, depending on the security advisory that's referring to it."
According to antivirus outsourcing firm Messagelabs, which scans e-mails for corporate clients, Klez.h overtook SirCam on Sunday and continues to spread, with the company's servers blocking up to 20,000 copies every working day. To date, Messagelabs has stopped over 800,000 copies of Klez.h.
The remarkable success of Klez.h is largely down to the different methods it uses to spread. "There are a lot of people on the Internet without any virus protection wtatsoever, and they tend to avoid viruses by recognizing subject lines and content," said Alex Shipp, antivirus technologist at Messagelabs. "But with Klez.h this approach does not work."
The problem is that Klez.h arrives in an e-mail message with one of 120 possible subject lines. There are 18 different standard subject headings, including "let's be friends", "meeting notice", "some questions", and "honey". On top of those, seven other patterns exist, such as "a x game" and "a x patch", where x can be one of 16 different words, including "new", "WinXP", and the name of any of six major antivirus companies.
In many circumstances, the worm doesn't need the victim toit in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, toitself automatically on unpatched versions of Outlook.
The malicious program will find any network storage available on the infected PC and copy itself to the remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension.
The program will also cull e-mail addresses by searching a host of different file types on the infected PC. Using its own mail program, the worm will send itself off to those e-mail addresses. In addition, it will use the addresses to create a fake "From:" field in the e-mail message, disguising the actual source of the e-mail.
Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.
It is unclear why Klez.h, or all the variants of the original Klez virus, has been so effective. On the same day that Klez.h was released into the wild, said Shipp, another very similar variant called Klez.i was released. "But we only ever saw two copies of Klez.i, and Klez.h meanwhile has gone bananas. Why one has made it and the other not we don't know. It might be that the virus writer seeded the different versions to different email groups, and one was more active so that virus reached a critical mass."
Source
|
| | | |
|
Related links |
|
|
|
