This morning, some computer users may have found scores of files on their hard drive overwritten by the Klez-E worm.
Discovered in mid-January, Klez-E carries a destructive payload that overwrites various files including those with the .bak, .c, .cpp, .doc, .htm, .html, .jpg, .mp3, .mpeg, .mpg, .pas, .txt, .wab and .xls extensions. Its payload is set to activate today, as it does on the sixth day of odd-numbered months March, May, September and November. In January and July, the worm's payload overwrites all files on all drives.
The worm also will attempt to spread itself today by exploiting a MIME vulnerability in Outlook, Outlook Express or Internet Explorer. The flaw automatically launches executables when the infected e-mail is previewed or opened. In other words, a user does not have to double click on the attachment to infect the system.
Users can minimize the risks associated with the worm by practicing solid security procedures, said Tony Magallanez, a systems engineer with antivirus company, F-Secure. Filtering attachments and scanning e-mail will help. Updating virus definitions is a must, as is installing the latest Microsoft patches for the MIME hole, Magallanez said.
The worm can arrive with various subject lines including:
- How are you?
- Can you help me?
- We want peace
- Where will you go?
- Don't cry
- Look at the pretty
- Some advice on your shortcoming
- Free XXX Pictures
- A free hot porn site
- Why don't you reply to me?
- How about have dinner with me together?
- Never kiss a stranger
Beside using the Windows address book for names to spread, Klez-E also looks for e-mail addresses in users' database files for the ICQ instant messenger product.
The Klez-E worm is just the latest variant in a line of Klez worms going as far back as 2000. The original was a fairly straightforward e-mail worm that spread from person to person. Klez-E, by contrast, is network aware and can spread itself throughout a network from an infected machine.
"This can become an issue within corporations," said Steven Sundermeier, product manager with the Medina, Ohio-based Central Command. "Sally on PC No. 1 in a corporation may not practice safe computing. She could get the worm and pass it to John on PC No. 106 who is practicing safe computing."
Beside destroying certain data, Klez-E also targets security applications such as antivirus software and personal firewalls. "This could open the door to being affected by other viruses," Magallanez said.
Oddly enough, the worm also targets other malicious code such as Sircam, Nimda and Code Red.
The writer of Klez-E is probably not trying to squeeze out competition as much as show off to antivirus companies, Magallanez said. They believe the writer of Klez-E is from Asia and is behind other Klez family worms. Hidden messages within the worm seem to indicate the writer would like a job in the antivirus industry.
"I want a good job, I must support my parents. Now you have seen my technical capabilities," the writer says. "Don't call (me) names, I have no hostility. Can you help me?"