Article

New Klez variant can do some damage

Edward Hurley, Assistant News Editor

A new variant of the Klez worm made its way around Asia and Europe this week, but its progress appears to be slowing in North America today.

FOR MORE INFORMATION:

    Requires Free Membership to View

Best Web Links on malicious code

Ask SearchSecurity's virus site expert a question on Klez-I

SearchSecurity viruses Discussion Forum


Feedback on this story? Send your comments to Assistant News Editor Edward Hurley

The worm arrives as an e-mail attachment, and when executed, drops the W32.Elkern.4926 virus. Antivirus companies are calling it either Klez-H or Klez-I.

The worm appeared in Asia and Europe earlier this week, giving antivirus companies an opportunity to update their definitions and get them to customers to keep the worm at bay in North America.

The best defense against worms is keeping antivirus definitions updated, said Patrick Hinojosa, CTO of Panda Software. "The worm is a lot like a bomber trying to attack you. You have to shoot the plane before it has a chance to drop its bomb," he said.

Generally mass-mailing worms cause traffic problems but not a lot of other damage, Hinojosa said. Klez-I, however, has some pesky features. The Elkern virus, for example, overwrites executables.

Also, it uses multiple subject lines when spreading. The name of the attached file is also random. Some subject lines feature names of antivirus companies, making the e-mail appear to be a patch while others appeal to more prurient interests. Here is a sampling:

  • Undeliverable mail--"[Random word]"
  • Returned mail--"[Random word]"
  • a [Random word] [Random word] game
  • a [Random word] [Random word] tool
  • a [Random word] [Random word] website
  • a [Random word] [Random word] patch
  • [Random word] removal tools
  • how are you
  • let's be friends
  • darling
  • so cool a flash, enjoy it
  • your password
  • honey
  • some questions
  • please try again
  • welcome to my hometown
  • the Garden of Eden
  • introduction on ADSL
  • meeting notice
  • questionnaire
  • congratulations
  • sos!
  • japanese girl VS playboy
  • look,my beautiful girl friend
  • eager to see you
  • spice girls' vocal concert
  • japanese lass' sexy pictures

When executed Klez-I, it copies itself to the Systems folder. It also copies itself to local and network drives as a random file name that has a double extension. The Elkern virus is also copied to the Program Files folder.

To spread, the worm looks for e-mail address in the Windows address books and ICQ databases. The worm also searches files that have the following extensions for e-mail addresses: mp8, .exe, .scr, .pif, .bat, .txt, .htm, .html, .wab, .asp, .doc, .rtf, .xls, .jpg, .cpp, .pas, .mpg, .mpeg, .bak, .mp3 and .pdf. The worm mails itself to those addresses via its own SMTP engine and uses a randomly selected From Address from e-mail addresses found on the system.

Additionally, the worm tries to disable antivirus scanners by removing startup registry keys. It also targets worms such as Nimda and Code Red and tries to disable them.

Users of Outlook and Outlook Express should be aware that a flaw in those products could automatically execute the worm if viewed with the Preview Pane. A patch for this problem has been available for a while from Microsoft.

It's hard to say whether Klez-I is from the same author of past versions of the worm, Hinojosa said. Often, virus writers trade source code for their creations. A person only needed to get a hold of the Klez code, tweak it then send it out again, Hinojosa said.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: