A new variant of the Klez worm made its way around Asia and Europe this week, but its progress appears to be slowing in North America today.
The worm arrives as an e-mail attachment, and when executed, drops the W32.Elkern.4926 virus. Antivirus companies are calling it either Klez-H or Klez-I.
The worm appeared in Asia and Europe earlier this week, giving antivirus companies an opportunity to update their definitions and get them to customers to keep the worm at bay in North America.
The best defense against worms is keeping antivirus definitions updated, said Patrick Hinojosa, CTO of Panda Software. "The worm is a lot like a bomber trying to attack you. You have to shoot the plane before it has a chance to drop its bomb," he said.
Generally, mass-mailing worms cause traffic problems but not a lot of other damage, Hinojosa said. Klez-I, however, has some pesky features. The Elkern virus, for example, overwrites executables.
Also, it uses multiple subject lines when spreading. The name of the attached file is also random. Some subject lines feature names of antivirus companies, making the e-mail appear to be a patch while others appeal to more prurient interests. Here is a sampling:
- Undeliverable mail--"[Random word]"
- Returned mail--"[Random word]"
- a [Random word] [Random word] game
- a [Random word] [Random word] tool
- a [Random word] [Random word] website
- a [Random word] [Random word] patch
- [Random word] removal tools
- how are you
- let's be friends
- so cool a flash, enjoy it
- your password
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls' vocal concert
- japanese lass' sexy pictures
When executed, Klez-I copies itself to the Systems folder. It also copies itself to local and network drives under a random file name that has a double extension. The Elkern virus is also copied to the Program Files folder.
To spread, the worm looks for e-mail addresses in the Windows address books and ICQ databases. The worm also searches files that have the following extensions for e-mail addresses: .mp8, .exe, .scr, .pif, .bat, .txt, .htm, .html, .wab, .asp, .doc, .rtf, .xls, .jpg, .cpp, .pas, .mpg, .mpeg, .bak, .mp3 and .pdf. The worm mails itself to those addresses via its own SMTP engine and uses a randomly selected From Address from e-mail addresses found on the system.
Additionally, the worm tries to disable antivirus scanners by removing startup registry keys. It also targets worms such as Nimda and Code Red and tries to disable them.
Users of Outlook and Outlook Express should be aware that a flaw in those products could automatically execute the worm if viewed with the Preview Pane. A patch for this problem has been available for a while from Microsoft.
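As an added example (not from the article or from any antivirus vendor), the following Python code shows how a mail gateway could triage messages against the subject templates listed above together with the attachment name. The executable-extension set, the function names and the double-extension check on the attachment are assumptions; the article states the double extension only for the copies dropped on drives, and the From header is ignored because the worm picks it at random.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from pathlib import PurePosixPath

W = r"\S+"  # stands in for the article's "[Random word]"
TEMPLATES = [re.compile(p, re.I) for p in (
    rf'^(undeliverable|returned) mail--"{W}"$',
    rf"^a {W} {W} (game|tool|website|patch)$",
    rf"^{W} removal tools$",
)]
FIXED = {  # fixed subject lines quoted in the article, lower-cased
    "how are you", "let's be friends", "so cool a flash, enjoy it",
    "your password", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "japanese girl vs playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert", "japanese lass' sexy pictures",
}
EXEC_EXT = {".exe", ".scr", ".pif", ".bat"}  # assumption: extensions to block

def triage(raw):
    """Return the list of indicators a raw RFC 5322 message matches."""
    msg = message_from_string(raw, policy=default)
    subject = " ".join(str(msg["Subject"] or "").split())
    hits = []
    if subject.lower() in FIXED or any(t.match(subject) for t in TEMPLATES):
        hits.append("subject")
    for part in msg.iter_attachments():
        suffixes = PurePosixPath((part.get_filename() or "").lower()).suffixes
        if suffixes and suffixes[-1] in EXEC_EXT:
            hits.append("exec-attachment")
            if len(suffixes) >= 2:
                hits.append("double-extension")
    return hits

def quarantine(raw):
    # Subjects such as "meeting notice" are common in legitimate mail, so a
    # subject match alone is not enough; require an executable attachment too.
    hits = triage(raw)
    return "subject" in hits and "exec-attachment" in hits

def sample(subject, filename=None):
    """Build a constructed test message (not real worm traffic)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()
```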
It's hard to say whether Klez-I is from the same author as past versions of the worm, Hinojosa said. Often, virus writers trade source code for their creations. A person only needed to get a hold of the Klez code, tweak it, then send it out again, Hinojosa said.