The latest variant of the Klez worm has spread significantly since appearing last week and users are urged to take proactive measures, like installing patches, updating virus definitions and blocking certain files at the gateway, to stay safe.
Klez-G spreads via e-mail and network shares and has the potential to steal data, including sensitive documents, before it mails itself using a built-in SMTP engine. Some antivirus experts credit a year-old exploit in Microsoft Outlook as a reason for its success. Medina, Ohio-based Command Central, meanwhile, said Klez-G's infection rate has increased more than 300% since Thursday.
Another pesky feature of Klez-G has allowed the worm to bloom, said Steven Sundermeier, Command Central's product manager. Like many worms, Klez-G looks for e-mail addresses in users' Windows address books and in ICQ instant messaging databases. But Klez-G also searches documents, text files, Web pages and PDFs for e-mail addresses as well.
For example, the worm can get e-mail addresses from cached Web page files. "Someone may have visited the Command Central Web site five days ago and not clean out their cache. If they looked at the contact page then the worm could get all the e-mail addresses on it," Sundermeier said.
When spreading itself using the culled e-mail addresses, the worm can also include data from the infected system much like SirCam does, Sundermeier said. However, the worm doesn't do this in all cases.
Unlike past worms such as Nimda and Code Red, the infection rates for Klez-G have increased each day. Nimda and Code Red were around the world within hours so the first day for them was the worst, said F-Secure's director of anti-virus research, Mikko Hypponen. As Klez-G has come from Asia, it has been slower moving until it hit Europe and North America.
Yet Hypponen cautions that citing infection statistics about the worm is difficult as one machine can send out a huge volume of infected messages. Usually, infection rates are calculated by looking at the number of infected e-mails intercepted. In Klez-G's case, this won't quite work, he said.
Users have a few things they can do to prevent infection. First, they should make sure they have the patch for the Outlook vulnerability installed. The hole allows the worm to execute when the message is either opened or viewed through Preview Pane.
Second, virus definitions need to be updated (all the major antivirus companies have had the definitions since last week). Antivirus scanning at the firewall or gateway would make sure the social engineering of the worm doesn't sway users.
Lastly, companies should consider blocking certain file extensions at the gateway. Blocking .pif, .exe, .bat, and .scr files at the gateway will prevent an organization from getting Klez-G and other variants of the worm. Most users won't have to e-mail such files, especially within a business context. For example, .pifs are system files and .scr are screensaver files.
However, such an approach isn't a panacea. A user could conceivably access a Web-based e-mail account and allow the worm in that way, said Roger Thompson, technical director of malicious code research at TruSecure Corp. of Herndon, Va.
Thompson credits luck more than technical savvy to why Klez-G has been able to spread so successfully. The worm's ability to use a variety of subject lines and messages has given it an edge. "In one case, it arrives as a Snoopy game. How could Snoopy be harmful," he said.