Klez's reign appears to be waning, though users should still be cautious of unsolicited e-mails, security experts said.
For more than 10 days, variants of the Klez worm have infected thousands of systems around the world. Some carried payloads capable of destroying executable files. Discerning the messages carrying the malicious code wasn't easy as it used randomly generated subject lines and attachment names.
A survey by Panda Software quantifies the rate of infection. Panda said its research found that 7.2% of computers in world are infected with the worm. Symantec had about 14,000 submissions of the virus by Friday including 500 from corporate customers. By far, the worm is responsible for the biggest outbreak this year.
Users can learn a few lessons from Klez.H. For starters, the worm highlighted the need to keep antivirus definitions updated. All the major antivirus software vendors had updated their signature files well before the worm took off. The worm generated random subject lines and messages, unlike "ILOVEYOU" or "Anna Kournikova," making good antivirus protection very important, said Steve Trilling, senior director of research at Symantec's Security Response.
Users should also keep on top of patching software. Klez's spread, in part, can be traced to the way it exploited a flaw in Outlook that would execute the malicious code by viewing it through the Preview Pane. Symantec advises users to be proactive in their patching.
"A lot of people will only install a patch to solve a problem they are having," Trilling said.
Finally, e-mail users need to be cautious about opening attachments even if they come from people they know. As Klez.H shows, one can't always trust that an e-mail comes from the person who it appears to. Such trust with opening attachments is a cultural point that will have to change, Trilling said.
Trust no one
Klez is capable of harvesting e-mail addresses from the cached Web pages and files of infected systems. Messages may appear to come from a friend, when in fact it comes from an infected system belonging to someone who has your friend's e-mail address.
Over time, people will become more suspicious of unsolicited e-mails with attachments much as they would be cautious with a strange package that arrives, Trilling added.
"Imagine you were walking down a street. Someone comes up and says they are from the World Health Organization and offers you a pill saying you will never be sick again if you take it. No one would swallow the pill," Trilling said.
Reasons abound for why Klez seemed to gain ground to an extent that no other virus has this year. For starters, the worm took advantage of a common flaw in Microsoft Outlook. Users with the vulnerable e-mail application could infect their systems simply by viewing the message through the Preview Pane or opening the e-mail. In other words, one wouldn't have to double click on the attachment to execute it.
The worm also targets antivirus software files so this could also account for Klez's spread, said Patrick Hinojosa, CTO of Panda Software. Some versions of the worm carried the Elkern virus, malicious code that targets files with the names of the major antivirus companies.
Klez.H is also effective in harvesting e-mail addresses from infected machines. Beside pillaging the Microsoft address book and the ICQ database, the worm searched for e-mail addresses in a host of files including documents, text files and even cached Web pages. As a result, the worm can send out a barrage of e-mails from one infected machine using its own SMTP engine.
Each e-mail sent has a randomly selected subject line and name for the attachment carrying the worm. The lines use a variety of subject lines from promises of pictures of the sender?s girlfriend to patches.
One reason for why Klez.H spread so much could be employees accessing home e-mail accounts from work, said Chris Rouland, director of Internet Security Systems (ISS) research team, X Force. Such activity is another "attack vector" for malicious code as it bypasses most companies? security features.
Blocking Web-based e-mail accounts would be "very Draconian," Rouland admits. But companies could easily set up a way to temporary block access when a major worm like Klez.H is making its way around.