Klez -- The latest severe virus threat


James Michael Stewart
05.28.2002

In April, a new and active strain of the Klez worms surfaced, known as Klez.h. It has quickly become the third most widespread virus of all time, infecting over 350,000 systems across the globe in less than a month. If protection measures are not universally enforced quickly, it will soon become the second most widespread virus (passing BadTrans) and will be advancing quickly toward number one (SirCam).

The Klez strain of worms was discovered in November 2001. This latest version has spread very rapidly and has the potential to cause severe damage to infected systems. In April alone, Klez variants comprised nearly 78% of all reported virus infections.

Klez takes advantage of a vulnerability in Microsoft Outlook and Outlook Express. However, a patch that removes this vulnerability (MS01-020) has been available from Microsoft for over a year. The proliferation of this worm is due to a lack of enforced security measures in both the corporate and private sectors. Simply applying the security hotfix and updating virus definitions will prevent further infection.

Additionally, the Klez.h variant is so closely related to its Klez.g predecessor that most antivirus software products will intercept it even with a definition list a few months old.

Klez includes its own SMTP engine, so it does not have to rely on the infected system's mail configuration to spread itself. When a system becomes infected, Klez immediately harvests e-mail addresses from the local Outlook/Outlook Express address book and numerous other files on the system, then e-mails itself to every discovered address, using a randomly selected subject from a list of about 30 possibilities. The infection attachment is usually a .BAT, .EXE, .PIF or .SCR file about 60KB in size. In addition to the infection attachment, the Klez worm also attaches a random document taken from the infected system to the outgoing e-mail.

The body of the e-mails sent by Klez typically includes text similar to the following:

    Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic, most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

    NOTE: Because this tool acts as a fake Klez to fool the real worm, some AV monitor may cry when you run it. If so, ignore the warning, and select 'continue'. If you have any question,please mail to me.

As you can see, any unsuspecting and trusting person may fall prey to this and install the virus instead of a valid protection tool. Please be warned that you should never install any so-called antivirus tool, hotfix or patch that arrives by e-mail. Always go to the vendor's Web/FTP site and download it from a secured server.
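As an added defensive illustration that is not part of the original article, the following Python filter checks one raw message for the two indicators described above: an executable attachment with one of the named extensions, and the "immunity tool" lure wording. The sample message, its addresses and the phrase list are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the article reports for the Klez.h infection file.
EXEC_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}
# Phrases taken from the lure text quoted above; a hypothetical filter list.
LURE_PHRASES = ("free immunity tool", "fake klez", "anti-anti-virus")


def klez_indicators(raw_message: bytes) -> list:
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # Walk only the parts marked as attachments, not the message body.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in EXEC_EXTENSIONS:
            hits.append(f"executable attachment {name} ({len(payload)} bytes)")
    # Inspect the text body (attachments are skipped by get_body) for lure wording.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase in text:
            hits.append(f"lure phrase: {phrase!r}")
    return hits


def build_sample() -> bytes:
    """Constructed sample resembling the Klez lure; not a real captured message."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Klez removal tool"
    m.set_content("We developed this free immunity tool to defeat the malicious virus.")
    # 64-byte stand-in for an executable: an MZ header followed by zero padding.
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                     subtype="octet-stream", filename="immunity.exe")
    # A harmless text attachment that the filter should not flag.
    m.add_attachment("meeting notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for hit in klez_indicators(build_sample()):
        print(hit)
```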

The worm includes three different viruses that can perform the following destructive actions:

  • Delete Registry entries and even actual program files for over 50 antivirus scanners and detection utilities
  • Infect open shares, mapped files and all executables in the Windows\System folder
  • Crash Windows 9x
  • Delete files on local or mapped drives on March 13 and September 13 or on a random day (very small chance)
  • One variant will not infect self-extracting archives such as .rar and .zip
  • One variant has no destructive activities

Removing the worm and virus manually is quite difficult, but most of the major antivirus software vendors have an automated removal tool that removes Klez. If the removal tool fails, they also include detailed instructions on manual removal procedures.

For more information on Klez, see:
securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html
www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H
vil.mcafee.com/dispVirus.asp?virus_k=99455

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

