April 19, 2002 1:10 PM PDT
Klez virus passes confidential info
Known as Klez.g, Klez.h and Klez.k, depending on the security advisory, the newest incarnation has spread worldwide, sending itself in e-mail messages with infected documents attached.
Occasionally the documents contain sensitive material, said an advisory from Kaspersky Labs.
"Klez.h poses a special threat: The worm scans the disks of an infected computer and, depending on a set of conditions, attaches a file to each infected e-mail it distributes," stated the advisory.
Text, HTML (Hypertext Markup Language), Adobe Acrobat and Excel files are included in the types of documents that the virus can forward, but other files that the worm could attach--such as JPEG and MPEG files--are less likely to contain important information.
Representatives of Kaspersky Labs were not available for comment.
This is not the first time a virus has leaked information, however. The SirCam worm, which is still spreading among computers on the Internet, also attached itself to documents and forwarded on the infected files to potential victims.
Security-software maker Symantec upgraded on Wednesday the latest variant, which it labeled W32.Klez.h, to a threat level of three from a previous rating of two. The company categorizes threats on a scale of one, the lowest threat, to five.
However, Vincent Weafer, senior director of Symantec's Security Response team, on Friday said they haven't been able to reproduce the information-leaking function of the worm that Kaspersky Labs is claiming.
"It is nothing that we have seen in our lab," he said. "It definitely data mines files for e-mail addresses, but we haven't seen it attach files. We will keep doing some additional testing in this area."
E-mail security firm MessageLabs said the Klez.h worm had proliferated "dramatically" during the day Friday.
MessageLabs, based in the United Kingdom, first detected the new variant on Monday from an Internet address in China. Most antivirus vendors, such as Symantec, McAfee and Sophos, have offered Klez.h patches since Wednesday.
MessageLabs said it stopped two copies of Klez variants on Monday. Since Wednesday afternoon the number of copies rose sharply, gathering pace on Friday. The firm said it stopped several thousand copies on Friday, for a total of more than 46,000 copies by Friday afternoon--or nearly one in every 77 e-mails. The United Kingdom topped its list with more than 5,000 copies stopped, followed by Hong Kong and the United States.
The worm arrives in an e-mail message with one of 120 possible subject lines.
In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on un-patched versions of Outlook.
The program will also cull e-mail addresses by searching a host of different file types on the infected PC. Using its own mail program, the worm will send itself off to those e-mail addresses. In addition, it will use the addresses to create a fake "From:" field in the e-mail message, disguising the actual source of the e-mail.
The worm also attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.
Finally, the worm drops a second virus on the computer and spreads to other disk drives connected to the PC over an internal network.
Matthew Broersma of ZDNet UK contributed to this report.