April 24, 2002 12:25 PM PDT
New "Klez" still clobbering PC users
While the number of computers infected by the Klez.H variant falls short of such epidemics as the LoveLetter worm, the virus has still shown surprising resiliency, said Steve Trilling, director of antivirus software maker Symantec's security response team.
"It is still going very strong," he said. "We got half the submissions from the last 10 days in the last two days...It is definitely not dropping off."
The Klez variant has generated nearly 20,000 incident reports from Symantec customers in a little over a week, Trilling said. Included in that number are 250 corporations that have multiple infections.
In total, Klez reports make up 75 percent of all reports that the company receives, easily putting it at the top spot for threats.
The ability of even a ho-hum virus to spread effectively across the Internet may speak volumes about the ill-preparedness of home users and many corporations to deal with even old security threats.
Computer users who have antivirus software and have updated the software's virus definitions--information used to recognize viruses--are immune to the latest Klez variant. Trilling wouldn't say whether users' failure to update their software after Klez's first emergence was responsible for the increase in Klez infections, but he did say it's a leading reason for the continued spread of older viruses.
The Klez worm doesn't contain any new tricks that could account for its success, said David Perry, director of education for antivirus software maker Trend Micro.
"It's pretty surprising actually," he said. "It is just a minor variant of Klez...There is nothing very special about the technologies included in it."
"We are a little puzzled that it is still showing up," he said. "I would say that someone is vigorously seeding this virus." However, Perry added that, while the way that Klez is infecting computers seems to indicate that the worm is being "seeded" or spread by design, he had no evidence that this was indeed the case.
The variant of the Klez worm, which started spreading early last week, arrives as an attachment to an e-mail message. While the virus doesn't harm data on a computer it infects, it can send out a random file from the PC as an attachment along with the e-mail that carries the worm, potentially leaking confidential information from an infected computer.
The worm randomly chooses a subject line from more than 100 possibilities, uses many different file names when attaching itself to a message and mails the messages off to e-mail addresses that it culls from files on the infected machine. In addition, Klez is able to "spoof," or replace, the sender's e-mail address with an address found on the infected PC.
Alex Shipp, antivirus technologist for U.K.-based e-mail service provider MessageLabs, pointed to these abilities of the virus as key reasons for its virulence.
"When people hear there is a virus out there, they look for a specific subject line and message," he said. The different subject lines and file names prevent victims from recognizing that a message contains the virus, Shipp said, pointing to the LoveLetter virus, which spread in May 2000, as one that could be easily recognized.
The spoofing function also makes it harder for people who receive an infected e-mail to contact the sender to let them known they are infected, he said.
"Normally, you'd tell the people (who sent the virus) to stop, but the people in the sender's box aren't the one's sending it," Shipp said. "You may get an e-mail from Aunt Mabis, but it's not Aunt Mabis that is infected."
Still, the Klez outbreak fails to be an epidemic of the magnitude of LoveLetter, Shipp added.
"We are seeing viruses at a rate of about 1 per 200 e-mails," he said. "When the Love Bug hit that was 1 in 28 e-mails." For its time, LoveBug, also known as LoveLetter, was more technologically advanced than Klez.