February 11, 2002 12:30 PM PST
Klez worm reborn as nastier version
The variant, carried by e-mail and known as Klez.e, overwrites victims' files with random content on the sixth day of odd-numbered months. It can spread automatically on Windows systems that use an unpatched version of Microsoft's Internet Explorer.
"The latest version, Klez.e, (poses) the most serious threat to computer safety," said Moscow-based antivirus company Kaspersky Labs.
Though antivirus companies discovered the Klez.e variant in late January, its tenacity has prompted Kaspersky Labs to release an antivirus tool to remove it.
Based on how many instances of each worm and virus the company has intercepted in the past 24 hours, U.K.-headquartered mail service provider MessageLabs ranks Klez.e fourth on its top 10 list, behind Sircam, BadTrans and Magistr--old worms that continue to plague the Internet. However, the company has intercepted fewer than 400 copies of Klez.e.
In the same 24 hours, BadTrans popped up about 750 times, and Sircam made about 1,600 appearances.
Klez.e arrives in an e-mail message with a subject heading generated from a list of more than 20 keywords or forged to look like the heading on an undelivered message. The body of the message is empty or has random text.
"That's the way it runs automatically, but it still could come onto your system," said Vincent Weafer, senior director of antivirus firm Symantec's security response team. In that instance, a dialog box would appear, asking computer users if they want to run a program called Klez.e. Users should, of course, click no.
Microsoft patched the IE hole last March, so any Windows system that has been recently updated should be immune to the worm's auto-infecting function. Weafer said Klez is in the top 10 but has caused only one-eighth as many reports as BadTrans.
The worm infects Windows archive files with a copy of itself. It also attempts to circumvent antivirus programs and defeat some competing worms by shutting them down if they're found running.
"It tends to attack the user-interface component, but in most cases the real-time scanner is still active," Weafer said. Antivirus software consists of two basic components: the real-time scanner, which catches viruses that attempt to run, and an application with an interface that allows PC users to scan their machine for infections.
Hence, Klez.e "becomes a pain more than a real threat," Weafer said. Symantec has updated virus definitions that are available to protect against the worm.
Microsoft Windows users should run Windows Update to ensure they are protected against the auto-executing features of this worm.