May 28, 2002 11:55 AM PDT
Klez.h wins sibling rivalry
- Related Stories
Chernobyl virus rides Klez's coattailsMay 6, 2002
Survey: Klez worm tops SirCam, NimdaApril 29, 2002
New "Klez" still clobbering PC usersApril 24, 2002
Klez virus passes confidential infoApril 19, 2002
New Klez worm squirms across InternetApril 17, 2002
SirCam worm still a serious threatSeptember 5, 2001
Year of the WormMarch 15, 2001
Combined, the H and I variants of the original Klez worm had already shot past SirCam on the list of most-widespread worms. But Klez.h is proving to be the favorite child.
MessageLabs' servers have been blocking up to 20,000 copies of the worm every working day since late April--the month Klez.h appeared--stopping more than 800,000 copies to date. At the height of SirCam's reign, MessageLabs was grabbing more than 10,000 copies of that worm a day.
"We do have more customers now than when SirCam was out," said Alex Shipp, antivirus technologist at MessageLabs. "But even adjusting for that, we believe Klez is the more widespread."
By the time its run began to slow, SirCam had infected millions of computers worldwide and had caused at least a billion dollars in damages related to cleaning infected systems and to lost productivity.
Klez.h, however, is primarily affecting home users and small businesses, said Shipp. "There appears to be very few corporates infected."
Master of disguise
The remarkable success of Klez.h is largely the result of the different methods it uses to disguise itself and spread.
"There are a lot of people on the Internet without any virus protection whatsoever, and they tend to avoid viruses by recognizing subject lines and content," said Shipp. But that's where the contents of Klez.h's disguise kit come into play.
First of all, Klez.h hides behind one of 120 possible e-mail subject lines. There are 18 different standard subject headings the worm uses, including "let's be friends," "meeting notice," "some questions," and "honey." On top of those, Klez.h uses seven other patterns, such as "a x game" and "a x patch," where x can be one of 16 different words, including "new," "WinXP," and the name of any of six major antivirus companies.
Klez.h also forges the name of the e-mail's sender. The worm searches a host of different file types on the infected PC to come up with e-mail addresses from which to grab aliases. It also sends itself to those addresses, using its own mail program.
And as far as the content part of the e-mail goes, Klez.h also plays tricks with its file name. The malicious program finds any network storage available on the infected PC and copies itself to the remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension.
On top of all that, in some circumstances, Klez.h doesn't even need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook--known as the Automatic Execution of Embedded MIME Type bug--to open itself automatically on unpatched versions of Outlook.
And the worm even goes after antivirus software, deleting registry keys, stopping running processes and removing virus-definition files.
A final problem with Klez.h is that--because of the forged senders' names--many people are unaware that their PCs are infected. "Everybody who receives the virus is alerting everybody else, but the person who owns the infected PC remains blissfully unaware because everybody is alerting the wrong person," said Shipp. "In the past someone would eventually tell you if you had a virus, but you cannot count on this happening any more."
It's unclear, though, why Klez.h has been so much more successful than its sibling, which uses some of the same techniques Klez.h exploits so well.
Klez.i made its debut on the same day Klez.h was released into the wild. "But we only ever saw two copies of Klez.i," said Shipp. "Meanwhile, Klez.h has gone bananas. Why one has made it and the other (has) not we don't know. It might be that the virus writer seeded the different versions to different e-mail groups, and one was more active, so that virus reached a critical mass."
Recommendations for fighting Klez variants include running updated antivirus software, making sure the proper security patches are installed for Microsoft Outlook, and running a standalone virus checker, such as Symantec's downloadable Klez removal tool.
ZDNet U.K.'s Matt Loney reported from London.