Today was one of those days. Someone, at the place I work, opened a KLEZ.H
infected message using Outlook Express.
It was a matter of seconds. The virus spread rapidly throughout the LAN
and almost every computer running winblows and belonging to the
respective workgroup (about six computers) got infected, either by Klez
or its payload, Elkern-C. Some of them stopped working properly.
Being at the end of the working day, all I could do was to shut down all
of them.
I asked the recipient which was the respective message. He
searched through the message index and said "I think this was the
one". I pointed the mouse at it and clicked. And realized that this was
simply the action that triggered the virus.
Up until now I was thinking that dumb Outlook users click on the
respective attachment and it gets executed without warning. The truth is
more horrifying. One gets infected just by *opening* or even *previewing*
the message. Just by clicking on the message title in the message list,
like any one of us would do with any mailer, including Arachne, in order
to view the message's contents. In fact, the person does not even realize
the message had a harmful attachment. However, this is not Outlook's fault,
as one may think, but Internet Explorer's!!!
The message consists of 4 parts:
1. A 0 bytes long text part.
2. An HTML frame which embeds item no. 3.
3. An item disguised (by its MIME type) as an image or MIDI file,
   belonging to no. 2. In fact it is the executable containing the virus.
4. A document chosen randomly from the sender's "My Documents" folder.
When the unfortunate recipient tries to open the message, Outlook opens
no. 2 and calls Internet Explorer's API to display it. When IE gets to open
no. 3, it treats it like any image or song, and does not ask the user whether
it should be displayed or not. It opens the item, sees it's an
executable (how "smart"!) and executes it. Then it gives control back to
Outlook. The mailer picks item no. 4 and, normally, asks the user what to
do with it.
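The message layout described above (an HTML part pulling in, via an <iframe>, an inline part whose declared media type is image or audio but whose content is really a Windows executable) is something a mail gateway can flag before the message reaches a preview pane. The script below is an added example and is not code from the original post; it builds a constructed four-part sample with Python's standard email library (the "executable" is a dummy byte string beginning with the DOS/PE 'MZ' magic, not a real program), then scans any message for the two telltale signs: a declared image/audio part whose bytes start with 'MZ', and an HTML part that embeds an inline part by Content-ID through an <iframe>.

```python
"""Flag MIME parts whose declared media type conflicts with executable content,
and HTML parts that embed an inline part via an <iframe>.

Added example, not the original post's code. The sample message is constructed:
the 'executable' payload is 'MZ' followed by zero bytes, not a real program.
"""
import email
import re
from email import encoders, policy
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List

# Media types the post describes as the disguise for the executable part.
DISGUISE_MAINTYPES = {"image", "audio"}

# <iframe ... src="cid:..."> references an inline part by its Content-ID.
IFRAME_CID_RE = re.compile(r'<iframe[^>]+src\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def looks_like_pe(data: bytes) -> bool:
    """DOS/PE executables start with the two-byte 'MZ' magic."""
    return data[:2] == b"MZ"


def scan_message(raw: bytes) -> List[str]:
    """Return human-readable findings for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype == "text/html":
            for cid in IFRAME_CID_RE.findall(payload.decode("utf-8", "replace")):
                findings.append(f"html part embeds inline part cid:{cid} via <iframe>")
        if part.get_content_maintype() in DISGUISE_MAINTYPES and looks_like_pe(payload):
            cid = (part.get("Content-ID") or "").strip("<>")
            findings.append(
                f"part declared {ctype} but content starts with PE/DOS 'MZ' magic"
                + (f" (cid:{cid})" if cid else "")
            )
    return findings


def build_sample() -> bytes:
    """Construct a four-part message with the layout described in the post.

    All addresses, filenames and bytes here are made up for the example.
    """
    outer = MIMEMultipart("related")
    outer["From"] = "sender@example.invalid"
    outer["To"] = "recipient@example.invalid"
    outer["Subject"] = "constructed sample"
    # 1. zero-length text part
    outer.attach(MIMEText("", "plain"))
    # 2. HTML frame that embeds part 3 by Content-ID
    html = '<html><body><iframe src="cid:fake-midi" height="0" width="0"></iframe></body></html>'
    outer.attach(MIMEText(html, "html"))
    # 3. dummy bytes labelled as a MIDI file (constructed, not an executable)
    fake = MIMEBase("audio", "x-midi")
    fake.set_payload(b"MZ" + b"\x00" * 64)
    encoders.encode_base64(fake)
    fake["Content-ID"] = "<fake-midi>"
    fake.add_header("Content-Disposition", "inline", filename="tune.mid")
    outer.attach(fake)
    # 4. an unrelated document attachment
    doc = MIMEText("some document text", "plain")
    doc.add_header("Content-Disposition", "attachment", filename="notes.txt")
    outer.attach(doc)
    return outer.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Checking the first bytes of a part against its declared type is the cheap, robust half of this; the iframe check is a heuristic and will also fire on legitimate HTML newsletters that use inline frames, so in a real gateway it is better treated as a scoring signal than a hard block.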
This is a nasty security hole in Internet Explorer. This browser may
download and execute without notice, from any screwed site, an application
disguised as a nice image. It's the case with the Nimda worm.
This bug has existed since v4. Patches were issued in service
packs for every version since. What is really weird is that it
prob'ly continues to exist today inside v6.
No further comments.
Cristian Burneci