* via http://theMezz.com/lists

New "Klez" still clobbering PC users

By Robert Lemos
Staff Writer, CNET News.com
April 24, 2002, 12:25 PM PT

More than a week after it first started spreading, the latest variant of the Klez worm 
continues to infect PC users that haven't taken steps to protect themselves.
While the number of computers infected by the Klez.H variant falls short of such 
epidemics as the LoveLetter worm, the virus has still shown surprising resiliency, 
said Steve Trilling, director of antivirus software maker Symantec's security response 

"It is still going very strong," he said. "We got half the submissions from the last 
10 days in the last two days...It is definitely not dropping off."

 The Klez variant has generated nearly 20,000 incident reports from Symantec customers 
in a little over a week, Trilling said. Included in that number are 250 corporations 
that have multiple infections.

In total, Klez reports make up 75 percent of all reports that the company receives, 
easily putting it at the top spot for threats.

The ability of even a ho-hum virus to spread effectively across the Internet may speak 
volumes about the ill-preparedness of home users and many corporations to deal with 
even old security threats.

Computer users who have antivirus software and have updated the software's virus 
definitions--information used to recognize viruses--are immune to the latest Klez 
variant. Trilling wouldn't say whether users' failure to update their software after 
Klez's first emergence was responsible for the increase in Klez infections, but he did 
say it's a leading reason for the continued spread of older viruses.

The Klez worm doesn't contain any new tricks that could account for its success, said 
David Perry, director of education for antivirus software maker Trend Micro.

"It's pretty surprising actually," he said. "It is just a minor variant of 
Klez...There is nothing very special about the technologies included in it."

Trend Micro's Worldwide Virus Tracking Center, a Web service that reports incidents of 
a virus infection aggregated from calls to Trend Micro's customer support and any 
instances found by its online virus scanner, says the Klez.H worm--which Trend Micro 
calls Klez.G--is currently its second most reported virus. An outbreak in Italy of the 
JS.Exception Javascript virus tops the list.

"We are a little puzzled that it is still showing up," he said. "I would say that 
someone is vigorously seeding this virus." However, Perry added that, while the way 
that Klez is infecting computers seems to indicate that the worm is being "seeded" or 
spread by design, he had no evidence that this was indeed the case.

The variant of the Klez worm, which started spreading early last week, arrives as an 
attachment to an e-mail message. While the virus doesn't harm data on a computer it 
infects, it can send out a random file from the PC as an attachment along with the 
e-mail that carries the worm, potentially leaking confidential information from an 
infected computer.

The worm randomly chooses a subject line from more than 100 possibilities, uses many 
different file names when attaching itself to a message and mails the messages off to 
e-mail addresses that it culls from files on the infected machine. In addition, Klez 
is able to "spoof," or replace, the sender's e-mail address with an address found on 
the infected PC.

Alex Shipp, antivirus technologist for U.K.-based e-mail service provider MessageLabs, 
pointed to these abilities of the virus as key reasons for its virulence.

"When people hear there is a virus out there, they look for a specific subject line 
and message," he said. The different subject lines and file names prevent victims from 
recognizing that a message contains the virus, Shipp said, pointing to the LoveLetter 
virus, which spread in May 2000, as one that could be easily recognized.

The spoofing function also makes it harder for people who receive an infected e-mail 
to contact the sender to let them known they are infected, he said.

"Normally, you'd tell the people (who sent the virus) to stop, but the people in the 
sender's box aren't the one's sending it," Shipp said. "You may get an e-mail from 
Aunt Mabis, but it's not Aunt Mabis that is infected."

Still, the Klez outbreak fails to be an epidemic of the magnitude of LoveLetter, Shipp 

"We are seeing viruses at a rate of about 1 per 200 e-mails," he said. "When the Love 
Bug hit that was 1 in 28 e-mails." For its time, LoveBug, also known as LoveLetter, 
was more technologically advanced than Klez.

--via http://techPolice.com
archive: http://theMezz.com/cybercrime/archive
subscribe: [EMAIL PROTECTED]
--via http://theMezz.com

This email was sent to: archive@jab.org

EASY UNSUBSCRIBE click here: http://topica.com/u/?b1dhr0.b2EDp2
Or send an email to: [EMAIL PROTECTED]

T O P I C A -- Register now to manage your mail!

Reply via email to