[ISN] Worm set for file-eating binge

From: InfoSec News (isnat_private)
Date: Wed Mar 06 2002 - 00:28:55 PST

    By David Becker
    Staff Writer, CNET News.com
    March 5, 2002, 1:45 PM PT

    Security experts warned of possible widespread damage to PC files when
    the destructive Klez.e worm activates Wednesday.  The new variant on
    the Klez worm went into circulation last month and quickly became one
    of the fastest-spreading worms on the Internet.

    To date, the worm has done little more than propagate itself by
    sending out infected e-mail messages. That will change with the date
    on Wednesday, however, as the worm activates its destructive payload
    and destroys numerous types of files on infected PCs, said Steven
    Sundermeier, product manager for antivirus-software maker Central
    Command.

    The worm attacks common file types for text documents, spreadsheets,
    graphics and other files on infected PCs.

    "It will overwrite those files with garbage data," Sundermeier said, a
    method that makes it difficult to recover lost information. "It pretty
    much destroys the files."

    The worm is set to deliver its payload on the sixth day of
    odd-numbered months, making this the first time the worm will show its
    destructive power. On the sixth day of January and July, the worm gets
    even nastier and deletes all files on infected PCs.

    Security experts are casting Klez.e as a serious threat because it has
    spread so widely over the past month. E-mail screening firm Message
    Labs ranked the worm as the third most active bug in February,
    intercepting it from more than 21,000 infected messages.

    Central Command had it ranked No. 1, responsible for more than a third
    of all infected e-mails encountered in the past two weeks.

    The initially benign nature of the worm may also mean that many of
    those with infected PCs aren't aware it's there.

    "All it does at first is go ahead and collect e-mail addresses (from
    the infected PC) and send unsolicited e-mail messages with the worm,"
    Sundermeier said. "So unless someone notifies the user they got one of
    those messages, it will lie dormant."

    Klez.e arrives in an e-mail message with a subject line generated from
    a list of more than 20 keywords. The body of the message is either
    empty or filled with random text.

    The worm attempts to activate itself automatically by exploiting a
    flaw in Microsoft's Outlook e-mail program. A patch for the
    vulnerability is available from Microsoft.

    Once activated, the worm creates a file in the Windows directory of
    the infected PC with a name that begins with "wink" followed by a
    string of random characters and ending in the extension ".exe."

    PC users can do a search for the "wink" file, run up-to-date antivirus
    software, or use a free detection and removal tool from software maker
    Kaspersky Labs.
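
The "wink" file search and the payload schedule described above, combined into one triage check. This is an added example, not code from the article or from any vendor tool; the function names, the report fields and the assumption that the random part of the name is any non-empty run of characters are illustrative.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

# Name pattern from the article: "wink" + random characters + ".exe".
# Length and alphabet of the random part are not given, so any non-empty
# run is accepted (assumption). Windows file names are case-insensitive.
WINK_RE = re.compile(r"^wink.+\.exe$", re.IGNORECASE)

def find_wink_files(windows_dir):
    """Return sorted names of regular files in windows_dir matching the pattern."""
    return sorted(p.name for p in Path(windows_dir).iterdir()
                  if p.is_file() and WINK_RE.match(p.name))

def payload_on(day):
    """Payload the article describes for a given calendar date."""
    if day.day != 6 or day.month % 2 == 0:
        return "none"
    # Sixth of January and July: all files deleted; other odd months: overwrite.
    return "delete-all" if day.month in (1, 7) else "overwrite"

def next_payload(today):
    """First date on or after today that carries a payload, and which one."""
    year, month = today.year, today.month
    while True:
        candidate = date(year, month, 6)
        if candidate >= today and payload_on(candidate) != "none":
            return candidate, payload_on(candidate)
        month += 1
        if month > 12:
            year, month = year + 1, 1

def triage(windows_dir, today):
    """Report suspect files and how long remains before the next payload date."""
    hits = find_wink_files(windows_dir)
    when, action = next_payload(today)
    return {"suspect_files": hits, "next_payload": when, "action": action,
            "days_left": (when - today).days if hits else None}

if __name__ == "__main__":
    # Constructed sample directory standing in for the Windows directory.
    with tempfile.TemporaryDirectory() as d:
        for name in ("WINKabcd.EXE", "notepad.exe", "wink.exe", "winkx.txt"):
            Path(d, name).write_bytes(b"")
        print(triage(d, date(2002, 3, 5)))
```

A name match is only a lead for the antivirus scan or removal tool the article mentions, not proof of infection.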
    ISN is currently hosted by Attrition.org