[ISN] New Klez worm squirms across Internet

From: InfoSec News (isnat_private)
Date: Fri Apr 19 2002 - 01:38:32 PDT

  • Next message: InfoSec News: "Re: [ISN] Q&A: Microsoft Senior VP Paul Flessner on Trustworthy Computing"

    By Robert Lemos 
    Staff Writer, CNET News.com
    April 17, 2002, 11:30 AM PT
    A new variant of the Klez worm managed to squirm into computers in
    some parts of Asia on Tuesday and appeared to be spreading in the
    United States as of Wednesday.
    Alternately known as Klez.g, Klez.h and Klez.k, depending on the
    security advisory that's referring to it, the worm has its own e-mail
    engine to mass mail itself to potential victims, and it also attempts
    to deactivate some antivirus products. The worm can also spread to
    shared drives connected to PCs via local area networks or LANs.
    While the e-mail message in which the worm gift-wraps itself is
    relatively standard, its ability to elude most antivirus products has
    enabled it to spread fairly widely, said Alex Shipp, an antivirus
    technologist for U.K.-based e-mail service provider MessageLabs.
    "The author has changed enough of the bits to get past most virus
    programs," Shipp said.
    While MessageLabs rates the virus as a low threat, Shipp said the
    rating is updated periodically, and he expects it to reach a high
    rating when it does update. The company first detected the malicious
    attachment late Monday and has seen the spread of the worm gradually
    Different variants of the Klez worm have generally been among the Top
    3 antivirus threats since the first version of the worm was released
    in January. The Klez.e variant, which appeared last February, was
    particularly voracious, quickly becoming one of the fastest-spreading
    worms on the Internet.
    Security-software maker Symantec upgraded the latest variant, which it
    labeled W32.Klez.H, to a threat level of three from a previous rating
    of two. The company categorizes threats on a scale of one, the lowest
    threat, to five.
    A worm of many subjects The worm arrives in an e-mail message with one
    of 120 possible subject lines. There are 18 different standard subject
    headings, including "let's be friends," "meeting notice," "some
    questions," and "honey."  On top of those, seven other patterns exist,
    such as "a x game" and "a x patch," where x can be one of 16 different
    words, including "new,"  "WinXP," and the name of any of six major
    antivirus companies.
    In many circumstances, the worm doesn't need the victim to open it in
    order to run. Instead, it takes advantage of a 12-month-old
    vulnerability in Microsoft Outlook, known as the Automatic Execution
    of Embedded MIME Type bug, to open itself automatically on unpatched
    versions of Outlook.
    The malicious program will find any network storage available on the
    infected PC and copy itself to the remote disk drives using a random
    file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension.  
    Occasionally, the file name will include a double extension.
    The program will also cull e-mail addresses by searching a host of
    different file types on the infected PC. Using its own mail program,
    the worm will send itself off to those e-mail addresses. In addition,
    it will use the addresses to create a fake "From:" field in the e-mail
    message, disguising the actual source of the e-mail.
    Finally, the worm attempts to disable antivirus software by deleting
    registry keys, stopping running processes and removing
    virus-definition files.
    Clues in the code The worm also sports a message in its code from the
    author, who brags that it only took three weeks to create the
    malicious program.
    The author claims the virus originated in Asia and may have bugs
    because of how fast he created it.
    MessageLabs' own data points to China as the source of the first
    e-mails containing the worm.
    By noon PST, major antivirus vendors had updated their virus
    definitions to recognize the newest Klez variant. However, in most
    cases, users will have to initiate an update to download the newest
    definitions and be protected
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 05:26:04 PDT