[ISN] New "Klez" still clobbering PC users

From: InfoSec News (isnat_private)
Date: Thu Apr 25 2002 - 01:08:37 PDT

  • Next message: InfoSec News: "[ISN] Air Force cadets face hackers in cyberbattle"

    By Robert Lemos 
    Staff Writer, CNET News.com
    April 24, 2002, 12:25 PM PT
    More than a week after it first started spreading, the latest variant
    of the Klez worm continues to infect PC users that haven't taken steps
    to protect themselves.
    While the number of computers infected by the Klez.H variant falls
    short of such epidemics as the LoveLetter worm, the virus has still
    shown surprising resiliency, said Steve Trilling, director of
    antivirus software maker Symantec's security response team.
    "It is still going very strong," he said. "We got half the submissions
    from the last 10 days in the last two days...It is definitely not
    dropping off."
    The Klez variant has generated nearly 20,000 incident reports from
    Symantec customers in a little over a week, Trilling said. Included in
    that number are 250 corporations that have multiple infections.
    In total, Klez reports make up 75 percent of all reports that the
    company receives, easily putting it at the top spot for threats.
    The ability of even a ho-hum virus to spread effectively across the
    Internet may speak volumes about the ill-preparedness of home users
    and many corporations to deal with even old security threats.
    Computer users who have antivirus software and have updated the
    software's virus definitions--information used to recognize
    viruses--are immune to the latest Klez variant. Trilling wouldn't say
    whether users' failure to update their software after Klez's first
    emergence was responsible for the increase in Klez infections, but he
    did say it's a leading reason for the continued spread of older
    The Klez worm doesn't contain any new tricks that could account for
    its success, said David Perry, director of education for antivirus
    software maker Trend Micro.
    "It's pretty surprising actually," he said. "It is just a minor
    variant of Klez...There is nothing very special about the technologies
    included in it."
    Trend Micro's Worldwide Virus Tracking Center, a Web service that
    reports incidents of a virus infection aggregated from calls to Trend
    Micro's customer support and any instances found by its online virus
    scanner, says the Klez.H worm--which Trend Micro calls Klez.G--is
    currently its second most reported virus. An outbreak in Italy of the
    JS.Exception Javascript virus tops the list.
    "We are a little puzzled that it is still showing up," he said. "I
    would say that someone is vigorously seeding this virus." However,
    Perry added that, while the way that Klez is infecting computers seems
    to indicate that the worm is being "seeded" or spread by design, he
    had no evidence that this was indeed the case.
    The variant of the Klez worm, which started spreading early last week,
    arrives as an attachment to an e-mail message. While the virus doesn't
    harm data on a computer it infects, it can send out a random file from
    the PC as an attachment along with the e-mail that carries the worm,
    potentially leaking confidential information from an infected
    The worm randomly chooses a subject line from more than 100
    possibilities, uses many different file names when attaching itself to
    a message and mails the messages off to e-mail addresses that it culls
    from files on the infected machine. In addition, Klez is able to
    "spoof," or replace, the sender's e-mail address with an address found
    on the infected PC.
    Alex Shipp, antivirus technologist for U.K.-based e-mail service
    provider MessageLabs, pointed to these abilities of the virus as key
    reasons for its virulence.
    "When people hear there is a virus out there, they look for a specific
    subject line and message," he said. The different subject lines and
    file names prevent victims from recognizing that a message contains
    the virus, Shipp said, pointing to the LoveLetter virus, which spread
    in May 2000, as one that could be easily recognized.
    The spoofing function also makes it harder for people who receive an
    infected e-mail to contact the sender to let them known they are
    infected, he said.
    "Normally, you'd tell the people (who sent the virus) to stop, but the
    people in the sender's box aren't the one's sending it," Shipp said.  
    "You may get an e-mail from Aunt Mabis, but it's not Aunt Mabis that
    is infected."
    Still, the Klez outbreak fails to be an epidemic of the magnitude of
    LoveLetter, Shipp added.
    "We are seeing viruses at a rate of about 1 per 200 e-mails," he said.  
    "When the Love Bug hit that was 1 in 28 e-mails." For its time,
    LoveBug, also known as LoveLetter, was more technologically advanced
    than Klez.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Apr 25 2002 - 04:09:51 PDT