Out-Law News

Klez variants infect 7.2% of all computers, says anti-virus developer


An independent survey suggests that 7.2% of the world’s computers have been infected by the many variations of the Klez worm, making it more widespread than Sircam or Nimda, according to Panda Software, an anti-virus software developer that commissioned the survey. Internet security specialist Symantec Security has upgraded Klez to a level 4 virus threat on a scale of 1 to 5, with 5 being the most dangerous.

Klez.H spreads by sending itself as an attachment to e-mail addresses found in the Windows address book, the ICQ database, and local files. It can also replace the sender's address with any other address found on the system, so the apparent sender of an infected message may never have been infected by the worm. The e-mail arrives with a random subject line, and the worm attaches a randomly chosen file from the infected machine alongside its own copy. It also spreads through network share drives and is capable of infecting files.

The latest variant, Klez.I, also randomly overwrites executable files in the system and releases a polymorphic virus called W32/Elkern.C, which is capable of infecting a large number of files. All of this may not cause visible damage during the initial phases of the attack, so the user might not realise that they have been hit. In the longer term, however, an infection from this virus could cause problems that prevent the computer from functioning properly. Klez.I can even block some applications that are in memory when the attack takes place.

Panda warns that it is important to remember that the attached file containing the Klez.I virus executes simply when the message is viewed in the preview pane. This is due to a known vulnerability in Microsoft Internet Explorer. Panda Software advises all users to immediately update their anti-virus software before opening their e-mail programs and reading or previewing any e-mail.
