New "Klez" still clobbering PC users

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-891030.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
April 24, 2002, 12:25 PM PT

More than a week after it first started spreading, the latest variant
of the Klez worm continues to infect PC users that haven't taken steps
to protect themselves.

While the number of computers infected by the Klez.H variant falls
short of such epidemics as the LoveLetter worm, the virus has still
shown surprising resiliency, said Steve Trilling, director of
antivirus software maker Symantec's security response team.

"It is still going very strong," he said. "We got half the submissions
from the last 10 days in the last two days...It is definitely not
dropping off."

The Klez variant has generated nearly 20,000 incident reports from
Symantec customers in a little over a week, Trilling said. Included in
that number are 250 corporations that have multiple infections.

In total, Klez reports make up 75 percent of all reports that the
company receives, easily putting it at the top spot for threats.

The ability of even a ho-hum virus to spread effectively across the
Internet may speak volumes about the ill-preparedness of home users
and many corporations to deal with even old security threats.

Computer users who have antivirus software and have updated the
software's virus definitions--information used to recognize
viruses--are immune to the latest Klez variant. Trilling wouldn't say
whether users' failure to update their software after Klez's first
emergence was responsible for the increase in Klez infections, but he
did say it's a leading reason for the continued spread of older
viruses.

The Klez worm doesn't contain any new tricks that could account for
its success, said David Perry, director of education for antivirus
software maker Trend Micro.

"It's pretty surprising actually," he said. "It is just a minor
variant of Klez...There is nothing very special about the technologies
included in it."

Trend Micro's Worldwide Virus Tracking Center, a Web service that
reports incidents of a virus infection aggregated from calls to Trend
Micro's customer support and any instances found by its online virus
scanner, says the Klez.H worm--which Trend Micro calls Klez.G--is
currently its second most reported virus. An outbreak in Italy of the
JS.Exception Javascript virus tops the list.

"We are a little puzzled that it is still showing up," he said. "I
would say that someone is vigorously seeding this virus." However,
Perry added that, while the way that Klez is infecting computers seems
to indicate that the worm is being "seeded" or spread by design, he
had no evidence that this was indeed the case.

The variant of the Klez worm, which started spreading early last week,
arrives as an attachment to an e-mail message. While the virus doesn't
harm data on a computer it infects, it can send out a random file from
the PC as an attachment along with the e-mail that carries the worm,
potentially leaking confidential information from an infected
computer.

The worm randomly chooses a subject line from more than 100
possibilities, uses many different file names when attaching itself to
a message and mails the messages off to e-mail addresses that it culls
from files on the infected machine. In addition, Klez is able to
"spoof," or replace, the sender's e-mail address with an address found
on the infected PC.

Alex Shipp, antivirus technologist for U.K.-based e-mail service
provider MessageLabs, pointed to these abilities of the virus as key
reasons for its virulence.

"When people hear there is a virus out there, they look for a specific
subject line and message," he said. The different subject lines and
file names prevent victims from recognizing that a message contains
the virus, Shipp said, pointing to the LoveLetter virus, which spread
in May 2000, as one that could be easily recognized.

The spoofing function also makes it harder for people who receive an
infected e-mail to contact the sender to let them known they are
infected, he said.

"Normally, you'd tell the people (who sent the virus) to stop, but the
people in the sender's box aren't the one's sending it," Shipp said.  
"You may get an e-mail from Aunt Mabis, but it's not Aunt Mabis that
is infected."

Still, the Klez outbreak fails to be an epidemic of the magnitude of
LoveLetter, Shipp added.

"We are seeing viruses at a rate of about 1 per 200 e-mails," he said.  
"When the Love Bug hit that was 1 in 28 e-mails." For its time,
LoveBug, also known as LoveLetter, was more technologically advanced
than Klez.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.