Information Security News mailing list archives

Worm set for file-eating binge


From: InfoSec News <isn () c4i org>
Date: Wed, 6 Mar 2002 02:28:55 -0600 (CST)

http://news.com.com/2100-1001-852306.html

By David Becker 
Staff Writer, CNET News.com
March 5, 2002, 1:45 PM PT

Security experts warned of possible widespread damage to PC files when
the destructive Klez.e worm activates Wednesday.  The new variant on
the Klez worm went into circulation last month and quickly became one
of the fastest-spreading worms on the Internet.

To date, the worm has done little more than propagate itself by
sending out infected e-mail messages. That will change with the date
on Wednesday, however, as the worm activates its destructive payload
and destroys numerous types of files on infected PCs, said Steven
Sundermeier, product manager for antivirus-software maker Central
Command.

The worm attacks common file types for text documents, spreadsheets,
graphics and other files on infected PCs.

"It will overwrite those files with garbage data," Sundermeier said, a
method that makes it difficult to recover lost information. "It pretty
much destroys the files."

The worm is set to deliver its payload on the sixth day of
odd-numbered months, making this the first time the worm will show its
destructive power. On the sixth day of January and July, the worm gets
even nastier and deletes all files on infected PCs.

Security experts are casting Klez.e as a serious threat because it has
spread so widely over the past month. E-mail screening firm Message
Labs ranked the worm as the third most active bug in February,
intercepting it from more than 21,000 infected messages.

Central Command had it ranked No. 1, responsible for more than a third
of all infected e-mails encountered in the past two weeks.

The initially benign nature of the worm may also mean that many of
those with infected PCs aren't aware it's there.

"All it does at first is go ahead and collect e-mail addresses (from
the infected PC) and send unsolicited e-mail messages with the worm,"  
Sundermeier said. "So unless someone notifies the user they got one of
those messages, it will lie dormant."

Klez.e arrives in an e-mail message with a subject line generated from
a list of more than 20 keywords. The body of the message is either
empty or filled with random text.

The worm attempts to activate itself automatically by exploiting a
flaw in Microsoft's Outlook e-mail program. A patch for the
vulnerability is available from Microsoft.

Once activated, the worm creates a file in the Windows directory of
the infected PC with a name that begins with "wink" followed by a
string of random characters and ending in the extension ".exe."

PC users can do a search for the "wink" file, run up-to-date antivirus
software, or use a free detection and removal tool from software maker
Kaspersky Labs.




-
ISN is currently hosted by Attrition.org


