
W32.KLEZ WORM - HIGH RISK THREAT!


codenamec++
05-12-2002, 01:10 AM
The W32.Klez worm, which has now evolved into its 8th variant (W32/Klez.h@mm), has been upgraded to a high risk security threat by anti-virus response companies Symantec and McAfee.

Similar to other mass-mailing worms, Klez will send itself to all email addresses found on the host computer (some variants even having their own SMTP engine). However, Klez also attempts a 'social engineering' strategy for successful distribution - not only can it spoof the 'From:' field and subject heading (taking subject strings from the other emails on the host computer), but it searches the hard drive for random files (with extensions such as .doc or .jpg etc.) and sends them, along with itself, to the obtained addresses (as an attempt to hide itself amongst clean files). This process also makes Klez a serious privacy security threat.

The worm will take advantage of security flaws in mail programs such as Outlook, and even viewing the message in a preview pane can lead to infection. Klez will also try to disable virus scan software, so if it catches a user with out-of-date virus definitions, it will disable and corrupt the software, making a re-install necessary - but only after the worm has been removed from the system (see the Symantec Klez removal tool as an example).

Once Klez has installed itself, it drops the damaging Elkern virus onto the host computer, which then infects and overwrites random files (as does Klez), eventually rendering the system useless. Elkern also tries to spread itself over networked computers, and some variants contain a system destroying payload.

Originating in Asia during October 2001 (from the same region as the Code Red worm), Klez is another attempt at virus evolution and domination on a global scale. When a virus is successful, there are copycat variants which follow, emerging from the virus writing 'community', as well as continued efforts from the original author to improve effectiveness (and pervasiveness). In the recent version of Klez, the author included a text file in the code which reads:

Win32 Klez V2.01 & Win32 Foroux V1.0 Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)...
Not bug free,because of a hurry work.No more than three weeks
from having such idea to accomplishing coding and testing.

(Note: Win32 Foroux is the author's name for the Elkern virus).

Unfortunately virus writers will always be around, as will hackers and crackers. If you are a home user and do not use virus scan software, or do not update it regularly, you could be at an extremely high risk of infection (not only from Klez, but all the other many viruses, worms and trojans out there!). Most companies on networks will be sufficiently protected, but Klez is spreading consistently and could show its ugly head in your in-box at any moment (Symantec had been receiving 3000 submissions per day of Klez infection reports by the end of April).

Needless to say, if you are security conscious and use up-to-date virus protection software, you can sit back and relax in relative safety. If you are not, you could be in for a nasty surprise, sooner or later. Virus writers author their code simply to dominate and/or destroy global computer networks, via email and the internet. The 'success' of any given virus is usually calculated by the pervasiveness and destructiveness of the code. The pathology behind this is of minor importance to the potential damage, as already observed by the ILOVEYOU worm and other 'successful' threats.

Some conspiracy theorists have suggested that SARC released their own virus strands to boost software sales, but with the amount of amateur and experienced code writers out there with somewhat dysfunctional personalities, I would say there is plenty of work to be done without creating it yourself!

For more technical information about Klez, visit Symantec or McAfee (www.sarc.com or www.mcafee.com).

Be aware, and be safe!

Kind regards,

C0deNameC++
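A detection-side illustration of the traits the post above describes: a spoofed 'From:' field, an executable bundled with harvested .doc/.jpg files, and an attachment whose declared MIME type disagrees with its file name (the generic shape of the preview-pane trick, where a client that trusts the declared type opens the part automatically). This is an added example, not code from the original post or from any vendor's scanner. It assumes the receiving MTA has written the SMTP envelope sender into a Return-Path header, the extension and MIME tables are the author's own choices, and the sample messages are constructed here rather than captured from Klez.

```python
"""Heuristic gateway filter for Klez-style mass-mailer traffic.

Added example (not from the forum post). Flags the traits the post
describes: a spoofed From: header, an executable riding along with
document/image files harvested from the sender's disk, and an attachment
whose declared MIME type does not match its file extension.
Assumption: the SMTP envelope sender has been written into Return-Path
by the receiving MTA. All sample messages below are constructed.
"""
import os
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions a gateway should treat as executable content (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}

# Content types a sane sender would declare for each extension (assumed).
EXPECTED_MIME = {
    ".exe": {"application/x-msdownload", "application/octet-stream"},
    ".doc": {"application/msword"},
    ".jpg": {"image/jpeg"},
}


def _addr(header_value):
    """Return the bare, lower-cased address from a header value."""
    return parseaddr(header_value or "")[1].lower()


def attachments(msg):
    """List (filename, declared content type) for every named part."""
    return [(p.get_filename(), p.get_content_type())
            for p in msg.walk() if p.get_filename()]


def score_message(raw):
    """Return the list of suspicious traits found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. From: header that disagrees with the envelope sender.
    envelope = _addr(msg.get("Return-Path"))
    header_from = _addr(msg.get("From"))
    if envelope and header_from and envelope != header_from:
        findings.append(f"from-spoof: From={header_from} Return-Path={envelope}")

    parts = attachments(msg)
    exts = [os.path.splitext(name)[1].lower() for name, _ in parts]

    # 2. Executable attachment, optionally padded with innocuous files.
    if any(e in EXECUTABLE_EXTS for e in exts):
        findings.append("executable-attachment")
        if any(e not in EXECUTABLE_EXTS for e in exts):
            findings.append("executable-bundled-with-documents")

    # 3. Declared MIME type that does not fit the file name.
    for name, ctype in parts:
        ext = os.path.splitext(name)[1].lower()
        expected = EXPECTED_MIME.get(ext)
        if expected and ctype not in expected:
            findings.append(f"mime-mismatch: {name} declared as {ctype}")

    return findings


def classify(raw):
    """Gateway verdict: ('quarantine', findings) or ('deliver', [])."""
    findings = score_message(raw)
    return ("quarantine" if findings else "deliver", findings)


def build_sample(from_addr, return_path, subject, files):
    """Construct a multipart message; files are (name, type, bytes)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["Return-Path"] = return_path
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg.set_content("Please see the attached files.")
    for name, ctype, data in files:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=name)
    return msg.as_string()


# Constructed samples (not real captures). The worm-like one spoofs the
# sender, reuses a harvested-looking subject line, bundles an .exe with a
# .doc and a .jpg, and declares the .exe as audio so a client that trusts
# the declared type would try to open it automatically.
WORM_SAMPLE = build_sample(
    "alice@example.org", "<bob@example.com>", "Re: quarterly report",
    [("report.doc", "application/msword", b"\xd0\xcf\x11\xe0 fake doc"),
     ("photo.jpg", "image/jpeg", b"\xff\xd8\xff fake jpeg"),
     ("setup.exe", "audio/x-wav", b"MZ fake executable")])

CLEAN_SAMPLE = build_sample(
    "carol@example.org", "<carol@example.org>", "Meeting notes",
    [("notes.doc", "application/msword", b"\xd0\xcf\x11\xe0 fake doc")])


if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        verdict, why = classify(raw)
        print(label, "->", verdict, why)
```

Running it quarantines the worm-like sample on all three counts and delivers the clean one. In a real gateway the envelope sender comes straight from the SMTP session rather than a header, and the From/Return-Path comparison on its own produces false positives for mailing lists and forwarders, so the mismatch is best used as one signal alongside the attachment checks rather than as a standalone block rule.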