Klez.e worm threat appears to be contained

Symantec Corp. said it considered the Klez.e worm a relatively low threat, though a spokesman said the company had received many calls from clients who had encountered it.

The worm was set to cause havoc today, according to several well-publicized alerts. But for the most part, damage doesn’t seem to be widespread. Nonetheless, Symantec upgraded the risk factor from a level two to a three out of a possible five because so many clients had encountered it.

The worm can delete files, halt the work of security programs and spread itself when an infected e-mail is opened. According to Symantec’s alert, the worm exploits a vulnerability in Microsoft Outlook and Outlook Express to try to execute itself when a message containing it is opened.

While there seems to be heightened public awareness of these kinds of attacks, Vincent Weafer, a senior director at Cupertino, Calif.-based Symantec, said there aren’t many more viruses or worms than in recent years. About seven new viruses or worms enter the world every day, up only from five per day a few years ago.

“It is increasing very slowly,” Weafer said. “At any given time there are between 200 to 250 viruses in the wild. But [the numbers] have been growing very slowly over the last couple of years.”

Weafer said the greater connectivity and the widespread use of Digital Subscriber Lines tend to lead to the perception that there are more attacks being launched than ever before. He said that because there are more people using the global connectivity of the Web, viruses tend to hang around longer, which also leads to the perception that there are more of them.

As for why so many worms seem to target Outlook, he said it’s a simple case of “hammering a known vulnerability.” As more people deploy patches, attackers will use other paths. He also thinks that more attackers will rely less on social engineering to spread viruses and try to make the viruses themselves look for ways to spread.

The Klez.e worm’s use of its Simple Mail Transfer Protocol engine is an example of this, Weafer said.

Marty Lindner, team leader for incident handling at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, said he hadn’t heard much about the Klez.e worm. CERT hasn’t issued an alert or a bulletin, he said.

Symantec is at http://www.symantec.com/