Revamped Klez worm reappears

A variant of a worm that takes advantage of preventable vulnerabilities in Microsoft Corp.’s Internet Explorer and Outlook Express software is spreading, antivirus vendors are warning.

The new version, the Win32.Klez.H@mm worm, is a variant of the mass-mailing Klez worm that surfaced last year. The Klez worm reappears periodically, most recently appearing in March, when it caused minimal damage. Like the earlier version, the newest Klez spreads via e-mail and travels across files on a network.

Both versions of Klez insert a variety of subject lines in its infected messages, including one that masquerades as a virus alert. It pulls e-mail addresses from Outlook address books and even America Online Inc.’s ICQ chat application, according to the antivirus vendors. Then it propagates by sending itself to the pilfered addresses.

Klez tries to disable any antivirus programs installed on a PC that it infects. The worm removes the start-up registry keys that antivirus products use, according to representatives of Symantec Corp., which markets Norton Antivirus. Symantec Security Response is rating this variant of Klez a three on its danger scale of five, rendering it a “medium” risk.

The Klez.H attachment is sometimes accompanied by another virus, called W32.Elkern, which can infect network files. It will cause system crashes if activated, the antivirus vendors say.

The original Klez itself reoccurs periodically, note antivirus experts at the security firm F-Secure. It activates on the sixth day of odd-numbered months, trying to overwrite certain file types on infected PCs.

Antivirus vendor Kaspersky Lab says it has received reports of infections by the newest Klez in Europe and Asia.

The latest virus data files from leading antivirus vendors should protect users against this variant, the vendors say.

Also, Microsoft addressed the vulnerability that Klez exploits in recent patches for IE versions 5.01 and 5.5, which are vulnerable to the worm. Microsoft offers a free download to address those vulnerabilities.