The virus that won’t die: Klez

The klez worm is approaching its seventh month of wriggling across the Web, making it one of the most persistent viruses ever. And experts warn that it may be a harbinger of new viruses that use a combination of pernicious approaches to go from PC to PC.

Antivirus software makers Symantec Corp. and McAfee both report more than 2000 new infections daily, with no sign of letup at press time. The British security firm MessageLabs Ltd. estimates that 1 in every 300 e-mail messages holds a variation of the Klez virus, and says that Klez has already surpassed last summer’s SirCam as the most prolific virus ever.

And some newer Klez variants aren’t merely nuisances -they can carry other viruses in them that corrupt your data.

How it Works

Klez is an example of a blended threat: software that distributes itself like a virus but sometimes behaves like a worm and at other times like a Trojan horse.

Klez usually arrives in the in-boxes of unsuspecting victims as a file attachment. It uses various subject lines, including “Klez removal tool”. Some variants also draw subject lines from random words in files on a victim’s hard drive.

When the victim double-clicks the attachment, or even just previews the message, the fun begins for Klez. It pilfers addresses from the victim’s e-mail address books, and also searches the hard drive for addresses from the Web browser cache or temporary files.

What makes Klez particularly insidious is that it draws both a new sender and a new recipient from the infected party’s sources. This creates at least three victims: the person who first got the worm, the one who is sent the worm, and the one whose address was taken from the original victim and is used as the new sender.

Because the infected sender’s address is not on the new e-mail, the worm is difficult to track. And blocking the return address is ineffective, because that person didn’t send the worm. Worse, the innocent sender may well be someone you know, making you more likely to open the message, click on the attachment, and perpetuate the virus.

“These types of social-engineering tricks are extremely effective,” says virus researcher Sarah Gordon. People don’t want to ignore a friend or colleague, she says. “They feel compelled to look at an attachment-even though they’ve heard the warning.”

In the months since Klez was first identified, antivirus vendors have discovered seven versions of the virus. These strains share many behavioral traits but act slightly differently from one another. For example, some later versions can attack other systems over networks by copying infected files to file servers and shared hard drives. One of the newest variants, W32.Klez.H@mm, contains another worm called ElKern that can damage an operating system beyond repair. In some instances, users must reformat the entire hard drive and reinstall Windows to purge the virus from a PC.

Can You Fight Back?

With these types of blended threats, it’s not enough just to update your antivirus software’s data definitions regularly; you need comprehensive security protection, including both privacy and intrusion protection, according to Vincent Weafer, senior director of Symantec Security Response. Users who also make it a habit to install new security patches are better equipped to defend their PCs against the kinds of worms that attack well-known Windows weaknesses.

But even if you take all appropriate measures, others who have your e-mail address in their books may not. You won’t get the worm, but you will still get neutralized and irritating notes in your in-box.

There’s little you can do to prevent such e-mail from reaching you; however, your ISP may be able to help. Some ISPs use so-called antivirus appliances that are capable of filtering millions of messages and stopping infected ones from getting to your in-box.

But ultimately, each of us who uses a PC is responsible, in a small way, for preserving our neighbors’ security-by keeping our own PC clean.

– Regularly update your antivirus software.

– Install the latest IE and Outlook/Outlook Express security patches.

– Look for messages with attachments that range in size between 110KB and 150KB.

– Watch for odd subject lines that are atypical of those you normally receive.

– Use a product such as SpamKiller to screen your mail and make deleting suspicious notes easier.