The klez worm is approaching its seventh month of wriggling across the Web, making it one of the most persistent viruses ever. And experts warn that it may be a harbinger of new viruses that use a combination of pernicious approaches to go from PC to PC.
Antivirus software makers Symantec Corp. and McAfee both report more than 2000 new infections daily, with no sign of letup at press time. The British security firm MessageLabs Ltd. estimates that 1 in every 300 e-mail messages holds a variation of the Klez virus, and says that Klez has already surpassed last summer's SirCam as the most prolific virus ever.
And some newer Klez variants aren't merely nuisances -they can carry other viruses in them that corrupt your data.
How it Works
Klez is an example of a blended threat: software that distributes itself like a virus but sometimes behaves like a worm and at other times like a Trojan horse.
Klez usually arrives in the in-boxes of unsuspecting victims as a file attachment. It uses various subject lines, including "Klez removal tool". Some variants also draw subject lines from random words in files on a victim's hard drive.
When the victim double-clicks the attachment, or even just previews the message, the fun begins for Klez. It pilfers addresses from the victim's e-mail address books, and also searches the hard drive for addresses from the Web browser cache or temporary files.
What makes Klez particularly insidious is that it draws both a new sender and a new recipient from the infected party's sources. This creates at least three victims: the person who first got the worm, the one who is sent the worm, and the one whose address was taken from the original victim and is used as the new sender.
Because the infected sender's address is not on the new e-mail, the worm is difficult to track. And blocking the return address is ineffective, because that person didn't send the worm. Worse, the innocent sender may well be someone you know, making you more likely to open the message, click on the attachment, and perpetuate the virus.
"These types of social-engineering tricks are extremely effective," says virus researcher Sarah Gordon. People don't want to ignore a friend or colleague, she says. "They feel compelled to look at an attachment-even though they've heard the warning."
In the months since Klez was first identified, antivirus vendors have discovered seven versions of the virus. These strains share many behavioral traits but act slightly differently from one another. For example, some later versions can attack other systems over networks by copying infected files to file servers and shared hard drives. One of the newest variants, W32.Klez.H@mm, contains another worm called ElKern that can damage an operating system beyond repair. In some instances, users must reformat the entire hard drive and reinstall Windows to purge the virus from a PC.