An independent survey suggests that 7.2% of the world’s
computers have been infected by the many variations of the Klez
worm, making it more widespread than Sircam or Nimda, according to
Panda Software, an anti-virus software developer that commissioned
the survey. Internet security specialist Symantec Security has
upgraded Klez to a level 4 virus threat on a scale of 1 to 5, with
5 being the most dangerous.
Klez.H spreads by sending itself as an attachment to e-mail
addresses found in the Windows address book, the ICQ database, and
local files. It can also replace the sender's address with any
other address found on the system, so the apparent sender of an
infected message may not even have been infected by the worm. The
e-mail arrives with a random subject line, and the worm randomly
chooses a file from the infected machine to send to recipients
along with itself. It also spreads through network share drives
and is capable of infecting files.
The latest variant, Klez.I, also randomly overwrites executable
files in the system and releases a polymorphic virus called
W32/Elkern.C, which is capable of infecting a large number of
files. All of this may not cause visible damage during the initial
phases of the attack, so the user might not realise that they have
been hit. In the longer term, however, an infection from this virus
could cause problems that prevent the computer from functioning
properly. Klez.I can even block some applications that are in
memory when the attack takes place.
Panda warns that the attached file containing the Klez.I virus
executes when the message is simply viewed in the preview pane.
This is due to a known vulnerability in Microsoft Internet
Explorer. Panda Software advises all users to update their
anti-virus software immediately, before opening their e-mail
programs and reading or previewing any e-mail.