|
PureBytes Links
Trading Reference Links
|
Everyone,
Please be warned about Klez virus (description below).
I also received many copies of this new virus but HAVEN'T opened any single one.
I have strong firewall and antivirus software installed and never open any mailcious attachments.
You may receive an e-mail with "From" field pointing to one of @amibroker.com addresses
but the copy is not from me.
This virus uses the addresses from infected computer address book to create a fake "From:" field in the e-mail message, disguising
the actual source of the e-mail.
I myself received e-mails from @amibroker.com that I haven't sent. Apparantly someone had me in his mail box and this virus
used it.
============== more details ===========
Klez worm's on the loose again
By Robert Lemos
Special to ZDNet News
April 17, 2002, 12:00 PM PT
A new variant of the Klez worm managed to squirm into computers in some parts of Asia on Tuesday and appeared to be spreading in the
United States as of Wednesday.
Alternately known as Klez.g, Klez.h and Klez.k, depending on the security advisory that's referring to it, the worm has its own
e-mail engine to mass mail itself to potential victims, and it also attempts to deactivate some antivirus products. The worm can
also spread to shared drives connected to PCs via local area networks or LANs.
While the e-mail message in which the worm gift-wraps itself is relatively standard, its ability to elude most antivirus products
has enabled it to spread fairly widely, said Alex Shipp, an antivirus technologist for U.K.-based e-mail service provider
MessageLabs.
The author has changed enough of the bits to get past most virus programs," Shipp said.
While MessageLabs rates the virus as a low threat, Shipp said the rating is updated periodically, and he expects it to reach a high
rating when it does update. The company first detected the malicious attachment late Monday and has seen the spread of the worm
gradually increase.
Different variants of the Klez worm have generally been among the Top 3 antivirus threats since the first version of the worm was
released in January. The Klez.e variant, which appeared last February, was particularly voracious, quickly becoming one of the
fastest-spreading worms on the Internet.
Security-software maker Symantec upgraded the latest variant, which it labeled W32.Klez.H, to a threat level of three from a
previous rating of two. The company categorizes threats on a scale of one, the lowest threat, to five.
A worm of many subjects
The worm arrives in an e-mail message with one of 120 possible subject lines. There are 18 different standard subject headings,
including "let's be friends," "meeting notice," "some questions," and "honey." On top of those, seven other patterns exist, such as
"a x game" and "a x patch," where x can be one of 16 different words, including "new," "WinXP," and the name of any of six major
antivirus companies.
In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old
vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on
unpatched versions of Outlook.
The malicious program will find any network storage available on the infected PC and copy itself to the remote disk drives using a
random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension.
The program will also cull e-mail addresses by searching a host of different file types on the infected PC. Using its own mail
program, the worm will send itself off to those e-mail addresses. In addition, it will use the addresses to create a fake "From:"
field in the e-mail message, disguising the actual source of the e-mail.
Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing
virus-definition files.
Clues in the code
The worm also sports a message in its code from the author, who brags that it only took three weeks to create the malicious program.
The author claims the virus originated in Asia and may have bugs because of how fast he created it.
MessageLabs' own data points to China as the source of the first e-mails containing the worm.
By noon PST, major antivirus vendors had updated their virus definitions to recognize the newest Klez variant. However, in most
cases, users will have to initiate an update to download the newest definitions and be protected.
Best regards,
Tomasz Janeczko
amibroker.com
|