Dangerous Klez worm could compromise sensitive data

The latest variants of the Klez worm have developed some teeth and are starting to bite organizations connected to the Internet. See how this worm could leak sensitive files from your organization and learn how to combat it.

Now in its third or fourth version, the initially innocuous Klez worm is turning nasty, as vandals tweak both the mode of attack and the payload. Most important, at least one security firm reports that the newest version of this worm will sometimes share your confidential files with others.

The big change came when W32.Klez.H@mm (Symantec’s name) was developed from W32.Klez.E@mm, which first showed up in mid-January 2002.

Klez.E was a basic mass-mailing worm that could overwrite files and create hidden copies of them. Symantec said that W32.Klez.H@mm also plants W32.Elkern.3587, a virus that is “similar to W32.ElKern.3326.”

W32.Klez.H@mm is capable of spreading by e-mail and network shares. It can also infect files, but it goes one step further: Not only does it e-mail a copy of itself to addresses randomly selected from the victim’s address book, but it also sometimes randomly selects another file from the victim’s computer and sends that as a second attachment.

McAfee recently recognized the H-variant of Klez and upped the threat rating of this worm from low to medium based on the number of infections. Symantec, Trend Micro, and other antivirus vendors have also upgraded the threat of the latest variations of Klez.

Fortunately, although Klez is dangerous, it's relatively easy to remove. Symantec has provided a Klez-specific removal tool free of charge. Any antivirus software updated in January or early February to deal with the Klez worm variant released at the end of January 2002 will probably block this new variation. McAfee and several other antivirus vendors explicitly state that their existing virus definitions will block the latest strains of Klez.

When a system is infected, Klez.H copies itself to %System%\Wink<random characters>.exe, which usually means it is found in C:\Windows\System or C:\Winnt\System32. The worm also adds one or more registry entries that activate the worm at startup. Further, Klez.H attempts to deactivate a number of antivirus utilities by blocking their startup registry keys.
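The startup persistence described above gives an administrator something concrete to check on a suspect machine. The following is an added example, not code from the article or from any vendor's removal tool: it walks a set of Run-key values (a constructed sample here, not a real registry export) and flags any entry whose executable sits directly in the System directory under a Wink*.exe name, the drop location the article gives. The Run-key paths are the standard Windows autostart locations; the value names and filenames in the sample are made up. On a live host the same dictionary could be populated with the standard-library winreg module.

```python
import re
from typing import Dict, List

# Standard Windows autostart locations (per-machine and per-user Run keys).
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

# The article gives the drop path as %System%\Wink<random>.exe and notes that
# %System% is C:\Windows\System or C:\Winnt\System32 depending on the OS.
SYSTEM_DIRS = (r"C:\Windows\System", r"C:\Winnt\System32")

# First token of a Run value: the executable, with or without surrounding quotes.
_EXE_RE = re.compile(r'^\s*"?(?P<exe>[^"]+?\.exe)"?(?=\s|$)', re.IGNORECASE)


def executable_of(command: str) -> str:
    """Return the executable path a Run-key command launches ('' if none is found)."""
    m = _EXE_RE.match(command)
    return m.group("exe") if m else ""


def is_klez_drop_path(exe_path: str) -> bool:
    """True if exe_path is <System dir>\\Wink<anything>.exe, the Klez.H drop name."""
    path = exe_path.strip().lower()
    for system_dir in SYSTEM_DIRS:
        prefix = system_dir.lower() + "\\"
        if path.startswith(prefix):
            name = path[len(prefix):]
            # Must be a file directly in the System directory, not in a subfolder.
            return "\\" not in name and name.startswith("wink") and name.endswith(".exe")
    return False


def find_suspicious_run_entries(run_values: Dict[str, Dict[str, str]]) -> List[str]:
    """run_values maps a Run key path to its {value name: command} pairs.

    Returns one 'key\\value -> command' line per entry that launches a
    Klez-style drop path.
    """
    hits = []
    for key, values in run_values.items():
        for value_name, command in values.items():
            if is_klez_drop_path(executable_of(command)):
                hits.append(f"{key}\\{value_name} -> {command}")
    return hits


# Constructed sample export (hypothetical value names and filenames, not real data).
SAMPLE_RUN_VALUES = {
    RUN_KEYS[0]: {
        "SystemTray": r"SysTray.Exe",
        "Wink6f2a": r"C:\Windows\System\Wink6f2a.exe",
    },
    RUN_KEYS[1]: {
        "Notepad": r"C:\Windows\notepad.exe",
        "Winkq9z": r'"C:\Winnt\System32\Winkq9z.exe" /s',
    },
}

if __name__ == "__main__":
    for line in find_suspicious_run_entries(SAMPLE_RUN_VALUES):
        print("suspicious autostart:", line)
```

The check is deliberately narrow: it keys on the directory plus the Wink prefix rather than on the random suffix, which is the only stable part of the name the article describes. A legitimate program installed into the System directory with a Wink-prefixed name would also be reported, so treat a hit as a lead for the removal tool, not as proof on its own.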

Klez.H makes copies of itself on the system and any attached network computers using a random filename with a double extension. The worm then mails itself through Microsoft Outlook to addresses taken from ICQ and the Windows Address Book. Every element of the Outlook e-mail message created by Klez is chosen randomly, including the subject line, message body, and even the attachment names.

When the worm attaches a second user file to the e-mail, the file is randomly selected from those with any of 10 to 15 extensions, including word processing (such as .doc), spreadsheet (such as .xls), PDF, text, and some imaging files. Obviously, this could easily result in confidential corporate files being sent across the Internet by Klez.
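The two paragraphs above, together with the later note that subject lines cannot be relied on, describe an e-mail that is random in everything except the shape of its attachments: a random filename with a double extension, sometimes paired with a stolen user document. The following is an added example of a mail-gateway attachment check built on that observation; it is not code from the article or from any antivirus vendor. The extension sets are assumptions (the article names .exe and a handful of document types; the additional executable types and the exact document list are mine), and the sample messages are constructed.

```python
from typing import Dict, List, Tuple

# Attachment types treated as executable. The article names .exe; the others
# are common Windows executable attachment types added here as an assumption.
EXEC_EXT = {"exe", "scr", "pif", "bat", "com"}

# Document types Klez.H may steal as a second attachment. The article cites
# word-processing, spreadsheet, PDF, text and image files; this list is illustrative.
DOC_EXT = {"doc", "xls", "pdf", "txt", "rtf", "jpg", "gif", "bmp"}


def extensions(filename: str) -> List[str]:
    """Every extension after the first dot, lower-cased: 'a.xls.exe' -> ['xls', 'exe']."""
    return filename.lower().split(".")[1:]


def last_extension(filename: str) -> str:
    exts = extensions(filename)
    return exts[-1] if exts else ""


def classify_message(attachments: List[str]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) for one message's attachment list.

    quarantine: a double-extension executable, or an executable shipped with a
                user document (the Klez.H pattern)
    review:     any other executable attachment
    deliver:    no executable attachment
    """
    reasons: List[str] = []
    executables = [a for a in attachments if last_extension(a) in EXEC_EXT]
    documents = [a for a in attachments if last_extension(a) in DOC_EXT]

    for name in executables:
        if len(extensions(name)) >= 2:
            reasons.append(f"double-extension executable: {name}")
    if executables and documents:
        reasons.append(
            f"executable {executables[0]} sent together with document {documents[0]}"
        )

    if reasons:
        return "quarantine", reasons
    if executables:
        return "review", [f"executable attachment: {executables[0]}"]
    return "deliver", []


def triage(messages: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each message id to its verdict. Subject and body are ignored on purpose:
    the worm randomizes both, so only the attachments carry a usable signal."""
    return {msg_id: classify_message(atts)[0] for msg_id, atts in messages.items()}


# Constructed sample traffic (message ids and filenames are made up).
SAMPLE_MESSAGES = {
    "msg-001": ["report.doc"],
    "msg-002": ["budget.xls.exe"],
    "msg-003": ["setup.exe", "quarterly_forecast.xls"],
    "msg-004": ["tool.exe"],
    "msg-005": [],
}

if __name__ == "__main__":
    for msg_id, verdict in triage(SAMPLE_MESSAGES).items():
        print(msg_id, verdict, classify_message(SAMPLE_MESSAGES[msg_id])[1])
```

The executable-plus-document rule is the one that matters for the data-leak case the article raises: the worm's own copy is what infects the recipient, but the second attachment is the confidential file leaving the organization, so a gateway that quarantines on that pairing stops the leak as well as the infection.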

The U.K.-based MessageLabs managed e-mail service provider reported a dramatic increase in attacks from the worm on Friday, April 19, having seen a total of 46,000 copies late that day. The company also reports that it first encountered Klez.H in an e-mail originating from the United States.

The W32.Elkern.3587 virus (with a random name) planted on systems by Klez.H will activate on March 13 and September 13. If not removed before either date (no year specified), the payload of the virus will crash the computer and attempt to destroy all files on local or mapped drives.

The McAfee site describing Klez.H has a much longer list of antivirus programs that the worm will attempt to disable than the Symantec site provides. The McAfee description also lists a different set of possible subject lines that the worm may randomly select. That doesn’t mean that either description is incorrect, merely that a vast number of variations is possible, so you can’t see this worm coming and filter it based on subject line.

F-Secure reports that the worm contains the following text hidden in its code, although the message is never displayed:
“Win32 Klez V2.01 & Win32 Foroux V1.0
 Copyright 2002,made in Asia
 About Klez V2.01:
 1,Main mission is to release the new baby PE virus,Win32 Foroux
 2,No significant change.No bug fixed.No any payload.
 About Win32 Foroux (plz keep the name,thanx)
 1,Full compatible Win32 PE virus on Win9X/2K/NT/XP'
 2,With very interesting feature.Check it!
 3,No any payload.No any optimization'
 4,Not bug free,because of a hurry work.No more than three weeks
   from having such idea to accomplishing coding and testing'”

Mitigating factors
Since you have to open an e-mail containing the infection to be affected by the worm, you can avoid it simply by practicing good e-mail procedures. If you never open attachments you aren’t expecting, it’s difficult to catch most worms, including Klez.

Of course, Microsoft programs may open infected files for you if you aren’t careful; for instance, if you failed to apply patch MS01-020, Microsoft Outlook or Outlook Express will automatically open and execute the attached worm. In that case, unless you have an up-to-date antivirus program installed, your systems will be infected.

The other important mitigating factor is that if you have updated your antivirus software within the past month, you're probably protected against this worm. Obviously, a lot of organizations don’t follow safe e-mail procedures or keep their virus signature files updated, because this is a fast-spreading worm that is nailing a lot of mailboxes.

Final word
This worm is particularly dangerous because, as it develops, each version becomes more destructive and also because it is difficult to recognize the incoming e-mail. In addition to damaging files, the latest version randomly transmits unmodified files from the victim’s computer, and these files may contain confidential information.