Klez Email Worm Disguises Itself With Many Subjects, Senders

[Guest guest]

Klez Email Worm Disguises Itself With Many Subjects, Senders

By Joe Kovacs

© 2002 WorldNetDaily.com

4-26-2

If you're seeing a sudden surge in the amount of e-mail in your inbox,

chances are it has little to do with your popularity.

Delete buttons on personal computers are getting a workout this week thanks

to a tricky e-mail worm tunneling across America and the rest of the world.

Known as " Klez, " the worm has been bombarding mailboxes with unsolicited

messages, replicating itself and changing its own appearance by displaying a

variety of subjects and senders.

" It's a worm that spreads really quickly, " said Sharon Ruckman, senior

director for anti-virus software maker Symantec's security response team.

" And it carries an additional payload that can do some damage. "

That additional payload is a virus known as " Elkern, " which tries to infect

other systems by sharing information. When combined with Klez, the two

create problems that go beyond large amounts of incoming mail.

" It can release confidential information on your system which is never a

good thing to have happen, " Ruckman told WorldNetDaily. " It also has the

ability to remove anti-virus software. "

Klez is more deceptive than some previous problem e-mails, as it has a wide

variety of titles displayed in the subject line, and can latch on to an

e-mail address of someone a user knows and insert it in the " From " field,

making users more apt to open it and thus get infected.

Some of the titles listed in infected e-mails include:

how are you

let's be friends

darling

so cool a flash,enjoy it

your password

honey

some questions

please try again

welcome to my hometown

The Garden of Eden

introduction on ADSL

meeting notice

questionnaire

congratulations

sos!

japanese girl VS playboy

look,my beautiful girl friend

eager to see you

spice girls' vocal concert

japanese lass' sexy pictures

Klez also uses some combinations of random words in subject lines, to make

it even more confusing. The random words include:

new

funny

nice

humour

excite

good

powful

WinXP

IE 6.0

W32.Elkern

W32.Klez.E

Symantec

Mcafee

F-Secure

Sophos

Trendmicro

Kaspersky

Some messages even appear to be trying to help PC users by offering a patch

or removal tool for Klez or Elkern, but are nothing more than the worm

itself.

" They're trying to get people to open it, " Ruckman said regarding the virus

writers' clever deception skills. She adds her company does not e-mail

people randomly with removal tools.

Symantec has ranked Klez at a category 3 medium risk on a scale of 1 to 5,

with 5 being the most dangerous.

" That means it's spreading in the wild more quickly, but it's not as serious

as [other viruses like] or LoveBug, " Ruckman said. She also says the

Nimda virus which debuted last year is still problematic.

According to anti-virus software maker Trend Micro's world virus tracking

center, Elkern and Klez are currently the top two ranked viruses. In the

past 24 hours, they are estimated to have infected over 400,000 files

globally.

Several strategies can be employed in preventing computers from being

infected. Home PC users should avoid opening the messages and delete e-mails

with attachments, especially if something appears strange in the subject or

sender's line.

" Don't be curious about e-mail, " Ruckman said. " Just delete it. " Once

deleted, users should also empty their trash bins.

She also recommends having anti-virus software on your machine, plus the

" latest and greatest software patches, " which can be downloaded from

Microsoft.

Corporate e-mail users can have their system administrators attack the

problem by filtering out certain attachments and subject lines at the

gateway of their mail servers.

If a computer has been infected, free removal tools are available from both

Symantec and Trend Micro.

But despite assurances from anti-virus companies, some organizations like

ACT Teleconferencing in Hong Kong are having trouble curing the problem.

" Irrespective of what Symantec or other vendors say, there has been no way

to stop this worm in the short term, " Bob Deverell of ACT told the South

China Morning Post this week.

" We have been struggling to clean our machines, " he said. " We haven't been

able to stop it and we're very competent. "

http://www.wnd.com/news/article.asp?ARTICLE_ID=27376