|
-
March 6th, 2002, 03:06 PM
#1
Virus Heads Up
Beware: Worm Set to Strike Wednesday
Antivirus vendors urge updates to guard against file-destroying Klez.
Sam Costello, IDG News Service
Antivirus firms F-Secure and Central Command are warning that the Klez.e worm, which can delete files, halt the work of security programs, and spread itself when an infected e-mail is opened, is set to trigger on Wednesday. Users are urged to update antivirus definitions and scan their PCs as soon as possible.
The Klez worm is much like any other self-propagating, mass mailer worm, in that it harvests e-mail addresses from the Windows address book of infected PCs and sends itself to addresses listed there, according to F-Secure. Unlike some other worms, though, Klez also grabs addresses from the chat program ICQ and appears in in-boxes with multiple subject lines. Among the subject lines Klez uses are "how are you," "let's be friends," "your password," "some questions" and "congratulations," F-Secure said in its alert. The worm even masquerades as a virus alert, the company said.
Advertisement
The worm is automatically executed when an infected message is opened, according to F-Secure, and infected messages are then sent using a Simple Mail Transfer Protocol (SMTP) engine built into Klez. Infected messages do not necessarily have an attachment to open--spreading the worm can occur simply by opening an infected e-mail.
Files Vulnerable
When Klez infects a PC, it installs itself into the registry, infects executable files, and kills the tasks launched by security programs running on the PC. Programs targeted include those offered by Symantec, Network Associates, F-Secure, Sophos, and Trend Micro--all of which market antivirus products. The worm also removes the autostart components of these programs, disabling them, F-Secure said.
Microsoft addressed the Klez worm in a recent update of Internet Explorer. IE versions 5.01 and 5.5 are vulnerable to the worm.
The worm has an even more damaging payload, however, that is activated when a certain combination of dates occurs, according to F-Secure. On the sixth day of odd-numbered months (January, March, May, July, September, November) the worm attempts to overwrite all files on the infected PC that have specific extensions. Among those targeted are such common file types as .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, and .mp3, according to F-Secure. Wednesday, the sixth day of March, an odd-numbered month, is such a file-deletion day.
Klez has been around since late 2001, though it has gone through a number of variations.
-
March 6th, 2002, 03:57 PM
#2
http://vil.mcafee.com/dispVirus.asp?virus_k=99237&
Mcafee notes that the minimum of dat file 4170 will keep it in check. I am sure the other AV makers have you covered too.
------------------
"A nod is as good as a wink to a blind horse" - Rod Stewart
-
March 6th, 2002, 04:19 PM
#3
You should also be ensuring that you have applied this patch which closes the loophole used by this virus and others.
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
