Klez.e worm spreading
- 06 March, 2002 12:49
The Klez.e worm is spreading with more than 50 reported cases of infections in Australia, according to Computer Associates virus research manager Jakub Kaminski.
The self-propagating mass mailer worm has made it into CA's top three warning list and users are being advised to update antivirus definitions and scan machines as soon as possible.
Kaminski said the worm was first identified in January this year. Subject lines Klez uses include "how are you", "let's be friends", "your password", "some questions" and "congratulations".
Trend Micro has reported 18,000 infections worldwide with Asia heavily hit.
The company's antivirus expert in Australia, Andrew Gordon, said the extent of damage is yet to be determined but it is critical for enterprises to have measures in place at the Internet gateway or Microsoft Exchange Server.
"Once the virus has reached the desktop, the damage can be much greater, and it will stay in the ecosystem for some time," he said.
When Klez infects a PC, it installs itself into the registry, infects executable files and kills the tasks launched by security programs running on the PC. Programs targeted include those offered by Symantec, Network Associates, F-Secure, Sophos and Trend Micro. The worm also removes the autostart components of these programs, disabling them.
The worm has an even more damaging payload, however, that is activated when a certain combination of dates occurs, according to F-Secure. On the sixth day of odd-numbered months (January, March, May, July, September, November), the worm attempts to overwrite all files on the infected PC that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak and .mp3. Wednesday, the sixth day of March, an odd-numbered month, is such a file-deletion day.