'Quick-change artist' worm spreading fast via e-mail
April 27, 2002
A rogue computer program that is the online equivalent of a quick-change artist is infecting computers around the world via e-mail and clogging computer networks.
The program, W32/KLEZ.H, is a "blended threat," combining elements of a virus that infects machines and a worm that transports itself from machine to machine. It also tries to disable some anti-virus programs.
It makes itself hard for users to spot by changing its e-mail subject line, message and name of the attachment at random, drawing from a database that includes, for example, such subject lines as "Hello, honey," and "A very funny website."
The program has grown increasingly common as users unknowingly activate it -- sometimes without even opening the e-mail attachment that carries the virus -- and allow it to send copies of itself to those in the victim's e-mail address file.
"It is exploding," said Keith Peer, chief executive of Central Command, a computer security company.
The rapid spread of the program caused Symantec and McAfee.com, two prominent computer protection companies, to upgrade their warnings about it in recent days.
Symantec said on its Web site that it now considered the program a "category 4" risk, its second-highest ranking.
The program exploits vulnerable spots in computer programs, most notably a problem in earlier versions of Microsoft's mail programs, Outlook and Outlook Express, that allows some types of computer programs to be activated even if they are in the "preview pane."
The program can also grab files randomly from victims' hard drives and send them out, but it does little damage to the machines themselves, anti-virus companies have reported.
Microsoft has had patches available to fix these problems for more than a year, but many people do not keep their software up to date, said Vincent Weafer, the director of research at Symantec Security Response.
Although most anti-virus software programs already provided protection against the Klez family, the new variant has enough new wrinkles to trick some of the digital sentries.
The latest versions of software have been updated to block the worm, and the companies offer free online tools to cleanse infected machines.
By JOHN SCHWARTZ. Copyright © 1999-2002 Seattle Post-Intelligencer