Virus Update: F-Secure Maintains Level 2 Alert on Klez.H
April 23, 2002
F-Secure Corporation is maintaining a "Level 2" alert status for the Klez.H virus, which has been spreading around the world for a week. Klez.H is a mass-mailing Windows worm, which can generate massive amounts of e-mail traffic. Found in the wild on April 17 in various countries in Asia, the worm has been spreading globally, with infections reported especially heavily in the USA, UK and Central Europe.
"It looks like Klez.H is going to be around for a while, probably months," commented Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "It hasn't shown much sign of slowing down over the past few days, although all major antivirus programs detect it already, proving that there are lots of users out there without up-to-date anti-virus protection."
Klez.H is the eighth in a series of viruses written by an individual who is most likely operating from mainland China or Hong Kong. The first virus in this family was found in October 2001. Most of the viruses in the Klez family have spread worldwide. Klez.H, like other Klez viruses, spreads as an e-mail attachment. On some systems the attachment can execute automatically when the e-mail is read.
Although it uses a long list of different e-mail subjects, Klez.H sometimes also uses random text as the e-mail subject. The worm can generate different types of e-mails that look like they have been sent by people or by companies. The name of the attachment is random, but always has the extension BAT, PIF, SCR or EXE.
Klez.H sometimes picks data files (such as Word documents or JPG pictures) from the infected machine and attaches them to the messages it sends out. This results in confidential information being disclosed to third parties. It also means that Klez.H might sometimes spread other viruses unintentionally. For example, if a user has DOC files infected with a macro virus, Klez might send them to third parties, spreading the macro virus even further.
F-Secure Corporation continues to monitor Klez.H, maintaining the status as a Level 2 alert under the F-Secure Radar alerting system. Level 1 is the highest level of alert.
F-Secure Anti-Virus detects and disinfects the worm. Users can also combat Klez and similar viruses by updating their web browser and e-mail client with the latest security patches. System administrators can stop Klez and many similar threats by filtering dangerous e-mail attachment types either at the firewall or at the e-mail gateway level.
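As an illustration of the gateway-level attachment filtering mentioned above, the following added example (not F-Secure's tool or code) flags MIME parts whose filename ends in one of the four extensions this release lists for Klez.H. The function names and the sample messages are hypothetical and constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions this release says Klez.H attachments always carry.
BLOCKED_EXTENSIONS = {".bat", ".pif", ".scr", ".exe"}


def blocked_attachments(raw: bytes) -> list[str]:
    """Return the filenames of MIME parts whose final extension is blocked."""
    # policy.default decodes RFC 2231 / RFC 2047 encoded filenames for us.
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # walks nested multiparts and attached messages
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.exe." still runs.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last suffix matters: "photo.jpg.scr" is a .scr file.
        if PurePosixPath(cleaned).suffix in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Build a constructed test message with one harmless attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("constructed body text")
    m.add_attachment(b"harmless placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("Photo.JPG.ScR", "report.doc", "setup.exe."):
        verdict = "BLOCK" if blocked_attachments(build_sample(fn)) else "pass"
        print(f"{fn!r}: {verdict}")
```

A gateway would quarantine or reject any message for which `blocked_attachments` returns a non-empty list; matching on the final extension alone would not catch renamed or archived files.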
F-Secure is distributing a free tool to disinfect Klez. This program, as well as a technical description and screenshots of the Klez virus, is available at http://www.F-Secure.com/v-descs/klez_h.shtml
Copyright © 2002; Business Wire