Annoying Worm Writer Wants Job
April 19, 2002
The latest virus to hit e-mail inboxes is little more than a slight variant of a year-old virus. But it's beginning to resemble never-ending installments of a lousy horror movie series with only minor plot variations.
Even so, antiviral firms report that the latest variant of Klez is spreading rapidly, just as its most recent predecessor did last month.
"Klez is starting to feel like Nightmare on Elm Street," said Nick Anders, a British technical support supervisor. "There always seems to be a new version. It's never particularly clever, but that doesn't stop it from being successful."
The latest version of Klez has been dubbed "Klez.g" or "Klez.h" by various antiviral companies. But it can be easily identified by a message in the e-mail that carries the virus attachment, which states that the attachment is an antidote to the Klez virus.
One trick employed in recent versions of the virus is spoofing e-mail "From" information. E-mails containing the recent version of Klez typically appear to have been sent from antiviral software companies, or from persons known to the recipient.
Antiviral experts say that when a computer or a network is infected, Klez picks up addresses from the infected system and inserts them into the "From" line of e-mails. Viewing the entire e-mail header does display the actual sender's e-mail address.
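As an added example (not part of the original article), the following Python script parses a constructed message's full headers and flags where the visible "From" line disagrees with the envelope sender (Return-Path) and the first Received hop; every address and host in it is made up.

```python
# Added example (not from the original article): inspect a raw message's full
# headers to expose a spoofed "From" line of the kind Klez forged.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the visible From claims an antivirus vendor, but the
# envelope sender and the first Received hop point at the real origin.
SAMPLE_MSG = """\
Return-Path: <alice@home-isp.example>
Received: from pc-alice.home-isp.example ([192.0.2.10])
\tby mx.recipient.example with SMTP; Thu, 18 Apr 2002 09:12:33 +0000
From: support@av-vendor.example
To: bob@recipient.example
Subject: Klez removal tool

Note: Because this tool acts as a fake Klez to fool the real worm,
some AV monitors maybe cry when you run it. If so, ignore the warning.
"""

def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address, or '' if absent."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def header_findings(raw):
    """Compare the visible From header against envelope and relay evidence.

    Returns the parsed fields plus a list of textual findings; an empty list
    means the headers are mutually consistent, which is not proof of safety.
    """
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    received = msg.get_all("Received", [])
    # The bottom-most Received line is the first hop, i.e. closest to the origin.
    first_hop = received[-1].split()[1].lower() if received else ""
    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {envelope_dom}")
    if first_hop and not first_hop.endswith(from_dom):
        findings.append(f"first relay {first_hop} is not in From domain {from_dom}")
    return {"from": from_dom, "envelope": envelope_dom,
            "first_hop": first_hop, "findings": findings}

if __name__ == "__main__":
    for finding in header_findings(SAMPLE_MSG)["findings"]:
        print("suspicious:", finding)
```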
The latest version of Klez also includes a second virus, "Elkern," which attempts to infect all executable files on an infected machine, and can delete the contents of infected drives on March 13 and September 13.
The creator, or creators, of Klez continuously tinker with the virus. Typically, there is a message buried in the virus' code. The contents of this message have varied: at different times the writer has included a plea for a job, a rant about how little money the virus writer is making, or tech notes to anti-viral researchers pointing out the newly added features.
Klez's creator appears to have released the original worm as a bizarre sort of job application.
The first versions of the worm, spotted in October 2001, contained this message, visible only during an analysis of its code: "I'm sorry to do this but it's helpless to say sorry. I want a good job. I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? No more than $5,500. What do you think of this fact? Don't call me names, I have no hostility. Can you help me?"
The latest version of Klez contains a less whiny message, claiming the worm was made in Asia and advising antiviral firms that the virus was "Not bug free, because of a hurry work. No more than three weeks from having such idea to accomplishing coding and testing."
He also boasted that there was a new and "very interesting" feature included. Anti-viral experts said they'd yet to identify anything particularly interesting.
Recent versions of Klez employ a variety of random subject lines. The version that is on the loose this week can also vary subject lines, but so far the e-mail has contained one standard message warning about the danger of the Klez worm and advising users to execute the attached "antidote" file.
The text of the e-mailed message also includes a note telling users to ignore any warnings from antiviral software companies that the attachment is infected. The message reads: "Note: Because this tool acts as a fake Klez to fool the real worm, some AV monitors maybe cry when you run it. If so, ignore the warning, and select 'continue.'"
The virus can launch automatically when users open the infected e-mails on systems that have not been patched for a year-old vulnerability in Internet Explorer, Outlook and Outlook Express.
Once active, Klez uses its own mailing engine to send e-mails to addresses in the infected machine's Windows Address Book. It is also capable of infecting networks, which qualifies Klez as a hybrid virus/worm.
Antiviral firms reported that the worm began spreading again in Asia late Monday. Most antiviral companies rated Klez as a moderate to high threat on Thursday morning.
Another version of Klez, released last month, topped all the antiviral companies' "most active" charts in March.
Klez can be detected or removed by updated antiviral programs.
Some companies have also released removal programs specifically to purge Klez. F-Secure's free removal tool is directly downloadable from the company's FTP site (Zip file). F-Secure asks that users read the KLEZTOOL.TXT file included in the Zip archive before using the tool.
By Michelle Delio. Copyright © 2002, Lycos, Inc.