F-Secure Corporation (HEX:FSC) is still monitoring the Klez.H virus, which has been spreading around the world for a week. Klez.H is a mass-mailing Windows worm, which can generate massive amounts of e-mail traffic.
Klez.H was found in the wild on April 17th in various countries in Asia. Since then, the worm has been spreading globally. In addition to Asia, infections have been reported in particular in the USA, the UK and Central Europe.
"It looks like Klez.H is going to be around for a while - probably months," comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "It hasn't shown much sign of slowing down over the past few days although all major antivirus programs detect it already - proving that there are lots of users out there without up-to-date anti-virus protection".
Klez is the eighth in a series of viruses written by an individual who is most likely operating from mainland China or Hong Kong. The first virus in this family was found in October 2001, and most of the viruses in the Klez family have spread worldwide. Klez.H, like the other Klez viruses, spreads as an e-mail attachment; on some systems the attachment can execute automatically when the e-mail is read.
Klez.H draws on a long list of different e-mail subject lines when sending itself out, and sometimes uses random text as the subject. The worm can generate several types of e-mail that appear to have been sent by individuals or by companies. The name of the attachment used by Klez.H is also random, but it always carries the extension BAT, PIF, SCR or EXE.
Klez.H also sometimes picks data files (such as Word documents or JPG pictures) from the infected machine and attaches them to the messages it sends out. This discloses confidential information to third parties, and it also means that Klez.H might sometimes spread other viruses unintentionally: for example, if a user has DOC files infected with a macro virus, Klez might send them to third parties, spreading the macro virus further.
F-Secure Corporation is still maintaining Klez.H as a Level 2 alert under the F-Secure Radar alerting system. Level 1 is the highest level of alert.
F-Secure Anti-Virus detects and disinfects the worm. Users can also combat Klez and similar viruses by updating their web browser and e-mail client with the latest security patches. System administrators can stop Klez and many similar threats by filtering dangerous e-mail attachment types either at the firewall or at the e-mail gateway level.
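The gateway-side attachment filtering recommended above, as an added illustration that is not part of the F-Secure release or its tools: the block list is the set of extensions the release says Klez.H always uses, the sample message is constructed (not a real Klez sample), and only the final extension is checked, so a double extension such as "photo.jpg.SCR" is still caught.

```python
import email
from email import policy

# Attachment extensions the press release names as Klez.H carriers.
BLOCKED_EXTENSIONS = {"bat", "pif", "scr", "exe"}

def attachment_names(raw_message: bytes):
    """Yield the filename of every non-container MIME part that declares one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if not part.is_multipart() and part.get_filename():
            yield part.get_filename()

def is_blocked(filename: str) -> bool:
    """Case-insensitive check on the final extension only, so a double
    extension such as 'photo.jpg.SCR' is still caught."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS

def blocked_attachments(raw_message: bytes) -> list:
    """Return the attachment filenames a gateway filter should reject."""
    return [n for n in attachment_names(raw_message) if is_blocked(n)]

# Constructed sample (not a real Klez message): a benign document plus an
# executable hiding behind a double extension.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: a funny game\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
    b"\r\n"
    b"--BOUND\r\n"
    b'Content-Type: application/msword; name="minutes.doc"\r\n'
    b'Content-Disposition: attachment; filename="minutes.doc"\r\n'
    b"\r\n"
    b"not really a document\r\n"
    b"--BOUND\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="photo.jpg.SCR"\r\n'
    b"\r\n"
    b"MZ\r\n"
    b"--BOUND--\r\n"
)

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))  # ['photo.jpg.SCR']
```

A real gateway would reject or quarantine the whole message when this list is non-empty, rather than stripping the single part.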
F-Secure is distributing a free tool to disinfect Klez. This program, as well as a technical description and screenshots of the Klez virus, is available at http://www.F-Secure.com/v-descs/klez_h.shtml