, Newsbytes 2002-04-17
Virus watchers say a variant of an already common Windows worm has begun making its way around the Internet, and this time it's packing the ability to replace legitimate executable programs with its own malicious code.Anti-virus companies said today that Klez.H is a revamped version of the three-month-old Klez.E worm, which is itself traced back to a mass-mailing worm first spotted in October of 2001.
F-Secure Corp. reported that Klez.H was first spotted in Asia today and is probably now spreading to Europe and North America.
All variants of the Klez worms can arrive attached to e-mail sporting one of several different subject lines, or spread within local networks by copying itself to shared computer drives.
The Klez worms also carry with them variants of a second virus known as ElKern, which Klez deposits on compromised PCs and then launches.
Other versions of Klez carried a destructive payload that saw it begin a mass-destruction of files on infected computers on the 13th day of even-numbered months.
Symantec's Security Response team reported that the new incarnation doesn't destroy other files. Instead it replaces legitimate executable files with its own code, helping to ensure that it will launch again. The original legitimate programs are copied to files with new random file extensions and properties that hide them from normal directory displays.
The Klez worms can take advantage of a year-old bug in some versions of the Internet Explorer browser to launch automatically when users simply view the worm's bogus e-mail. The browser is used to display HTML-formatted mail in programs such as Outlook Express.
While the anti-virus companies say their software can spot all versions of Klez, its ability to disable some virus-checking software can make it difficult to clean up once it gets a foothold on a PC.
Symantec's information on Klez.H is here: http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h (at) mm (dot) html [email concealed]
Kaspersky's information is here: http://www.viruslist.com/eng/viruslist.html?id=4292 .
F-Secure's is here: http://www.f-secure.com/v-descs/klez_h.shtml .
Information on the Internet Explorer vulnerability is here: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp .
Reported by Newsbytes.com, http://www.newsbytes.com .