Mass-mail worm turns on SAR computers

PUBLISHED : Friday, 19 April, 2002, 12:00am
UPDATED : Friday, 19 April, 2002, 12:00am

Hong Kong computer networks have come under attack from a new variant of the mass-mailing Klez worm, which disables basic anti-virus programs. It has infected computer systems across Asia, North America and Europe.

'This virus activity is still spreading,' said Roy Ko of the Hong Kong Computer Emergency Response Team (HKCert) Co-ordination Centre, which tracks computer network security incidents.

He declined to give the extent of infections in the SAR but said the centre had received nine reports by late yesterday afternoon. These involved companies with a hundred or more personal computer users.

Officials from anti-virus software vendors Symantec, Sophos and Network Associates in Hong Kong and Singapore said their customers had not reported any infections.

But Mr Ko said HKCert had monitored increased infections worldwide based on the decision of some anti-virus makers, such as Trend Micro and Symantec, to classify the new Klez variant as medium risk. Other anti-virus specialists, including Sophos and Network Associates, rated the worm low risk.

Depending on the organisation tracking it, the new worm is known as Klez.K, Klez.I, Klez.H or Klez.G. It is a variant of the three-month-old Klez.F worm, one of the fastest-spreading viruses reported in February and a variant of the original Klez worm first spotted in October last year.

Charles Cousins of Sophos and Abby Tang of Network Associates said the new Klez variant showed an emerging trend for virus authors to write new and improved versions of an existing malicious program, much like making a movie with multiple sequels. One unknown virus author last year wrote 30 different variants of a single malicious program.

The new Klez variant, which is capable of spreading via network connections, arrives as an e-mail message with more than a hundred possible subject lines, including 'darling' and 'how are you'. It exploits a year-old vulnerability in Microsoft's Outlook and Outlook Express programs to search for addresses and vulnerable server computers.

A recipient need not double-click on the message to get infected because the malicious program has its own engine to send and replicate itself.

Its payload - or damaging feature - replaces legitimate executable programs on a computer with its own malicious code. This ensures that it will launch again. The original programs are copied to files with new random file extensions and properties that hide them from normal directory displays.

The worm is known to disable virus scanners and some previously distributed worms, such as W32.Nimda and CodeRed, by stopping any active processes.

It can spread through a network by copying itself through shared computer drives. It carries a second virus known as ElKern, which is deposited on compromised PCs and is launched again.

David Sykes, managing director for Symantec North Asia, said: 'We call the new Klez variant a blended threat, which means that the author has bolted together the characteristics of viruses, worms, Trojan horses and malicious code with server and Internet vulnerabilities to initiate, transmit and spread an attack.

'By using multiple methods and techniques, blended threats can spread rapidly and cause widespread damage.'

British firm MessageLabs, a managed services provider specialising in enterprise e-mail security that scans more than three million messages a day, reported that the first infections of the new Klez variant were found in Asia yesterday.