More trouble in store for Klez sufferers

PUBLISHED : Wednesday, 09 October, 2002, 12:00am
UPDATED : Wednesday, 09 October, 2002, 12:00am

Nothing blows away the cobwebs like a virus. Receiving one which corrupts or destroys files and generally causes mayhem is enough to enliven even the most jaded computer user.

Viruses come in an array of fancy and humorous names from Linux.Slapper.Worm to Backdoor.Zenmaster. But the one under scrutiny this week, which is the bane of security experts and has been dubbed 'the baddest virus on earth', sounds more like a sexually transmitted disease.

Introducing Klez, that is if you do not already have it. This particular breed of malicious code gets around.

Supposedly the most active virus in recent history, it has already infected nearly 10 per cent of computers worldwide and the number of victims continues to grow.

Like most prolific computer pests, Klez uses what has been called 'social engineering' to get the user to run the attached file containing the virus code.

That means playing on the user's desire for wealth, power or affection.

The Love Bug virus tried to hoodwink the recipient into believing a secret admirer had dispatched a love letter. Other viruses promise easy money or skin like a model's.

The Klez virus however is a master of seduction, its repertoire comprising more than just one come-on line. It has 120, among them the saccharine 'honey' and the deceptively familiar 'some questions'. So far so fiendish.

It gets worse. What truly makes Klez vile beyond the scope of the most expressive online insult generator is this: in many cases, the Klez worm does not even need you to open it to run.

Instead, it exploits a weak spot in Microsoft Outlook Express known as (deep breath) the Automatic Execution of Embedded MIME Type bug, opening itself automatically when viewed in the preview pane of an unpatched version of Outlook.

Curiously, the first thing Klez does is to check whether your computer is already infected with Nimda or Code Red. If it is, Klez kills them.

While this may smack of compassion, in fact it is just clearing the field of rivals that may compete for resources. Nimda and Code Red, while both a threat in their own right, are nowhere near as mean as Klez, which hunts for any network storage available on the infected computer and replicates itself to remote disk drives using a random file name.

Klez will also cull e-mail addresses and, using its own mail program, send itself to them. Worse still, it will even use the addresses to create a fake From: field in the e-mail message, disguising its true source.

Recipients of infected e-mail, unaware that the From information is sham - or even that they have received a virus - have been clogging networks with livid and bewildered e-mail, which triggers chaos.

People being signed up for newsletters and mailing lists that they never subscribed to has been a major source of frustration for users and the list owners. If Klez happens to send an e-mail From a user to an e-mail list's automatic subscription address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.

In a final twist, this remarkably thorough worm will try to cripple anti-virus software by deleting registry keys, stopping running processes and removing virus-definition files.

Thanks to its devious dynamism, Klez has evolved into a network curse on a global scale. The worm was exposed in spring last year. A year later it became recognised as one of the most dangerous and widespread viruses unleashed on the Internet.

If Klez has got its claws into you, go to

tool.html and download a program which will mend the damage, or try to.

Alas, it appears that the deviant responsible for the virus is still working on it, because newer variants of Klez feature self-encryption algorithms to make detection harder.

Confused by computer jargon? E-mail with your questions.