Under the Desktop: What’s Klez and Why Is It After Me?
As card-carrying members of the caste of information workers, creative professionals rely heavily on e-mail services. A steady stream of messages is necessary for the everyday functioning of our business. So something that could disrupt that flow might give us pause, right?
My concern of the moment is the W32/Klez worm and its many variants, one that keeps gaining in virulence and reach. Still, after taking a small, ad hoc poll, I found that almost no content creator was aware of the worm or understood its actions and its potential for mischief.
Klez 101
According to the Internet’s virus watchdog agency, the CERT Coordination Center, the Klez worm has gained momentum over the past half year, recently climbing to the top spot on the organization’s alert list. And while the first iterations of the worm were mainly an annoyance, later versions (designated by letters such as W32/Klez.H) can mangle files on your hard drive.
The Klez code is very clever and operates in several stages. While it infects only Windows systems, as you will see, the worm’s progress can be seen in the mailboxes of anyone, even Mac and Unix users.
First, the Klez program arrives on a system as an attachment to an e-mail message, although it can also spread its infection over the network.
When the worm’s attachment program is run, it installs its data in a hidden file on your hard drive. Klez has very sneaky ways to get you to run the attachment program — unlike older viruses and worms that used .EXE files, the attachment can sport any one of more than a dozen file name extensions, including the popular .HTM, .MP3 and .MPEG. It can even disguise itself as an antivirus settings file.
Klez was described as "a form of social engineering" by John "Zeke" Brumage, president of Zeke’s General Store, a small Internet service provider based in Central, Ariz. He said the number of files discovered by antivirus software was climbing daily. "If it gets through to a mailbox, someone will click on it sooner or later."
On the other hand, you don’t even have to click on the attachment for Klez to load. It will take advantage of the automatic execution "feature" in Microsoft Outlook and Outlook Express, especially for several media types (and remember that the attachment arrives in disguise, such as an audio file).
In another amazing action, the worm scans your system and attacks antivirus software! Klez also knows how to hide itself from the taskbar, thus avoiding detection.
To spread itself far afield, Klez gathers addresses from your Windows address book as well as from a variety of documents on the drive, such as Word and text files, and even saved HTML pages. These addresses could be from correspondence or inside work you’ve done for clients.
Or the addresses can be for online newsletters. Some folks have opened their mailboxes and found themselves subscribed to newsletters they never knew existed. Depending on the newsletter, this auto-subscribe "feature" can be an awkward experience. For example, I recently found myself subscribed to an Italian swingers newsletter (whoa!) as well as some duplicate subscriptions for computer lists I already belong to.
Finally, Klez uses its own SMTP engine to blast out these e-mail messages to the addresses it collected, inserting other addresses into the From line. The Subject line is filled in at random from a small dictionary of common words in the program, including "Undeliverable mail" and "Returned mail." It can also use text from your documents or mail. The worm even makes up a body text from another set of text snippets. And a copy of the worm accompanies each message.
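As an added example, not from the article or from any antivirus vendor, here is a Python screening function that applies two of the observations above: an executable attachment declared with a media content type (the disguise that the Outlook auto-execution behaviour acts on) and a Subject line taken from the worm's small dictionary. The executable-extension list and the sample message are constructed assumptions, not data from the article.

```python
import email
from email import policy

# Extensions Windows runs on double-click (assumed representative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}
# Top-level MIME types an executable may be declared as to pass for media.
MEDIA_TYPES = {"audio", "video", "image"}
# Subject strings the article says the worm picks from its built-in dictionary.
KLEZ_SUBJECTS = {"undeliverable mail", "returned mail"}

def screen_message(raw: bytes) -> list:
    """Return warnings for one raw RFC 822 message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KLEZ_SUBJECTS:
        warnings.append(f"subject matches worm dictionary: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # not an attachment
        name_l = name.lower()
        ext = "." + name_l.rsplit(".", 1)[-1] if "." in name_l else ""
        if ext not in EXECUTABLE_EXTS:
            continue  # only the final extension decides what Windows runs
        reason = f"executable attachment {name!r}"
        ctype = part.get_content_type()
        if ctype.split("/", 1)[0] in MEDIA_TYPES:
            # Media content type on an executable: the auto-run disguise
            reason += f" declared as {ctype} (media disguise)"
        if name_l.count(".") > 1:
            reason += " with a double extension"
        warnings.append(reason)
    return warnings

# Constructed sample message, not a real Klez message.
SAMPLE = b"""From: colleague@example.com
Subject: Undeliverable mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="song.mp3.exe"
Content-Disposition: attachment; filename="song.mp3.exe"

AAAA
--b1--
"""
```

A mail gateway or a per-user filter would call `screen_message` on each incoming message and quarantine anything that returns a non-empty list.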
The Fix Iz In
To combat Klez, it’s essential to make sure that you’re running the latest version of whatever antivirus software you’ve installed. Since the worm knows how to turn off the automatic routines of many antivirus programs, it’s useful to manually check your system for an infection.
There are also several patches for Microsoft Outlook and Internet Explorer:
- No patch is needed for those of you running Outlook 2000 with Service Release 1 or Outlook XP;
- For pre-SR1 Outlook 2000, install the Outlook E-mail Security Update, making sure to follow the page’s instructions carefully, since you might also need to install some other updates in a particular order;
- If you are running Internet Explorer 5.01 or 5.5 with Service Pack 1, then you should apply the Microsoft Security Bulletin MS01-027 patch (the actual download link is way at the bottom of the page);
- And finally, for users of Outlook 98, there’s the Outlook E-mail Security Update.
Microsoft offers an e-mail notification service for security alerts and patches, as well as a page devoted to security issues.
Zocial Engineering
As you can see, Klez is no ordinary infection. But you might ask: What is the big worry, aside from the usual destruction of files, inconvenience, and the way it can clog the veins of the Internet with junk?
For content creators, I suggest that Klez holds additional troubles: it could erode our remote workflow and disrupt our relationships with clients, suppliers, and partners.
Like you, I rely on Internet e-mail and attachments for my business. Although I admit to a fondness for the telephone, most of my communication with clients is via e-mail. In addition to the messages themselves, I send and receive important files, including invoices, images, and data. I place a lot of trust in that two-way communication.
With this worm, that trust is compromised. When I open my mailbox, each new message holds a question mark. Is an e-mail message really from a client, or was it sent by Klez? And if it’s the latter, is the attachment a graphics file that I should examine, or is it the Klez worm waiting to strike?
Worse, Klez sends its messages to anyone culled from your address book and documents. A message could appear to be from you or from someone else. Only Klez knows for sure.
In addition, Mac and Unix users shouldn’t be sanguine about Klez. In an odd twist, someone else’s infected machine could initiate an e-mail correspondence from you to a current client or a potential client. But you won’t know anything about it. It’s like a twisted branding episode of the Twilight Zone.
After reading this article, you may understand that an odd message out of the blue isn’t necessarily what it seems. But will the person on the receiving end of a similar message understand its Klez origin? Or perhaps a message addressed from you? And if a person receives an infected message, will they put the blame on you or some other party?
Given the current level of Klez awareness, the answers to those questions will hold no comfort for any of us. The answer is to defeat this worm with antiviral prevention.
Take your lead from Shalom ben Eleazar, who said: "The worst bondage is exile from peace of mind." Content creators should take an active role to prevent Klez infections on their machines and urge clients and friends to do the same.
Read more by David Morgenstern.
This article was last modified on January 18, 2023
This article was first published on May 23, 2002
