*** From the Archives ***

This article is from May 23, 2002, and is no longer current.

Under the Desktop: What’s Klez and Why Is It After Me?


As card-carrying members of the caste of information workers, creative professionals rely heavily on e-mail services. A steady stream of messages is necessary for the everyday functioning of our business. So something that could disrupt that flow might give us pause, right?

My concern of the moment is the W32/Klez worm and its many variants, a worm that keeps gaining in virulence and reach. Still, after taking a small, ad hoc poll, I found that almost no content creator was aware of the worm or understood its actions and its potential for mischief.

Klez 101
According to the Internet’s virus watchdog agency, the CERT Coordination Center, the Klez worm has gained momentum over the past half year, recently climbing to the top spot on the organization’s alert list. And while the first iterations of the worm were mainly an annoyance, later versions (designated by letters, such as W32/Klez.H) can mangle files on your hard drive.

The Klez code is very clever and operates in several stages. While it infects only Windows systems, as you will see, the worm’s progress can be seen in the mailboxes of anyone, even Mac and Unix users.

First, the Klez program arrives on a system as an attachment to an e-mail message, although it can also spread its infection over the network.

When the worm’s attachment program is run, it installs its data in a hidden file on your hard drive. Klez has very sneaky ways to get you to run the attachment program — unlike older viruses and worms that used .EXE files, the attachment can sport any one of more than a dozen file name extensions, including the popular .HTM, .MP3 and .MPEG. It can even disguise itself as an antivirus settings file.

Klez was described as "a form of social engineering" by John "Zeke" Brumage, president of Zeke’s General Store, a small Internet Service Provider based in Central, Ariz. He said the number of files discovered by antivirus software was climbing daily. "If it gets through to a mailbox, someone will click on it sooner or later."

On the other hand, you don’t even have to click on the attachment for Klez to load. It will take advantage of the automatic execution "feature" in Microsoft Outlook and Outlook Express, especially for several media types (and remember that the attachment arrives in disguise, such as an audio file).

In another amazing action, the worm scans your system and attacks antivirus software! Klez also knows how to hide itself from the taskbar, thus avoiding detection.

To spread itself far afield, Klez gathers addresses from your Windows address book as well as from a variety of documents on the drive, such as Word and text files, and even saved HTML pages. These addresses could be from correspondence or inside work you’ve done for clients.

Or the addresses can be for online newsletters. Some folks have opened their mailboxes and found themselves subscribed to newsletters they never knew existed. Depending on the newsletter, this auto-subscribe "feature" can be an awkward experience. For example, I recently found myself subscribed to an Italian swingers newsletter (whoa!) as well as some duplicate subscriptions for computer lists I already belong to.

Finally, Klez uses its own SMTP engine to blast out these e-mail messages to the addresses it collected, inserting other addresses into the From line. The Subject line is filled in at random from a small dictionary of common words in the program, including "Undeliverable mail" and "Returned mail." It can also use text from your documents or mail. The worm even makes up a body text from another set of text snippets. And a copy of the worm accompanies each message.

The Fix Iz In
To combat Klez, it’s essential to make sure that you’re running the latest version of whatever antivirus software you’ve installed. Since the worm knows how to turn off the automatic routines of many antivirus programs, it’s useful to manually check your system for an infection.

There are also several patches for Microsoft Outlook and Internet Explorer:

  • No patch is needed for those of you running Outlook 2000 with Service Release 1 or Outlook XP;
  • For pre-SR1 Outlook 2000, install the Outlook E-mail Security Update, making sure to follow the page’s instructions carefully, since you might also need to install some other updates in a particular order;
  • If you are running Internet Explorer 5.01 or 5.5 with Service Pack 1, then you should apply the Microsoft Security Bulletin MS01-027 patch (the actual download link is way at the bottom of the page);
  • And finally, for users of Outlook 98, there’s the Outlook E-mail Security Update.

Microsoft offers an e-mail notification service for security alerts and patches, as well as a page devoted to security issues.

Zocial Engineering
As you can see, Klez is no ordinary infection. But you might ask: What is the big worry, aside from the usual destruction of files, inconvenience, and the way it can clog the veins of the Internet with junk?

For content creators, I suggest that Klez holds additional troubles: it can possibly erode our remote workflow and disrupt our relationships with our clients, suppliers, and partners.

Like you, I rely on Internet e-mail and attachments for my business. Although I admit to a fondness for the telephone, most of my communication with clients is via e-mail. In addition to the messages themselves, I send and receive important files, including invoices, images, and data. I place a lot of trust in that two-way communication.

With this worm, that trust is compromised. When I open my mailbox, each new message holds a question mark. Is an e-mail message really from a client, or was it sent by Klez? And if it’s the latter, is the attachment a graphics file that I should examine, or is it the Klez worm waiting to strike?

Worse, Klez sends its messages to anyone culled from your address book and documents. A message could appear to be from you or from someone else. Only Klez knows for sure.

In addition, Mac and Unix users shouldn’t be sanguine about Klez. In an odd twist, someone else’s infected machine could initiate an e-mail correspondence from you to a current client or a potential client. But you won’t know anything about it. It’s like a twisted branding episode of the Twilight Zone.

After reading this article, you may understand that an odd message out of the blue isn’t necessarily what it seems. But will the person on the receiving end of a similar message understand its Klez origin? Or perhaps a message addressed from you? And if a person receives an infected message, will they put the blame on you or some other party?

Given the current level of Klez awareness, the answers to those questions will hold no comfort for any of us. The answer is to defeat this worm with antiviral prevention.

Take your lead from Shalom ben Eleazar, who said: "The worst bondage is exile from peace of mind." Content creators should take an active role to prevent Klez infections on their machines and urge clients and friends to do the same.

Read more by David Morgenstern.

  • anonymous says:

    I notice a news story on viruses from MacCentral titled “Mac Virus Susceptibility Questioned,” at /wp-content/uploads/sites/default/files/story_images/news/16703.html

    Here are the opening paragraphs:

    “It’s been a long-standing belief of many Mac proponents that their platform is inherently less susceptible to viruses than Windows. That’s a myth, according to an article recently published by Computing entitled Experts explode ‘Mac is safer’ myth.

    Writer James Middleton’s sole source for this refutation is a spokesperson for Symantec Corp., which makes anti-virus software for the Macintosh. Symantec also alleges that 62 percent of Mac users have migrated to the platform because of the perception of increased security, according to Middleton’s report. “In the past even the US Army has moved its web servers over to Mac OS in the mistaken belief that they will be more secure,” wrote Middleton.”

    I question much if not all of this. Certainly there are plenty of other good reasons to choose a Mac and that figure has the scent of statistical or polling voodoo.

    Regardless, the Mac isn’t safer on the virus front because of some technological advantage. However, it is *effectively* safer because few Mac programmers write viruses aimed at the platform AND because almost 100 percent of all viruses in the world are written for the Windows platform and don’t work on the Mac.

    For the user, the result is the same.

    daviD M.

  • anonymous says:

    Klez is indeed a nasty scourge. It might be wise, however, to offer some practical advice (in addition to applying Microsoft’s patches and upgrading anti-virus apps) to help dampen its spread. Here are some things I have been getting my coworkers to do:

    –Email software should be set to hide the ‘preview’ pane. With Mozilla/Netscape this can be accomplished with a single mouse click, but in Outlook Express and its cousins the Layout settings have to be changed. Doing so will prevent suspect messages from being inadvertently opened. Messages that the user wishes to open simply need to be double-clicked and they will appear in a new window.

    –In the email application’s list view the ‘message size’ column should be displayed. Klez-infected messages are always around 110 to 150 kb in size, making this piece of information an important warning flag.

    –Finally, displaying the source of a suspect message is a good (and safe) way of making a final check, as the source can be viewed without actually ‘opening’ the message. Command-u on recent Mac (control-u on Windows) versions of Mozilla/Netscape will bring this up; in Outlook Express you have to bring up the message’s properties and then click on the source button. Klez messages have little to no actual body text followed by a long block of attached virus code, and are hence fairly easy to spot this way.

    Best o’ luck.
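The indicators the article describes (subjects drawn from a small dictionary such as "Returned mail", a From line filled with harvested addresses, a disguised attachment that an unpatched mail client would auto-run as a media type) and the ones this commenter lists (110 to 150 KB message size, little or no body text followed by a long attachment block) can be checked mechanically before anyone double-clicks. The script below is an added example, not code from the article or from either commenter. It uses only Python's standard-library `email` package, treats the size band and the extension-to-MIME-type expectations as assumptions taken from the page, and runs over two constructed sample messages rather than captured mail. It deliberately ignores the From line, since the article explains that Klez spoofs it.

```python
"""Triage of Klez-style messages: report the indicators the article and the
commenter describe. Constructed sample messages only; no worm code involved."""
import email
from email import policy
from email.message import EmailMessage

# Subject strings the article names from the worm's small subject dictionary.
KLEZ_SUBJECTS = {"undeliverable mail", "returned mail"}
# Size band the commenter reports for infected messages (110 to 150 KB).
SIZE_MIN, SIZE_MAX = 110 * 1024, 150 * 1024
# Top-level MIME type one would expect for a file name extension (assumed table;
# the article's disguise extensions .htm, .mp3 and .mpeg are included).
EXPECTED_TOPLEVEL = {
    ".htm": "text", ".html": "text", ".txt": "text",
    ".mp3": "audio", ".wav": "audio", ".mpeg": "video", ".mpg": "video",
    ".pdf": "application", ".exe": "application", ".pif": "application",
    ".scr": "application", ".bat": "application",
}
# With an attachment present, a body shorter than this is "little to no body text".
MIN_BODY_CHARS = 40


def triage(raw: bytes) -> list:
    """Return the Klez-style indicators found in one raw RFC 822 message.

    The From line is not consulted: the article explains that Klez fills it
    with harvested addresses, so it carries no evidence either way."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in KLEZ_SUBJECTS:
        findings.append("subject drawn from worm dictionary")

    if SIZE_MIN <= len(raw) <= SIZE_MAX:
        findings.append("size inside reported Klez band")

    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    attachments = list(msg.iter_attachments())
    if attachments and len(body_text) < MIN_BODY_CHARS:
        findings.append("attachment with little or no body text")

    for part in attachments:
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # A DOS/PE executable begins with the "MZ" magic whatever the headers claim.
        if payload.startswith(b"MZ"):
            findings.append(f"attachment {name!r} is a Windows executable despite declared type {ctype}")
        # A media or text extension carried under a different declared type is the
        # mismatch that let old Outlook versions auto-run a disguised attachment.
        expected = EXPECTED_TOPLEVEL.get(ext)
        if expected and ctype.split("/")[0] != expected:
            findings.append(f"attachment {name!r} extension {ext} does not match declared type {ctype}")
    return findings


def build_sample(subject, body, filename, maintype, subtype, payload):
    """Construct a sample message (constructed for this example, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = "harvested.address@example.com"  # constructed; Klez spoofs this line
    msg["To"] = "you@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Worm-like sample: dictionary subject, empty body, "MZ" payload declared as audio
# under an .htm name, padded so the base64 form lands inside the 110-150 KB band.
SAMPLE_WORM_LIKE = build_sample(
    "Returned mail", "", "catalog.htm", "audio", "x-wav",
    b"MZ" + b"\x00" * (96 * 1024 - 2))

# Benign sample: ordinary subject, real body text, PDF declared as application/pdf.
SAMPLE_BENIGN = build_sample(
    "Invoice for May",
    "Hi, attached is the invoice for the May work as discussed. Thanks, Dana.",
    "invoice.pdf", "application", "pdf", b"%PDF-1.4 constructed placeholder")


if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM_LIKE), ("benign", SAMPLE_BENIGN)):
        found = triage(raw)
        print(f"{label}: {len(raw)} bytes, {len(found)} indicator(s)")
        for item in found:
            print("  -", item)
```

The "MZ" magic check is the strongest of the indicators: it does not care what the Content-Type header or file name claims, which is exactly the disguise the article describes. The subject, size and body-length checks are weak on their own and are meant to be read together, the way the commenter suggests reading the size column alongside the message source.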
