
Incident Update

W32/Klez.H@mm, the latest mass-mailing computer virus, sometimes tries to trick users into launching it by claiming to be a cure for an earlier variant of the same virus. The virus emails itself to addresses found in the Windows address book, the ICQ database and local files, and puts another of those harvested addresses in the From: header. Thus, when you receive W32/Klez.H, the apparent sender may not be infected. The SMTP envelope From: address (usually seen in the headers as Return-path:) will probably give a more accurate indication of the source, because it is recorded by the receiving mail server rather than written by the virus.

However, it may not need the user's assistance to spread: it uses a known vulnerability in Internet Explorer-based email clients (Outlook and Outlook Express render HTML mail with the IE engine) in order to execute automatically. The vulnerability is known as Automatic Execution of Embedded MIME Types, and all users of Microsoft email clients should make sure they have the relevant patch installed; see Microsoft Security Bulletin MS01-020.
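The two points above, the forged From: header and the attachment that the vulnerable client opens automatically, can both be checked on an incoming message. The script below is an added example written for this page, not Yui Kee's, MessageLabs' or any vendor's code. It parses a constructed Klez-style message (addresses, boundary and base64 payload are made up), compares the From: header with the Return-path: envelope sender, and flags attachments whose declared Content-Type is a type the client treats as harmless (audio/*, image/*, video/*) while the filename has an executable extension, which is the header mismatch the MS01-020 patch stops from being auto-executed. The Subject and HTML body are modelled on the "removal tool" lure described above but are constructed for the example.

```python
"""Header and attachment checks for a Klez-style mass-mailer message.

Added example, not code from the original page. The sample messages
below are constructed; every address, boundary and payload is made up.
"""
import os
import email
from email import policy
from email.utils import parseaddr

# Extensions Windows will run; the MS01-020 trick hides one of these
# behind a Content-Type that the mail client opens without asking.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
AUTO_OPENED_TYPE_PREFIXES = ("audio/", "image/", "video/")

# Constructed infected message: From: is a harvested address, the
# envelope sender in Return-Path: is the host that actually sent it.
INFECTED_MESSAGE = """\
Return-Path: <infected-host@example.net>
From: "A Friend" <friend@example.org>
To: you@example.com
Subject: W32.Klez.E removal tools
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="klez-example-boundary"

--klez-example-boundary
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><body>Run the attached tool to remove Klez.E.
<iframe src="cid:remover.exe" height=0 width=0></iframe></body></html>
--klez-example-boundary
Content-Type: audio/x-wav; name="remover.exe"
Content-Transfer-Encoding: base64
Content-ID: <remover.exe>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--klez-example-boundary--
"""

# Constructed clean message for contrast: envelope and header agree,
# no attachment.
CLEAN_MESSAGE = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: you@example.com
Subject: lunch?
Content-Type: text/plain; charset=us-ascii

Are you free at 12:30?
"""


def sender_check(msg):
    """Compare the header From: with the envelope sender in Return-Path:."""
    header_from = parseaddr(str(msg.get("From", "")))[1].lower()
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        # Only a mismatch when both are present; a missing Return-Path
        # means the message never passed through an MTA that records it.
        "mismatch": bool(envelope_from) and header_from != envelope_from,
    }


def disguised_executables(msg):
    """List (content_type, filename) for executable attachments labelled
    with a media type the vulnerable client would open automatically."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""  # Content-Disposition, then name=
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS and ctype.startswith(AUTO_OPENED_TYPE_PREFIXES):
            found.append((ctype, name))
    return found


def analyse(raw_message):
    """Run both checks over a raw RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = sender_check(msg)
    attachments = disguised_executables(msg)
    return {
        "sender": sender,
        "attachments": attachments,
        "suspicious": bool(attachments),  # the attachment is the decisive sign
        "forged_from_likely": sender["mismatch"] and bool(attachments),
    }


if __name__ == "__main__":
    for label, raw in (("infected", INFECTED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyse(raw))
```

The From/Return-path comparison on its own is only a hint, since mailing lists and forwarders legitimately produce the same mismatch and a mass-mailer can forge the envelope sender as easily as the header; it is the combination with a disguised executable part that identifies the virus, and the envelope address is then the one to report to the sending site.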

It is also capable of spreading across a LAN by copying itself to shared drives or folders. This can make it difficult to eradicate in large networks with few internal controls.

Some anti-virus products are able to detect the new variant because of its similarity with previous variants: Sophos Anti-Virus detects it with the 7 February definition file for W32/Klez.G, and McAfee detects it as W32/Klez.gen@mm with the 23 January definition file (4182 DATs).

MessageLabs first stopped W32/Klez.K-mm in an email from China on 15th April, but did not see another copy until 17th April. To date, they have seen the most copies from the UK, with Hong Kong in third place, only marginally behind the USA. Given the relative size of these places, this indicates a distressingly high prevalence in Hong Kong.

Allan Dyer, Chief Consultant of Yui Kee Computing, commented, "Outbreaks like this are becoming commoner and the ability of organisations to cope with them depends on good user education, preparation of their defences and incident response planning." A good starting point for user education is the Safe Hex Guidelines.


More Information