First published: 18th April 2002
The latest mass-mailing computer virus sometimes tries to trick users into launching it by saying it is a cure for an earlier variant of the same virus. The virus, variously called W32/Klez.H or W32/Klez.K by anti-virus developers, emails itself to addresses found in the Windows address book, the ICQ database, and local files.
However, it may not need the users' assistance to spread: it uses a known vulnerability in Internet Explorer-based email clients in order to execute automatically. The vulnerability is known as Automatic Execution of Embedded MIME type, and all users of Microsoft email clients should make sure they have the relevant patch installed; see the Microsoft Security Bulletin MS01-20.
It is also capable of spreading across a LAN by copying itself to shared drives or folders. This can make it difficult to eradicate in large networks with few internal controls.
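As an added example (not code from the article or from any vendor named in it), here is a defender-side mail filter check for the condition through which the Automatic Execution of Embedded MIME type flaw mentioned above is triggered. The pattern it looks for, a MIME part declared as a media type the vulnerable client treats as safe (such as audio/x-wav) that actually carries an executable attachment, is an assumption about that flaw and not something the article states; the sample message is constructed.

```python
# Added example, not from the original article. Flags MIME parts whose declared
# media type is one a vulnerable Internet Explorer-based mail client would auto-
# execute as "safe" while the attachment name is executable. The list of media
# types and extensions is an assumption for illustration, not from the article.
import email
from email import policy
from typing import Dict, List

SAFE_LOOKING_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg"}
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".bat", ".com")


def suspicious_parts(raw_message: bytes) -> List[Dict[str, str]]:
    """Return one finding per MIME part whose declared content type looks
    harmless but whose filename (Content-Disposition or Content-Type name)
    ends in an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()          # normalised to lowercase
        name = (part.get_filename() or "").lower()
        if ctype in SAFE_LOOKING_TYPES and name.endswith(EXECUTABLE_EXTS):
            findings.append({"content_type": ctype, "filename": name})
    return findings


# Constructed sample message for the check above; not a real worm capture.
SAMPLE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/html; charset=us-ascii

<html><body>See attachment.</body></html>
--XYZ
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-ID: <attach>

QUJDREVG
--XYZ--
"""

if __name__ == "__main__":
    for finding in suspicious_parts(SAMPLE):
        print("quarantine:", finding)
```

A mail gateway would quarantine or strip the flagged part; a clean text/plain message produces no findings.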
Some anti-virus products are able to detect the new variant because of its similarity with previous variants: Sophos Anti-Virus detects it with their 7 February definition file for W32/Klez.G, and McAfee detects it as W32/Klez.gen@mm with their 23 January definition file (4182 DATs).
MessageLabs first stopped W32/Klez.K-mm in an email from China on 15th April. The top three places they have seen it from are Taiwan, Hong Kong and Denmark.
The discrepancies in names between different anti-virus developers are not uncommon when the need to release urgent alert information outstrips the co-ordination between research teams. A consensus will probably be reached later.
Allan Dyer, Chief Consultant of Yui Kee Computing, commented, "Outbreaks like this are becoming commoner and the ability of organisations to cope with them depends on good user education, preparation of their defences and incident response planning." A good starting point for user education is the Safe Hex Guidelines.