A variant of an already well-known Windows worm has resurfaced and is spreading rapidly through the Internet using the iFRAME vulnerability in Internet Explorer.
The worm, known as Klez.H, is a revamped version of the three-month-old Klez.E worm, which in turn traces back to a mass-mailing worm first spotted last year.
Symantec's Security Response site already lists the worm as the number one virus threat globally, displacing, at least for now, the Badtrans worm that appeared late last year.
Variants of the Klez worm are initially transmitted by e-mail under one of many random subject lines. Once installed, the worm is capable of spreading itself within local networks by copying itself to shared computer drives. The Klez worm also carries a variant of a second virus, known as ElKern, which it installs on infected computers.
The previous version of the Klez worm had a payload that was activated on the 13th day of even-numbered months, when it would destroy files on the infected computers. Symantec's Security Response team reported that the new incarnation of the worm doesn't destroy other files but instead replaces legitimate executable files with its own code, ensuring that it can be launched again. The original legitimate programs are copied to files with new random file extensions and properties that hide them from normal directory displays.
Kaspersky Lab reports that to gain entry to a computer, the worm exploits a vulnerability in the Internet Explorer security system. Using this vulnerability, the worm is able to infect the machine as soon as the e-mail is read, even if it is not opened but only viewed in the preview pane.
Most anti-virus vendors say their software can spot all versions of Klez, but the worm's ability to disable some anti-virus software can make it difficult to clean up once it is installed on a computer.

