The worm arrives in an email message with one of 120 possible subject lines. There are 18 different standard subject headings, including "let's be friends", "meeting notice", "some questions", and "honey". On top of those, seven other patterns exist, such as "a x game" and "a x patch", where x can be one of 16 different words, including "new", "WinXP", and the name of any of six major antivirus companies. In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on unpatched versions of Outlook. The malicious program will find any network storage available on the infected PC and copy itself to the remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension. The program will also cull email addresses by searching a host of different file types on the infected PC. Using its own mail program, the worm will send itself off to those email addresses. In addition, it will use the addresses to create a fake "From:" field in the email message, disguising the actual source of the email. Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files. Clues in the code
The worm also sports a message in its code from the author, who brags that it only took three weeks to create the malicious program. The author claims the virus originated in Asia and may have bugs because of how fast he created it. MessageLabs' own data points to China as the source of the first emails containing the worm. By 1900 GMT on Wednesday, major antivirus vendors had updated their virus definitions to recognise the newest Klez variant. However, in most cases, users will have to initiate an update to download the newest definitions and be protected.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
