
Klez attack may wipe out attacker

A minor variant of the virus is set to go into action Friday, erasing a host of files on infected hard drives. But the maneuver may backfire.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
A minor variant of the Klez virus is set to go into action Friday, erasing a host of files on infected hard drives. But the attack may also wipe out the attacker.

The 8-month-old mass-mailing computer virus called Klez.E triggers its payload on the sixth day of March, May, September and November, erasing 14 different types of files, including Word documents and HTML files.

But the variant has all but disappeared from the Internet, said Vincent Gullotto, director of the antivirus emergency response team at security company Network Associates, and the year's two remaining payloads should call attention to the few computers still infected with Klez.E, allowing the pest to be exterminated.

The Klez.E variant runs a distant second to its far more prevalent Klez.H cousin, making up only 3 percent of the junk e-mail associated with the Klez virus. Klez.H accounts for the other 97 percent.

Data from e-mail services provider MessageLabs shows that in August, the company intercepted 580,000 e-mails carrying the prolific Klez.H variant but only 16,000 carrying Klez.E. As of Thursday, the minor Klez variant had appeared in only 338 infected e-mails in the previous 24 hours.

Klez.E arrives in e-mail and uses an old flaw in Microsoft Internet Explorer to execute automatically. On infected PCs, the computer virus activates a malicious payload and overwrites any file accessible to it--both local and on the network--of the following types: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak and .mp3.

Klez.H doesn't overwrite files, but it may randomly choose a document from a victimized computer and attach it to the e-mails it sends out to spread itself. In addition, Klez.H spoofs the sender's address to make it look like a random person from the infected PC's address book is actually sending the virus-laden mail. This makes it harder to pinpoint an infected system and can lead to a muddle when people without the pest are told they have it.