Worm set for file-eating binge
Security experts warn of possible widespread damage to PC files when the destructive Klez.e worm activates Wednesday.
The new variant on the Klez worm went into circulation last month and quickly became one of the fastest-spreading worms on the Internet.
To date, the worm has done little more than propagate itself by sending out infected e-mail messages. That will change with the date on Wednesday, however, as the worm activates its destructive payload and destroys numerous types of files on infected PCs, said Steven Sundermeier, product manager for antivirus-software maker Central Command.
The worm attacks common file types for text documents, spreadsheets, graphics and other files on infected PCs.
"It will overwrite those files with garbage data," Sundermeier said, a method that makes it difficult to recover lost information. "It pretty much destroys the files."
The worm is set to deliver its payload on the sixth day of odd-numbered months, making this the first time the worm will show its destructive power. On the sixth day of January and July, the worm gets even nastier and deletes all files on infected PCs.
Security experts are casting Klez.e as a serious threat because it has spread so widely over the past month. E-mail screening firm Message Labs ranked the worm as the third most active bug in February, intercepting it from more than 21,000 infected messages.
Central Command had it ranked No. 1, responsible for more than a third of all infected e-mails encountered in the past two weeks.
The initially benign nature of the worm may also mean that many of those with infected PCs aren't aware it's there.
"All it does at first is go ahead and collect e-mail addresses (from the infected PC) and send unsolicited e-mail messages with the worm," Sundermeier said. "So unless someone notifies the user they got one of those messages, it will lie dormant."
Klez.e arrives in an e-mail message with a subject line generated from a list of more than 20 keywords. The body of the message is either empty or filled with random text.
The worm attempts to activate itself automatically by exploiting a flaw in Microsoft's Outlook e-mail program. A patch for the vulnerability is available from Microsoft.
Once activated, the worm creates a file in the Windows directory of the infected PC with a name that begins with "wink" followed by a string of random characters and ending in the extension ".exe."
PC users can do a search for the "wink" file, run up-to-date antivirus software, or use a free detection and removal tool from software maker Kaspersky Labs.