A tale of two Klezes

It's D-Day for the pesky virus. Yet as one variant of Klez rapidly disappears, another keeps on going strong. Have you been hit?

Robert Lemos Staff Writer, CNET News.com

Two variants of the mass-mailing Klez virus are rocketing toward completely different fates as of Friday.

The Klez.H variant continues to have a strong presence on the Internet, while Klez.E--which launched a file-deleting attack Friday--has quickly died off, seemingly because its malicious activity has alerted PC users to its presence.

On Friday, e-mail service provider MessageLabs said it had intercepted about 16,000 e-mail messages carrying the Klez.H virus in a 24-hour period, while Klez.E-laden e-mail had fallen by more than 50 percent from the day before to a measly 160 messages.

From the decreasing numbers, it seems that "people are cleaning their computers and getting (Klez.E) off," said Angela Hauge, technical director for MessageLabs.

On average, MessageLabs intercepted 500 e-mail messages infected with Klez.E per day in the month of August. After its latest trigger date, however, the mass-mailing virus may have essentially killed itself off. The virus is programmed to launch attacks on the 6th of March, May, September and November, destroying 14 different file types on infected systems, including Word documents and HTML files.

Hauge had little hope that the Klez.H variant would similarly die out anytime soon, as it doesn't carry a malicious payload that could tip off PC users to its presence on their systems.

Klez.H doesn't overwrite files, but it may randomly choose a document from a victimized computer and attach it to the e-mails it sends out to spread itself. In addition, Klez.H spoofs the sender's address to make it look like a random person from the infected PC's address book is actually sending the virus-laden mail. This makes it harder to pinpoint an infected system and can lead to a muddle when people without the pest are told they have it.

MessageLabs has seen almost 2.7 million e-mail messages carrying Klez.H since the virus was first detected on the Internet on April 15 of this year.

Security software firm Symantec confirmed that Klez.H remained steady, with 8,000 submissions of the virus this week from customers whose antivirus software had captured the digital critter trying to get onto a PC. Klez.E, meanwhile, had fallen to 5 percent of that, or 400 submissions for the week.

Vincent Weafer, director of Symantec's security response group, said no customers had reported file corruption by Klez.E on Friday.