The latest variant of the Klez worm sometimes chooses to hitch a ride
on sensitive documents, resulting in victims' confidential information
spreading with the malicious program, Russian antivirus firm Kaspersky
Labs said Friday.
Known as Klez.g, Klez.h and Klez.k, depending on the security advisory,
the newest incarnation has spread worldwide, sending itself in e-mail messages with infected documents attached.
Occasionally the documents contain sensitive material, said an advisory from Kaspersky Labs.
"Klez.h poses a special threat: The worm scans the disks of an infected
computer and, depending on a set of conditions, attaches a file to each
infected e-mail it distributes," stated the advisory.
Text, HTML (Hypertext Markup Language), Adobe Acrobat and Excel files are included in the types of
documents that the virus can forward, but other files that the worm could attach--such as JPEG and MPEG files--are less likely to contain important information.
Representatives of Kaspersky Labs were not available for comment.
This is not the first time a virus has leaked information, however. The SirCam worm, which is still
spreading among computers on the Internet, also attached itself to
documents and forwarded on the infected files to potential victims.
Security-software maker Symantec upgraded on Wednesday the latest
variant, which it labeled W32.Klez.h, to a threat level of three from a previous rating of two. The company categorizes threats on a scale of
one, the lowest threat, to five.
However, Vincent Weafer, senior director of Symantec's
Security Response team, on Friday said they haven't been able to reproduce the information-leaking function of the worm that Kaspersky Labs is claiming.
"It is nothing that we have seen in our lab," he said. "It definitely data mines files for e-mail addresses, but we haven't seen it attach files. We will keep doing some additional testing in this area."
E-mail security firm MessageLabs said the Klez.h worm had proliferated "dramatically" during the day Friday.
MessageLabs, based in the United Kingdom, first detected the new variant on
Monday from an Internet address in China. Most antivirus vendors, such as Symantec, McAfee and Sophos, have offered Klez.h patches since Wednesday.
MessageLabs said it stopped two copies of Klez variants on Monday. Since
Wednesday afternoon the number of copies rose sharply, gathering pace
on Friday. The firm said it stopped several thousand copies on Friday,
for a total of more than 46,000 copies by Friday afternoon--or nearly one in
every 77 e-mails. The United Kingdom topped its list with more than 5,000 copies
stopped, followed by Hong Kong and the United States.
The worm arrives in an e-mail message with one of 120 possible subject lines.
In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old
vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on un-patched versions of Outlook.
The program will also cull e-mail addresses by searching a host of
different file types on the infected PC. Using its own mail program, the
worm will send itself off to those e-mail addresses. In addition, it
will use the addresses to create a fake "From:" field in the e-mail
message, disguising the actual source of the e-mail.
The worm also attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.
Finally, the worm drops a second virus on the computer and spreads to other disk drives connected to the PC over an internal network.
Matthew Broersma of ZDNet UK contributed to this report.