Survey: Klez worm tops SirCam, Nimda

The latest fast-spreading versions of the worm have so far infected more than 7 percent of PCs worldwide, surpassing totals chalked up by previous threats such as SirCam and Nimda.

David Becker Staff Writer, CNET News.com
David Becker
covers games and gadgets.
David Becker
2 min read
The latest fast-spreading versions of the Klez worm have so far infected more than 7 percent of PCs worldwide, surpassing totals chalked up by previous threats such as SirCam and Nimda, according to a new survey by an antivirus company.

Panda Software scanned more than 2,000 PCs around the world and found that 7.2 percent had the H or I versions of the Klez worm, said Patrick Hinojosa, chief technical officer for the Glendale, Calif.-based company.

Considering that the H and I versions of Klez have been in the wild for only a few weeks, that's an alarmingly fast spread, said Hinojosa.

"I was pretty surprised at the percentage," he said. "This thing started slowly, but it's proliferating at a tremendous rate now."

The Klez.h worm began spreading about two weeks ago and quickly became the top pest on the Internet. As of midday Monday, e-mail screening company MessageLabs had intercepted 16,700 copies of Klez.h in the past 24 hours, making it by far the busiest bug.

The Klez.i worm is a slight variation on Klez.h that also infects PCs with the Elkern.d virus, which antivirus company Trend Micro ranked as the most active virus Monday.

While neither of the Klez worms is particularly destructive, they pose a security threat by sharing files plucked from infected PCs as they spread.

Steve Trilling, director of antivirus software maker Symantec's security response team, said the Klez worm's use of its own e-mail engine and its unpredictable variation of e-mail subject lines helped the virus spread.

"Whenever we see these threats, it's always a combination of technical and human factors that they feed on," Trilling said. "The human factor is: Does it start inside a company that doesn't have good antivirus protection in place, so it can grab a number of e-mail addresses at the start?"

Hinojosa said Klez.h has also been effective in spreading confusion because it "spoofs" e-mail addresses as it propagates, making it look like an infected message came from a familiar address--one randomly grabbed from an Outlook address book. An infected message can look like it came from a legitimate source, and replies can accuse unaffected PCs of being infected.

"Just watching our traffic here, I've seen several messages supposedly from our tech support that were generated by Klez," Hinojosa said. "I think that contributed to people opening a lot of e-mails that they wouldn't otherwise open, because it looks like it's from somebody legitimate."

Recommendations include running updated antivirus software, making sure the proper security patches are installed for Microsoft Outlook and running a standalone virus checker, such as Symantec's downloadable Klez removal tool.