Where From Art Thou, Klez?

Spoofing more than just annoying

While any virus can be problematic, either deliberately or unintentionally, the latest Klez variants use a variety of insidious tactics designed to give even the most patient a massive headache.
Klez not only has a penchant for lifting legitimate user files from the system and sending them out with the infected mail, thereby potentially compromising sensitive data; it can also spoof the From address on the email, making it appear the virus is being sent from a completely innocent and uninfected person. One reader reports having received 9 different Klez emails in a single night, all with different From addresses. Only a careful examination of the email headers revealed the sender's true identity.

Others report receiving bounced messages from various ISPs, informing them that a message they sent was rejected because it carried the Klez virus. The problem, of course, is that these individuals never sent the message, nor did it originate from their machine. The virus had simply found their email address on the infected user's machine and inserted it in the From field.

Paul Schmehl, Supervisor of Support Services at the University of Texas at Dallas, finds the Klez spoofing has created a support burden they don't normally encounter. Paul notes, "Because the Klez virus forges the From: address, it has created quite a stir on our campus. We don't normally see many infections here, so our users aren't accustomed to receiving the automatic notifications that come with a virus infection. Now they're calling our Help Desk and deluging me with email wanting to know how they got infected. It seems the cure is almost worse than the disease."

The volume of email spawned by a Klez infection is also dramatic. Vincent Weafer, senior director of Symantec Corp.'s security response center, cautions that the Klez worm "will send itself a few at a time and it will send itself again after rebooting the machine, in other words, every time the worm is executed it will e-mail itself." Thus, not only are innocent persons being accused of spreading the worm, chances are they will be victimized by this spoofing over and over again.
This also poses a dilemma for folks who try to email those from whom they've received a virus. Typically, it's a simple matter of clicking reply and typing in a brief note letting the person know they are infected and providing links for assistance. With Klez, hitting reply won't work, because the sender may not be the one in the From field. Instead, view the source of the message and double-check the sender in the header itself. For example, in Outlook Express, source and headers can be viewed by right-clicking the message, choosing Properties, and then clicking the Details tab.

Other tricks up Klez's sleeve, besides confidentiality breaches and spoofing, include masquerading as a fix for a previous Klez variant, exploiting a vulnerability that allows the attachment to be automatically executed when the email is read, and using a double extension ruse to fool users into thinking the attachment is a benign file type.

The Klez Help Center provides further information on Klez, including how to protect against it and where to get free removal tools.
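
The header check described above can also be scripted. The following is an added example, not part of the original article: it parses a message source and compares the visible From address with the Return-Path and the earliest Received hop. The sample message, its addresses and IPs are constructed, and treating the Return-Path and Received lines as closer to the real sending machine than From is an assumption of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message source (not from the article); all names,
# addresses and IPs are documentation placeholders.
SAMPLE = """\
Return-Path: <infected.user@example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.recipient.example with ESMTP id A1; Tue, 30 Apr 2002 02:14:07 -0500
Received: from Xqzt (dialup-77.example.net [198.51.100.77])
\tby mx.example.org with SMTP id B2; Tue, 30 Apr 2002 02:14:01 -0500
From: Innocent Person <innocent@example.com>
To: reader@recipient.example
Subject: A special new game

body
"""

def origin_hop(msg):
    """Return (announced_name, ip) from the earliest Received header, or None.

    Each relay prepends its own Received line, so the last one in the source
    is the first hop. Only lines stamped by servers you trust are reliable;
    anything below them could have been written by the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]", received[-1], re.S)
    return (m.group(1), m.group(2)) if m else None

def check_sender(raw):
    """Summarise who the message claims to be from versus how it arrived."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return {
        "from": from_addr,                 # what the mail client displays
        "return_path": return_path,        # envelope sender recorded on delivery
        "origin": origin_hop(msg),         # first machine seen handing it over
        "from_mismatch": bool(return_path) and return_path != from_addr,
    }

if __name__ == "__main__":
    for key, value in check_sender(SAMPLE).items():
        print(f"{key}: {value}")
```

A mismatch is a reason to look at the Received chain before replying or notifying anyone, not proof of infection on its own, since mailing lists and forwarding services also produce differing From and Return-Path values.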
©2008 About, Inc., A part of The New York Times Company. All rights reserved.


