A month after it started spreading, the Klez.h worm isn't slowing down, said antivirus experts on Friday. Moreover, the worm's technique of forging the address of the sender on each infected e-mail message is creating a flood of warnings from gateway antivirus software informing the wrong people that they are infected.
"A lot of traffic is being multiplied by the response mechanisms and refusal mechanisms," said Fred Cohen, security practitioner in residence at the University of New Haven.
In many cases, antivirus software protecting a company's e-mail gateways is sending out a response to each infected e-mail inadvertently sent out by a victim--but because the sender address is forged, that warning is going to the wrong person. "So, in effect, you're getting twice the fun you would normally get," Cohen said.
Apart from magnifying the amount of spam produced by the virus, the incorrect identification of those who are infected is also hindering efforts to fight the spread of the worm, said Cohen.
Faked addresses
The Klez.h variant, which appeared in mid-April, infects PCs whose users open the attachment to an infected e-mail. Confusing matters, the e-mail will have a random "from" address, selected from various sources on the original victim's hard drive. And it pairs this bogus sender's address with one of more than 120 different subject lines.
When a user opens the attachment, the virus starts up its own e-mail engine and mass mails itself to e-mail addresses found in various files on the PC, using a source address culled from those addresses. Klez.h can also send out a random file from the PC as an attachment, along with the e-mail that carries the worm, potentially passing confidential information.
In some instances, the worm also drops one of several other viruses, including the destructive CIH, and tries to remove any active antivirus software from the system.
Overall, the Klez.h variant has been extremely successful.
"The spread has been really steady," said John Harrington, director of U.S. marketing for e-mail service provider MessageLabs. "We've seen 20,000 again today (Friday), and there's no indication that this is dying down."
While the worm has not spread as quickly as, say, the LoveLetter virus--of which MessageLabs received one copy for every 23 legitimate e-mails during the virus' peak in May 2000--it does make up one out of nearly every 170 e-mails, Harrington said.
In fact, the steady spread--rather than a firestorm of e-mails--may actually be part of the reason for the worm's success, said Harrington. The Klez.h variant did manage to top the charts of computer viruses in April.
"It kind of cruises below the radar screen," Harrington said. "Everyone had heard of LoveLetter. But if you go into a computer shop and ask people if they've heard of Klez, they'll shake their heads."
Hard to track
The Klez variant's ability to spoof the source of infected e-mail makes it nearly impossible to track down the infected users who sent the virus.
"The whole spoofing thing adds a dimension to it that is a little different," said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team. "It's definitely possible that the false addresses are slowing response."
Network Associates still receives more than 50 reports a day of the worm from customers, and some corporate clients are seeing more than 20,000 messages carrying the virus at their e-mail gateways.
The response to Klez--that uninfected users are being told they sent a virus--shows the holes in the system, added Gullotto.
In addition, some out-of-the-office auto-reply mechanisms may be going haywire as a result of an infected user sending an e-mail with a random source and receiver who are both away.
"I am sure there are some auto-reply wars that have been going on," Gullotto said. "There has been a lot of mail that is going around that is caused by this."
Until system administrators disable antivirus notification on the e-mail gateway servers, the confusion will only continue.
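The following Python model is an added illustration, not code from the article or from any of the vendors quoted in it. It ties together the worm behaviour described under "Faked addresses" (mass mailing with a From: forged from harvested addresses) and the gateway-notification and auto-reply problems described above, by pushing one mass-mailing burst through gateways running three notification policies and counting where the traffic goes. The victim address, the harvested address book, the set of "away" mailboxes, the policy names, the hop cap and all function names are constructed for this example; Klez picks its forged sender at random, while the model rotates through the list so the run is reproducible.

```python
from dataclasses import dataclass

# Constructed sample data (an assumption for this example, not from the article):
# one infected PC and the addresses the worm harvests from files on its disk.
VICTIM = "alice@example.com"
HARVESTED = ["bob@example.net", "carol@example.org",
             "dave@example.edu", "erin@example.co.uk"]
# Mailboxes with a naive out-of-office responder switched on (constructed).
AWAY = {"bob@example.net", "erin@example.co.uk"}


@dataclass
class Message:
    header_from: str   # From: as the receiving side sees it (forged on worm mail)
    rcpt_to: str
    kind: str          # "worm", "warning" or "autoreply"

    @property
    def infected(self):
        return self.kind == "worm"


def worm_mass_mail(harvested):
    """Model the worm's own SMTP engine: one copy to every harvested address,
    with From: forged from the same list, so the real source (the victim)
    appears on none of them. The forged address is rotated, not random,
    to keep the run reproducible."""
    n = len(harvested)
    return [Message(header_from=harvested[(i + 1) % n], rcpt_to=rcpt, kind="worm")
            for i, rcpt in enumerate(harvested)]


def gateway_scan(msg, policy):
    """Gateway antivirus at the recipient's site. Returns (delivered, generated).
    Policy names are labels invented for this example:
      "no_scanning"         - pass everything through
      "notify_sender"       - block the worm and mail a warning to From:
      "quarantine_silently" - block the worm and send nothing outbound
    """
    if not msg.infected or policy == "no_scanning":
        return [msg], []
    if policy == "notify_sender":
        postmaster = "postmaster@" + msg.rcpt_to.split("@", 1)[1]
        return [], [Message(header_from=postmaster, rcpt_to=msg.header_from,
                            kind="warning")]
    if policy == "quarantine_silently":
        return [], []
    raise ValueError(f"unknown policy: {policy}")


def autoreply_chain(msg, away, max_hops):
    """Model naive out-of-office responders that answer every message,
    other auto-replies included. Returns the replies generated; when both
    ends of a message are away, the exchange only stops at max_hops."""
    replies, current = [], msg
    for _ in range(max_hops):
        if current.rcpt_to not in away:
            break
        current = Message(header_from=current.rcpt_to,
                          rcpt_to=current.header_from, kind="autoreply")
        replies.append(current)
    return replies


def simulate(policy, max_hops=3):
    """Push one mass-mailing burst through gateways running `policy` and
    count the traffic it causes and where the warnings actually land."""
    worm_msgs = worm_mass_mail(HARVESTED)
    warnings, autoreplies = [], []
    for m in worm_msgs:
        delivered, generated = gateway_scan(m, policy)
        warnings.extend(generated)
        for d in delivered + generated:
            autoreplies.extend(autoreply_chain(d, AWAY, max_hops))
    return {
        "worm_messages": len(worm_msgs),
        "warnings": len(warnings),
        "warnings_to_real_source": sum(w.rcpt_to == VICTIM for w in warnings),
        "warnings_misdirected": sum(w.rcpt_to != VICTIM for w in warnings),
        "autoreplies": len(autoreplies),
        "total_traffic": len(worm_msgs) + len(warnings) + len(autoreplies),
    }


if __name__ == "__main__":
    for policy in ("no_scanning", "notify_sender", "quarantine_silently"):
        print(f"{policy:20s} {simulate(policy)}")
```

Run as a script, the "notify_sender" row reproduces the point made above: every worm message produces one warning, none of the warnings reaches the infected PC, and gateway traffic doubles before any auto-responders join in. The "no_scanning" row shows the auto-reply war, where a forged sender and a recipient who are both away exchange replies until the hop cap. The "quarantine_silently" row is the fix recommended in the article: once the gateway stops mailing anything to the From: address, the extra traffic disappears.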

