
Klez virus passes confidential info

An antivirus company reports that some victims have found that the latest Klez variant sometimes chooses to hitch a ride on sensitive documents.

Robert Lemos, Staff Writer, CNET News.com (covers viruses, worms and other security threats)
The latest variant of the Klez worm sometimes hitches a ride on sensitive documents, so that victims' confidential information spreads along with the malicious program, Russian antivirus firm Kaspersky Labs said Friday.

Known as Klez.g, Klez.h or Klez.k, depending on which vendor's advisory one reads, the newest incarnation has spread worldwide, sending itself in e-mail messages with infected documents attached.

Occasionally the documents contain sensitive material, said an advisory from Kaspersky Labs.

"Klez.h poses a special threat: The worm scans the disks of an infected computer and, depending on a set of conditions, attaches a file to each infected e-mail it distributes," stated the advisory.

Text, HTML (Hypertext Markup Language), Adobe Acrobat and Excel files are among the document types the worm can forward. Other files it may attach, such as JPEG and MPEG files, are less likely to contain important information.

Representatives of Kaspersky Labs were not available for comment.

This is not the first time a virus has leaked information. The SirCam worm, which is still spreading among computers on the Internet, also picked up documents from infected machines, attached itself to them and forwarded the infected files to potential victims.

Security-software maker Symantec on Wednesday raised the latest variant, which it labels W32.Klez.h, to a threat level of three from a previous rating of two. The company rates threats on a scale of one, the lowest, to five.

However, Vincent Weafer, senior director of Symantec's Security Response team, said Friday that his team has not been able to reproduce the information-leaking behavior that Kaspersky Labs describes.

"It is nothing that we have seen in our lab," he said. "It definitely data mines files for e-mail addresses, but we haven't seen it attach files. We will keep doing some additional testing in this area."

E-mail security firm MessageLabs said the Klez.h worm had proliferated "dramatically" during the day Friday.

MessageLabs, based in the United Kingdom, first detected the new variant on Monday, arriving from an Internet address in China. Most antivirus vendors, including Symantec, McAfee and Sophos, have offered detection updates for Klez.h since Wednesday.

MessageLabs said it stopped two copies of the Klez variant on Monday. Since Wednesday afternoon the number of copies has risen sharply, gathering pace on Friday. The firm said it stopped several thousand copies on Friday, for a total of more than 46,000 copies by Friday afternoon, or nearly one in every 77 e-mails it scanned. The United Kingdom topped its list with more than 5,000 copies stopped, followed by Hong Kong and the United States.

The worm arrives in an e-mail message with one of 120 possible subject lines.

In many circumstances, the worm does not need the victim to open the attachment in order to run. Instead, it takes advantage of a 12-month-old vulnerability known as the Automatic Execution of Embedded MIME Type bug (Microsoft bulletin MS01-020): the attachment is declared with a harmless MIME type such as audio, so an unpatched copy of Outlook or Outlook Express renders it inline and executes it when the message is merely previewed. Because those clients share Internet Explorer's MIME handling, the fix shipped as an Internet Explorer patch rather than an Outlook one.

The program also culls e-mail addresses by searching a host of different file types on the infected PC. Using its own mail engine, the worm sends itself to those addresses. It also uses the harvested addresses to fill in a fake "From:" field, so the message appears to come from some third party rather than from the infected machine, and the person named in "From:" is typically not the one who is infected.
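The two tricks described in the preceding paragraphs, the MIME-type mismatch that the auto-execution bug depends on and the spoofed "From:" line, are both visible in the raw message, and an analyst or mail administrator can check for them without running anything. The script below is an added example written for this article; it is not code from CNET, Kaspersky Labs, Symantec or MessageLabs. The sample message is constructed (invented hostnames, RFC 5737 test addresses and a stub base64 payload that merely begins with the PE "MZ" signature), the list of "executable" suffixes and "rendered inline" MIME types is an assumption for illustration, and the checks are triage signals rather than proof of infection.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample in the shape the article describes: an executable
# attachment declared as audio, and a From: address that belongs to a
# harvested third party rather than the machine that actually sent it.
# All hosts, addresses and the payload are invented for this example.
SAMPLE_MESSAGE = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.net with ESMTP id h3J9xyz; Fri, 19 Apr 2002 10:00:00 +0000
Received: from victim-pc ([198.51.100.23])
 by mail.example.org with SMTP id h3J9abc; Fri, 19 Apr 2002 09:59:58 +0000
From: alice@example.com
To: bob@example.net
Subject: a very funny website
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html

<html><body>look at this</body></html>
--BOUND
Content-Type: audio/x-wav; name="funny.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="funny.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--BOUND--
"""

# Assumption: types an old mail client would happily render inline, and
# suffixes Windows treats as executable. Extend to taste.
RENDERED_INLINE = ("audio/", "image/", "video/", "text/")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 822 bytes with the modern (policy.default) parser."""
    return message_from_bytes(raw, policy=policy.default)


def suspicious_attachments(msg: EmailMessage) -> list[dict]:
    """Report leaf parts whose declared Content-Type disagrees with their
    content: an executable filename or a PE 'MZ' header under a type the
    client would treat as media or text. That mismatch is what the
    auto-execution bug needs."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if declared.startswith(RENDERED_INLINE):
            if name.endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable filename under " + declared)
            if payload[:2] == b"MZ":
                reasons.append("PE header under " + declared)
        if reasons:
            findings.append({"filename": name, "declared": declared, "reasons": reasons})
    return findings


def received_hops(msg: EmailMessage) -> list[str]:
    """Return the 'from' host of each Received: header, newest hop first,
    which is the order relays prepend them in. The oldest hop is written
    by the sender's own relay and is therefore the least trustworthy."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())
        m = re.match(r"from\s+(\S+)", flat, re.IGNORECASE)
        hops.append(m.group(1) if m else "?")
    return hops


def from_domain_seen_in_path(msg: EmailMessage) -> bool:
    """True if the From: domain shows up anywhere in the Received chain.
    False does not prove spoofing (legitimate mail sent through a
    third-party relay also fails), but it is enough to stop blaming the
    person named in From: for the infection."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return False
    path = " ".join(str(v) for v in msg.get_all("Received", [])).lower()
    tokens = re.findall(r"[\w.-]+", path)
    return any(tok == domain or tok.endswith("." + domain) for tok in tokens)


def triage(raw: bytes) -> dict:
    """Summarise the checks for one message."""
    msg = parse_message(raw)
    hops = received_hops(msg)
    return {
        "from": parseaddr(str(msg.get("From", "")))[1],
        "origin_hop": hops[-1] if hops else None,
        "from_in_path": from_domain_seen_in_path(msg),
        "attachments": suspicious_attachments(msg),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MESSAGE), indent=2))
```

For the constructed sample the report names `victim-pc` as the originating hop, flags `funny.exe` as an executable hiding under `audio/x-wav`, and notes that `example.com` never appears in the delivery path. Only the Received: lines added by your own mail servers can be trusted; the oldest one can be forged by the sender just as easily as "From:".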

The worm also attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.

Finally, the worm drops a second virus on the computer and spreads to other disk drives connected to the PC over an internal network.

Matthew Broersma of ZDNet UK contributed to this report.