1.15pm
LONDON - It's official. Klez is the most virulent e-mail virus of all time, infecting one in every 170 emails that have been scanned.
For close to a year, SirCam was the virus most likely to turn up in your email box. But representatives from a half-dozen antivirus firms now believe that "Klez.H" is the most pervasive e-mail virus in cyberhistory, estimating that it has infected hundreds of thousands of computers within hours of first being spotted in mid-April. And so far, Klez has shown no signs of going away.
Klez is a mass-mailing worm that searches Windows address books for e-mail addresses and sends messages to all recipients that it finds.
Klez uses a technique known as "spoofing." The worm exploits a vulnerability in Microsoft Outlook and Outlook Express and randomly selects an address that it finds on an infected computer. It then uses this address as the "FROM" address when it performs its mass-mailing routine.
More interesting than Klez's ability to entice vast numbers of users to open its infected e-mailed attachments is how the virus -- which is neither particularly clever nor cutting edge -- managed to turn some antiviral applications into spam-generating machines.
In many cases, network antiviral (AV) software filters are set to automatically respond to any incoming virus-infected messages with an e-mailed warning to the sender that a virus was detected in the received e-mail.
Klez's trick of spoofing senders' addresses resulted in floods of those warnings going out to the wrong people: people who did not send the virus and whose machines are not infected.
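The notification behaviour described above, next to a more cautious policy, as an added example that is not from the article or any antivirus product. The `SPOOFING_FAMILIES` set, the `ADMIN` mailbox, the `Example.A` detection name in the test and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: families the scanner's vendor marks as forging the sender address.
SPOOFING_FAMILIES = {"klez"}
ADMIN = "postmaster@example.org"  # hypothetical local administrator mailbox

def header_sender(raw):
    """Address in the From header, which the sending program fully controls."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()

def naive_targets(raw, detection):
    """Behaviour the article describes: warn whoever appears in From."""
    return [header_sender(raw)] if detection else []

def safer_targets(raw, detection, envelope_from, recipient):
    """Warn only local parties unless the sender address looks trustworthy."""
    if not detection:
        return []
    targets = [recipient, ADMIN]
    family = detection.split(".")[0].lower()
    sender = header_sender(raw)
    # Reply to the sender only if the family is not known to forge addresses
    # and the From header agrees with the SMTP envelope sender.
    if family not in SPOOFING_FAMILIES and sender and sender == envelope_from.lower():
        targets.append(sender)
    return targets

# Constructed sample: From names a bystander whose address was found on
# the infected machine.
SAMPLE = (
    "From: Bystander <bystander@example.net>\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(naive_targets(SAMPLE, "Klez.H"))
    print(safer_targets(SAMPLE, "Klez.H", "other@example.com", "user@example.org"))
```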
Rob Rosenberger of virus-information site Vmyths said that Klez simply points out a problem that he has been ranting about for years. "Warnings about viruses always equal the havoc created by the virus itself," Rosenberger said. "There's the flood of well-intentioned alerts from people, and then there's the automated alerts from antiviral applications. These alerts clog networks and inboxes in the exact same manner as most viruses do. I've yet to see any proof that alerts actually help solve the problem."
Some users were frustrated to discover that despite receiving alerts from trusted AV firms, their machines didn't actually harbour the Klez virus.
"I've spent several days trying to figure out how to rid my computer of Klez, after receiving several emails from Norton Antivirus applications warning me that Klez had been detected in emails that I had supposedly sent," New York graphics artist Sid Rubin said. "I can't believe I wasted all this time over nothing."
Klez.H 'spoofing worm' infects one in 170 emails