KLEZ IS THE NO.1 VIRUS - but it's just an annoying pest

Although KLEZ (or more accurately W32.Klez.A@mm) is more of a nuisance than a serious
threat to the data on your computer, it has become the most prolific of
all viruses and for this reason has caused a certain amount of panic.
Also, the way in which it operates can give people the impression that
the virus exists on their computer when it doesn't.
Dangerous or not, this virus is not going to go away in a hurry, so it
may be a good idea for you to read the information below.

As with all viruses, the best place to start looking for information is the
Symantec website:
http://securityresponse.symantec.com/avcenter

If you get a Virus Warning from a friend or colleague, remember that most
are hoaxes. Check whether or not it is a hoax at:
http://securityresponse.symantec.com/avcenter/hoax.html

W32.Klez.A@mm is a mass-mailing email worm which exploits a vulnerability
in Windows versions of Microsoft Outlook and Outlook Express. It is a
Windows-specific worm/virus and cannot infect a Macintosh.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.a@mm.html

NOTE: If someone with a PC is infected with Klez and has your email address
on their computer, Klez can grab your email address and use it as the
sender when it emails the virus to the rest of the collected addresses.
This is called spoofing, and makes it appear as if you have the virus
when you really do not.

Symantec Security Response encourages all users and administrators to
adhere to the basic security "best practices" listed at the end of this page.

Two recent articles by Michelle Delio at Wired.com explain the Klez virus
in more detail:

It's official. Klez is the most virulent e-mail virus of all time.
For close to a year, SirCam was the virus most likely to turn up in your
e-mail box. But representatives from a half-dozen antivirus firms now
believe that "Klez.H" is the most pervasive e-mail virus in
cyberhistory, estimating that it has infected hundreds of thousands of
computers within hours of first being spotted in mid-April.
And so far, Klez has shown no signs of going away.
More interesting than Klez's ability to entice vast numbers of users to
open its infected e-mailed attachments is how the virus -- which is neither
particularly clever nor cutting edge -- managed to turn some antiviral
applications into spam-generating machines.
In many cases, network antiviral (AV) software filters are set to automatically
respond to any incoming virus-infected messages with an e-mailed warning
to the sender that a virus was detected in the received e-mail.
Klez's trick of spoofing senders' addresses resulted in floods of those
warnings going out to the wrong people: people who did not send the virus
and whose machines are not infected.
Many antiviral experts have been calling for all AV companies to advise
their users to temporarily disable the auto-alert systems.
Other well-known viruses like Love Letter proliferated at a faster rate
than Klez when they were first released; on April 5, 2000, one in every
24 e-mails scanned by Messagelabs contained a copy of the Love Bug virus,
whereas only one in every 170 or so scanned e-mails now contains Klez.
But unlike the Love Bug, which peaked and faded within 48 hours of its
initial release, Klez has continued to spread steadily and swiftly since
it was first spotted in mid-April.
Klez employs a number of random actions that make it hard for many computer
users to identify the virus when it arrives in their inboxes. The virus
arrives in e-mails with varying subject lines, or sometimes appears to
be a bounced e-mail or a tool that can purge Klez from an infected system.
None of these features is at all new in the virus world. Klez's creator
simply managed to cobble together a successful combination of techniques
used by other viruses that also appear on the all-time most prevalent
pest charts.
Read the rest of this article here:
http://www.wired.com/news/technology/0,1282,52765,00.html

Klez: Don't Believe 'From' Line
Some Internet users have recently received an e-mail message from a dead
friend. Others have been subscribed to obscure mailing lists. Some have
lost their Internet access after being accused of spamming, and still
others have received e-mailed pornography from a priest.
They're actually experiencing some of the stranger side effects of the
Klez computer virus.
These ersatz e-mails containing the virus are creating Klez-provoked arguments
and accusations that are now spreading as fast as the worm itself.
The latest variant of the Klez virus started spreading 10 days ago. The
virus e-mails itself from infected machines using a bogus "From"
address randomly plucked from all e-mail addresses stored on an infected
computer's hard drive or network.
Recipients of the virus-laden e-mails, not understanding that the "From"
information is virtually always phony -- or even that they have received
a virus -- have been clogging networks with angry and confused e-mails
that are causing a great deal of cyber-havoc. People signing up for newsletters
and mailing lists that they never subscribed to has been a major source
of frustration for both users and the list owners. If Klez happens to
send an e-mail "from" a user to an e-mail list's automatic subscribe
address, the list software assumes the e-mail is a valid subscription
request and begins sending mail to the user.
A mailing list for fans of the Grammy Award-winning Steely Dan band has
posted an explanation directed to those who were subscribed to the list
by the virus.
"We are not infected with the Klez virus. We don't know if you are
infected with the Klez virus. You may be. But even if you are not, someone
out there who is infected has both your address and our address on their
computer ... and therein lies the problem," the explanation reads,
in part.
Read the rest of this article at:
http://www.wired.com/news/technology/0,1282,52174,00.html

Symantec's basic security "best practices":
* Turn off and remove unneeded services. By default, many operating systems
install auxiliary services that are not critical, such as an FTP client,
telnet, and a Web server. These services are avenues of attack. If they
are removed, blended threats have fewer avenues of attack and you have
fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable,
or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that
host public services and are accessible through the firewall, such as
HTTP, FTP, mail, and DNS services.
* Enforce a password policy. Complex passwords make it difficult to crack
password files on compromised computers. This helps to prevent or limit
damage when a computer is compromised.
* Configure your email server to block or remove email that contains file
attachments that are commonly used to spread viruses, such as .vbs, .bat,
.exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your
organization. Perform a forensic analysis and restore the computers using
trusted media.
* Train employees not to open attachments unless they are expecting them.
Also, do not execute software that is downloaded from the Internet unless
it has been scanned for viruses. Simply visiting a compromised Web site
can cause infection if certain browser vulnerabilities are not patched.
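
An added example (not from the original page or from Symantec) of the attachment-blocking practice in the list above: it parses a message with Python's standard `email` package and removes parts whose final extension is on the list. The function names and the sample message are constructed for illustration.

```python
import email
from email.message import EmailMessage

# Extensions named in the Symantec list above; extend to suit local policy.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def is_blocked_name(filename):
    """True if the last extension of an attachment name is on the block list."""
    # Windows drops trailing dots and spaces from file names, so normalise
    # "SETUP.EXE. " to "setup.exe" before comparing.
    cleaned = filename.strip().rstrip(". ").lower()
    # Only the final extension decides how "photo.jpg.pif" is opened.
    return "." in cleaned and "." + cleaned.rpartition(".")[2] in BLOCKED_EXTENSIONS


def strip_blocked(raw_message):
    """Return (cleaned message bytes, list of removed attachment names)."""
    msg = email.message_from_bytes(raw_message)
    removed = []

    def prune(part):
        if not part.is_multipart():
            return
        kept = []
        for child in part.get_payload():
            # get_filename() checks Content-Disposition, then Content-Type name.
            name = child.get_filename()
            if name and is_blocked_name(name):
                removed.append(name)
            else:
                prune(child)  # nested multiparts (forwarded mail) are walked too
                kept.append(child)
        part.set_payload(kept)

    prune(msg)
    return msg.as_bytes(), removed


def build_sample():
    """Constructed test message: one harmless file, one double-extension .pif."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "friend@example.com", "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("notes.txt", "photo.jpg.pif"):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

A single-part message that is itself a blocked file is not altered by `strip_blocked`; a gateway would reject such a message whole.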