Detected only last week (April 17' 2002), Klez virus has taken notorious proportion in a very short span of time causing large scale destruction and mayhem in e-mail community. Symantec (Norton Anti-Virus) has been quick to upgrade the threat level from level 2 to level 3 within a week !

Like many of its predecessors, Klez virus comes as attachment in e-mail. However, unlike its predecessors, the e-mail disguises as a friendly tip or warning from someone YOU REGULARLY RECEIVE MAIL.

Not that apparent sender's computer is infected, but the virus is intelligent enough to pick up as sender such a mail address from infected computer's Inbox, Outbox, Address Book or ICQ that is unlikely to raise suspicion in receiver's mind.

We have received e-mails laced with Klez virus that seem to have originated from as varied and dependable sources as Worldbank, Yahoo, and even helpdesk@del1.vsnl.net.in !

So, if you receive e-mail from infobanc with file attachment - DELETE IT IMMEDIATELY ! We never send e-mail with file attachment without prior permission from receiver.

HOW TO DETECT THE VIRUS

Symantec (http://www.symantec.com) has given detail information on how to detect e-mails containing Klez virus. The e-mail will have one or two file attachments and a Subject line like following:

• Undeliverable mail--"[Random word]" 
• Returned mail--"[Random word]" (e.g. Returned mail--"honey" )
• a [Random word] [Random word] game (e.g. A special excite game)
• a [Random word] [Random word] tool (e.g. A very useful tool
• a [Random word] [Random word] website (e.g. A very funny website)
• a [Random word] [Random word] patch (e.g. A IE 6.0 patch)
• [Random word] removal tools
• how are you
• let's be friends
• darling
• so cool a flash,enjoy it
• your password
• honey
• some questions
• please try again
• welcome to my hometown
• the Garden of Eden
• introduction on ADSL
• meeting notice
• questionnaire
• congratulations
• sos!
• japanese girl VS playboy
• look,my beautiful girl friend
• eager to see you
• spice girls' vocal concert
• japanese lass' sexy pictures

HOW THE VIRUS DAMAGES YOUR COMPUTER

According to Symantec, the virus can impart damages in following ways:

Payload:

This worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

Large scale e-mailing:

This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.

Releases confidential info:

Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment.

DETECTION AND REMOVAL

For all its stealth technology and intelligence, fortunately detection of Klez virus and removal is not difficult. First of all, if you delete the e-mail without opening the file attachment -you are safe. In case you or your staff accidentally opens the attachment and the computer gets infected, detection and removal is comparatively easy. The virus binds itself to a random file in Windows/System directory. Symantec has given step by step instruction on how to detect its presence from Windows Registry file. In case you find your system infected, follow the removal instructions in www.symantec site.

Related Links:

• How to Avoid Virus Attacks and Security Threats

Source: FAIDA - Newsletter on Business Opportunties from India and Abroad Vol: 3, Issue 4 April 25' 2002