[OFFTOPIC] Wired News :Klez Worm, Not Sender, Hates You (fwd)



Apparently the virus pretends to come from the computer of someone who
didn't have anything to do with it! FN

---------- Forwarded message ----------


From Wired News, available online at:
http://www.wired.com/news/print/0,1294,52055,00.html

Klez Worm, Not Sender, Hates You  
By Michelle Delio  

2:00 a.m. April 24, 2002 PDT 

Klez, the virus that's currently bombarding e-mail inboxes, appears to
be hurting people more than computers.  

The virus arrives attached to an e-mail that typically appears to have
been sent by someone the recipient knows.  

Many computer users say that friends, co-workers and business
associates are angrily -- or patronizingly -- accusing them of sending
out viruses. Some victims say they fear their professional reputations
have been harmed.  

"I've gotten a couple of dozen copies of this virus today, as well as
a dozen or so e-mails informing me that my computer is infected with
Klez," said Nadine Gormer, an author of technical manuals. "Several of
these e-mails came from clients, and I am really upset that they think I
was stupid enough to open a virus attachment."  

Receiving an e-mail containing the Klez virus "from" someone does not
indicate that their computer is infected or that they sent the virus,
antiviral experts said. Klez spoofs "From" information in the e-mails the
virus sends.  

It's good that the experts know that, since some Klez e-mails seem to
have been specifically intended to spark bad feelings in the antiviral
industry.  

Some employees of antiviral application companies say they have
received Klez e-mails containing obscene and insulting messages that
refer to the recipient by name.  

The Klez e-mail's "from" line attempts to indicate that the message
was sent from a person employed at another antiviral vendor's firm.  

Klez e-mails that target antiviral company employees appear to be hand
sent. While standard Klez e-mails sometimes refer to a recipient's name
in the subject line, rude messages have so far not been included.  

Once active on a computer, Klez searches for files containing e-mail
addresses. It randomly selects one as the "sender," and then transmits
e-mails with attachments containing the virus to the rest of the
collected addresses.  

"I've gotten eight e-mails today from clients who accused me of
sending them a virus," Kit Calen, who owns her public relations firm in
Toronto, said.  

Calen said she's worried the Klez e-mails that appear to come from her
will negatively impact her small business.  

"Some of these e-mails also went to people I've been trying to get
business from," she said. "I can't imagine they will trust me with a
campaign for a tech firm after this."  

Others are amused by the odd juxtapositions of their co-workers and
friends' names with the random subject lines that Klez adds to
virus-laden e-mails.  

"I've gotten e-mails supposedly from the director of our firm pleading
with me to be his friend, and another from the head of a very large
investment firm advising me to look at Asian porn pics," said Mark
Kaufman, a stockbroker.  

Klez e-mails' subject lines are randomly chosen from a pre-programmed
list of about 120 possibilities, including "Let's be friends," "Japanese
lass' sexy pictures," "Meeting Notice," "Hi Honey" and "SOS."  

Klez had been typically arriving in e-mail with a message stating that
the attachment was an antidote for the Klez virus. But over the past
weekend, antiviral experts noted that the "inoculate" e-mails had dropped
off and the bulk -- though not all -- of Klez-infected attachments were
arriving in blank e-mails.   

Klez also sends fake "returned" or "undeliverable" e-mails, advising
the supposed sender that their original, refused e-mail is contained in the attachment. Clicking on the attachment triggers the virus.  

The virus can launch automatically when users click to preview or read
e-mails bearing Klez on systems that have not been patched for a year-old vulnerability in Internet Explorer, Outlook and Outlook Express. Klez only affects PCs running Microsoft's Windows operating system.  

In most cases, users of Outlook XP, or those who applied Microsoft's
security update for older versions of Outlook, do not receive the attachments, but instead typically see an announcement that the message "contained script, which Outlook can't display."  

In some cases, Klez, like its creepy cousin SirCam, has also been
snagging random files from infected machines and e-mailing them along with the virus-laden attachment. This activity appears to be totally random.  

Although Klez has slowed a bit since Monday, antiviral firms are still
showing it's in heavy circulation, and most are reporting receiving "bursts" of the virus.  

"All will be quiet for a while, then we'll suddenly receive a couple
dozen e-mails with Klez," Rod Fewster, a representative for the
antiviral application NOD32, said.  

Fewster and other virus watchers have also reported an upswing in
older releases of Klez. The creator, or creators, of Klez continuously tinkers with the virus and there have been a half-dozen variants since it was first spotted in October 2001.  

When a computer is infected, Klez disables any antiviral software on
that computer.  

Antiviral experts speculate that "spreaders," those who do not code
but instead collect and release others' viruses, decided to release older versions of Klez when the latest variant went active, hoping to take advantage of now unprotected PCs.  

"Coders are all about their latest creations," Fewster said. "I can't
imagine the Klez coder re-releasing (an) antique variant on the same day as his latest little bundle of joy. I think there may have been two separate Klez releases by two different people on 17 April."   

Copyright (C) 1994-2002 Wired Digital Inc. All rights reserved.