A New Form of Computer Worm May Slip Past Antivirus Scanners

A New Form of Computer Worm
May Slip Past Antivirus Scanners

By RIVA RICHMOND
DOW JONES NEWSWIRES

NEW YORK -- After fiddling for about a week with the code, the author, or perhaps authors, of the "Klez" family of computer viruses hit the jackpot.

The program, known as a worm because it replicates on its own, was finally different enough from other known viruses that it could slide by some antivirus scanners.

With roots going back to late October, this version of Klez -- the third in a week -- emerged out of Asia on Monday and was global by Wednesday morning, infecting Europe and the U.S., said Alex Shipp, senior antivirus technologist at MessageLabs, a United Kingdom-based e-mail filtering company. The firm has dubbed the worm "Klez.K," though more antivirus companies have called it "Klez.H."

The tweaking process, which produces multiple versions all logged by antivirus-software companies, appears to be an escalating trend in the world of virus writing.

Mr. Shipp said MessageLabs has blocked 10 versions of the "MyLife" virus since the beginning of the year and about 30 versions of the "Shoho" virus in the last two weeks.

Klez.K spreads in a number of ways. Like other mass-mail worms, it multiplies by sending itself out to everyone in a victim's Outlook e-mail program after an infected attachment is opened. The e-mail can have different subject lines and can carry file attachments with different names. The message text can also vary, but at least one version invites the recipient to click on the attachment to play a game.

Klez.K also tries to spread through shared file systems, which are used by many companies, said Sharon Ruckman, senior director of Symantec Corp.'s Symantec Security Response. And it can infect Microsoft Explorer files and try to use them to spread further, she said.

Infection could open up a computer to further virus assault. The virus tries to delete or disable most antivirus programs.

Since Monday, MessageLabs has kept about 3,000 copies of Klez.K from reaching its customers, a tally that marks the outbreak as medium sized, Mr. Shipp said.

Network Associates Inc.'s McAfee virus program, which is in wide used among corporations, was among those able to block Klez.K. That likely tempered the size of the outbreak, Mr. Shipp said. Still, risk of infection remains somewhat high, though it should subside now that most antivirus-software makers have updated their programs.

Symantec, maker of Norton antivirus software, called the risk level a "three" on a scale of one to five. "It's not a monster like Code Red or Nimda, but it is a moderately sized event," said Roger Thompson, technical director of malicious code research at TruSecure Corp. "It's not new enough or different enough to be really successful. But that's just a matter of time."

​