Klez Worm Is Back

A new version of the Klez worm is making the rounds across Europe and Asia, antivirus vendors warn. The new Klez variant, Klez.h, has medium destructive characteristics and high distribution potential, compared with other worms, Symantec Corp. says.

Klez.h spreads as an E-mail with a random attachment, message body, and subject line. When an E-mail is read, Klez copies itself to the Windows system directory and changes settings so the worm is launched each time Windows is started. The worm can also copy itself to shared drives, antivirus vendors say. Klez also attempts to disable many antivirus products, just like its predecessors.

Ironically, this mass-mailing worm also contains a message warning about the danger of the Klez worm and explains that the attached "antidote" should be clicked. An additional "social engineering" ploy contained in a footnote tells unwary users that they should ignore any antivirus warnings saying that the attachment is infected.

More than 300 infections have been reported by customers, antivirus firm Kaspersky Labs says, and roughly 60% of all virus reports to the company are Klez.h.

Companies should block dangerous attachments, including .exe, .vbs, .bat, and .src, from passing through their E-mail server.