Klez Worm Making Comeback

A new variant of the Klez worm is making the rounds on the Internet, spreading rapidly in Asia and parts of Europe.

Klez.H is a mass-mailing worm that is little different from its older siblings in that it spreads by mailing itself to all of the addresses in the infected machines Microsoft Corp. Outlook address book. It is also capable of infecting files on shared network drives and copies itself to the Windows registry and modifies the registry so that the virus will execute each time the machine boots up.

Klez.H also attempts to disable any anti-virus software resident on the machine.

The only real distinctions in the new version are a different set of random subject lines for the e-mail message that carries the worm and a little better social engineering on the part of the author.

In one of the messages containing the worm, there is a note explaining that the attached file is actually a tool that can cleanse infected PCs of Klez.

“The main difference is that this ones spreading,” said Roger Thompson, director of malicious code research at TruSecure Corp., a managed security service provider in Herndon, Va. “Its gotten lucky and gotten into one or two big companies. And because it can worm its way onto network shares, that tends to be painful.”

The new variant seems to have originated in Asia, and Message Labs Ltd., a U.K.-based managed mail services provider that tracks virus activity, had already stopped more than 2200 copies of it as of 4 p.m. EDT Wednesday.

The worm is also known as Klez.K, Klez.G and Klez.I.