Despite dire predictions from some anti-virus companies of widespread file deletions and other damage, the supposed activation of the payload carried by the Klez.E Internet worm turned into a major non-event Wednesday.
The worm, discovered in January, is a typical mass mailer, and most anti-virus vendors have it listed as either a low or medium risk. However, it has a date-activated payload that is supposed to execute on the sixth day of March, May, September and November and delete common file types such as .doc, .txt, .html and others.
This, coupled with a slow increase in the number of infections in recent weeks, was enough for some vendors to send e-mail messages to customers warning that Klez could run rampant in their networks Wednesday, trashing files with abandon.
The problem with this scenario is twofold: First, the worm is 2 months old and any enterprise with anti-virus protection would have been protected against it long ago. And second, the payload often fails to activate.
“The payload that people are claiming will activate [Wednesday], we can’t even get it to work in the lab,” said Vinny Gullotto, director of research at McAfee Security’s AVERT Labs, a part of Network Associates Inc., in Santa Clara, Calif. “I’ve heard nothing in the last two months about this payload damaging people’s PCs. It’s totally alarmist from my perspective.”
If Klez is likely to affect anyone at this stage of its life, it would be home users, Gullotto added, because most enterprises have had updated anti-virus signatures capable of detecting the worm for more than six weeks.
“Most enterprises probably haven’t even seen it in their environments,” he said.