Do you ever wonder how viruses can spread so fast and to so many people? This is something
that I think about on a regular basis. This month let's look at one of the newer viruses
that has hit the net in the last few months and look at the specifics of what it does, how
it replicates itself, and why viruses like it are able to do what they do. In the end we
will go over what you can do to keep yourself, as well as the people that you interact with
on the Internet, safe.
Klez is a virus that we saw a lot of action from in May. This is due to some of the
versions having a payload that is activated on the 6th and 13th of odd months. A lot of
the activity is simply due to the amount of time that the virus has been out. The original
versions, W32.Klez.A@MM and W32.ElKern.3326, were discovered October 25, 2001. Five other
versions have been discovered since then. Most of the variants utilize the MIME
vulnerability that is discussed in Microsoft Security Bulletin MS01-020, which was released
March 29, 2001 along with the patch to fix the problem. This is a vulnerability that is
present in versions of Internet Explorer and the way that it handles HTML e-mails.
Because HTML e-mails are really web pages, Internet Explorer is used to handle them when
they are opened or previewed in the preview pane of Microsoft Outlook and Outlook Express.
A flaw exists in the type of processing that is specified for certain unusual MIME types.
MIME is an acronym for Multipurpose Internet Mail Extensions. It is an Internet standard
for encoding binary files as e-mail attachments. When an e-mail contains a binary
attachment, it must specify what type of file the attachment is so the mail program can
display it correctly. With this vulnerability, Internet Explorer doesn't handle certain
MIME types correctly. In the case of the Klez virus, the writer has created an e-mail that
contains an executable attachment, such as an .exe, and then specified that it is one of
these unusual MIME types. Because Internet Explorer has been told by the e-mail that this
attachment is something other than the executable that it is, Internet Explorer will try
to render or display the file without asking the user if he would like to run the program
or save it to a folder. The attacker could send a program that could do anything that the
current user has the right to do on that particular computer.
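As an added example (not from the original column), here is a defender-side check in Python for the mislabelling pattern just described: it parses a constructed message whose executable attachment is declared as audio/x-wav and flags any attachment whose declared MIME type disagrees with its executable content or filename. The sample message, the fake "MZ" payload and the audio/x-wav label are all constructed for illustration.

```python
import base64
from email import message_from_bytes

# Constructed sample: an executable attachment declared as a non-executable
# MIME type, the mislabelling MS01-020 describes. The payload is only a fake
# DOS/PE header ("MZ" ... "PE\0\0") padded with zeros, not a real program.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32
SAMPLE_MAIL = (
    b"From: someone@example.invalid\r\n"
    b"To: you@example.invalid\r\n"
    b"Subject: Hi\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\n"
    b"Content-Type: text/html\r\n\r\n<html>hello</html>\r\n"
    b"--b1\r\n"
    b'Content-Type: audio/x-wav; name="readme.exe"\r\n'   # mislabelled
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="readme.exe"\r\n\r\n'
    + base64.encodebytes(FAKE_PE) +
    b"--b1--\r\n"
)

# Extensions Windows treats as directly runnable (assumed list for the check).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}


def is_pe_executable(data: bytes) -> bool:
    """Windows executables (EXE, DLL, SCR) start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def find_mislabelled_executables(raw: bytes) -> list[dict]:
    """Return attachments that look executable (by magic bytes or filename)
    but are declared with a renderable, non-application Content-Type."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue                      # containers carry no payload
        payload = part.get_payload(decode=True) or b""
        filename = (part.get_filename() or "").lower()
        ext = filename[filename.rfind("."):] if "." in filename else ""
        declared = part.get_content_type()
        looks_exec = is_pe_executable(payload) or ext in EXEC_EXTENSIONS
        if looks_exec and not declared.startswith("application/"):
            findings.append({"filename": filename, "declared": declared,
                             "magic": payload[:2]})
    return findings
```

A check like this belongs at the mail gateway, since it catches the mismatch before an unpatched client ever gets to render the part; it complements the MS01-020 patch rather than replacing it.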
After the program is run, your system could be affected in many ways depending on which
version of the virus you have received. One of the versions will drop another version into
your system that will then go to work. Another part of the virus could begin to look
through your address book, the ICQ database and local files (such as .HTML and text files)
for e-mail addresses. It will then use its own SMTP engine and begin sending itself to all
the addresses it finds, with a copy of itself as the attachment. Some of them will even use
one of the e-mail addresses from your address book as the reply-to address so that the
e-mail doesn't look like it came from you. This makes it a real problem to track down who
is sending the virus out. Someone from your address book, who may not have the virus, will
be getting e-mails from the people that you are sending infected e-mails to. Who needs
enemies with friends like this?
Another version will attempt to disable any antivirus software that is installed on the
system. It will start by removing the registry keys that start the antivirus programs and
then delete the checksum files that the antivirus programs use to look for changes to
files. If the antivirus program were up to date, the virus would not have a chance because
it would be exposed before it could do its dirty work. Other types will begin to infect
files in the system folder as well as its subfolders and any other drives that are on the
system, including mapped network drives. Other variants will change the executable files
in the Windows and Windows\System folders to either 1kb or 0kb instead of infecting them.
Sooner or later Windows will just quit on you and you will not be able to restart it.
Are we getting the idea here? I have only given you some examples of the many ways that
this one family of virus gets into your system. From what I can find, there are seven
variants of the Klez virus. There is a big difference in what the different versions will
do to your system, from mild annoyance to the destruction of your operating system. All of
these problems can be avoided by taking advantage of the tools that are available to you.
A good antivirus program that is kept up to date, along with an operating system that is
kept up to date, is all you need to save you the heartache that usually accompanies a virus
infection. Have a plan to keep your systems up to date and follow through with the plan,
and you won't need to make the visit to the computer doctor.