Klez 101 Michael Shumko
Jan 17, 2016
What’s Coming Up
The Klez Virus/Worm
How Klez Gets In
Damage
Distribution
Protection
Next Steps
To Learn More
The Klez Virus/Worm
Klez first appeared in October 2001
Variants are still making the rounds in September 2002
Affects Windows computers
Does not affect Macintosh, Unix, Linux, others
How Klez Gets In
Exploits a vulnerability of Microsoft Outlook, Microsoft Outlook Express and Microsoft Internet Explorer 5.x
No need to execute the attachment
Simply open or preview the message
Preview Pane
Damage
Infects executable files with itself
Copies itself to network shares
Disables some common anti-virus products
Sets itself up to start with Windows
Drops a copy of the Elkern virus
Damages files by overwriting with zeros
Distribution
Large scale e-mailing
Uses its own SMTP engine
Subject and attachment name are random
May release confidential data
Distribution (cont.)
“To” addresses found in local files and in Windows and ICQ address books
“From” address is spoofed
Can masquerade as an immunity tool
Can masquerade as “postmaster bounce” messages
Distribution (cont.)
[Diagram: Your PC (Outlook, Klez worm, Anti-Virus) - FIREWALL - ISP (Mail service, Anti-Virus)]
Protection
Use basic security “best practices”
Keep patch levels up to date
Scan incoming mail for viruses
Use firewall to stop outbound
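The MS01-020 bulletin cited at the end of this deck concerns attachments whose MIME Content-Type misdescribes executable content, which is what lets a message do harm from the preview pane. As an added example (mine, not from these slides), here is a gateway-side check that flags such mismatches; the message, the boundary name and the 12-byte "MZ" stub are constructed for the demonstration and are not a real sample.

```python
"""Flag mail parts whose declared MIME type misdescribes executable content
(the MS01-020 attachment class). Added example; not from the slides."""
import email
from email import policy

# Extensions Windows runs directly, and the part types a mailer may open
# automatically from the preview pane without prompting the user.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}
AUTO_OPEN_PREFIXES = ("audio/", "image/", "text/")

def suspicious_parts(raw_message: bytes):
    """Return (filename, declared type, reasons) for each mismatched part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        reasons = []
        # A DOS/PE image starts with "MZ"; it has no business under a media type.
        if payload[:2] == b"MZ" and not ctype.startswith("application/"):
            reasons.append(f"PE header under Content-Type {ctype}")
        if ext in EXEC_EXTENSIONS and ctype.startswith(AUTO_OPEN_PREFIXES):
            reasons.append(f"executable name {filename} declared as {ctype}")
        if reasons:
            findings.append((filename, ctype, reasons))
    return findings

# Constructed sample: a fake "postmaster bounce" carrying an .exe labelled as
# a WAV file. The base64 is only a 12-byte MZ header stub, not a program.
SAMPLE = b"""From: postmaster@example.invalid
To: user@example.invalid
Subject: Returned mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="klez-demo"

--klez-demo
Content-Type: text/plain

Your message could not be delivered.
--klez-demo
Content-Type: audio/x-wav; name="report.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--klez-demo--
"""

if __name__ == "__main__":
    for name, ctype, why in suspicious_parts(SAMPLE):
        print(f"QUARANTINE {name!r} ({ctype}): {'; '.join(why)}")
```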
Next Steps
To Learn More
My web site: http://members.shaw.ca/mike-shumko/av/
Microsoft security bulletins: MS01-020 re MIME headers
Anti-virus manufacturers: Norton / Symantec, McAfee
Thank you