Page 1: Klez 101

Klez 101

Michael Shumko

Page 2: Klez 101

What’s Coming Up

- The Klez Virus/Worm
- How Klez Gets In
- Damage
- Distribution
- Protection
- Next Steps
- To Learn More

Page 3: Klez 101

The Klez Virus/Worm

- Klez first appeared in October 2001
- Variants are still making the rounds in September 2002
- Affects Windows computers
- Does not affect Macintosh, Unix, Linux, others

Page 4: Klez 101

How Klez Gets In

- Exploits a vulnerability of
  - Microsoft Outlook
  - Microsoft Outlook Express
  - Microsoft Internet Explorer 5.x
- No need to execute the attachment
- Simply open or preview the message

Page 5: Klez 101

Preview Pane

Page 6: Klez 101

Damage

- Infects executable files with itself
- Copies itself to network shares
- Disables some common anti-virus products
- Sets itself up to start with Windows
- Drops a copy of the Elkern virus
- Damages files by overwriting with zeros

Page 7: Klez 101

Distribution

- Large scale e-mailing
- Uses its own SMTP engine
- Subject and attachment name are random
- May release confidential data

Page 8: Klez 101

Distribution (cont.)

- “To” addresses found in
  - Local files
  - Windows and ICQ address books
- “From” address is spoofed
- Can masquerade as an immunity tool
- Can masquerade as “postmaster bounce” messages

Page 9: Klez 101

Distribution (cont.)

[Diagram labels: Klez worm; Your PC (Anti-Virus); ISP (Anti-Virus); Outlook; Mail service; Firewall]

Page 10: Klez 101

Protection

- Use basic security “best practices”
- Keep patch levels up to date
- Scan incoming mail for viruses
- Use firewall to stop outbound
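
An added illustration of the mail-scanning point (not part of the original slides): MS01-020, cited in this deck, concerns MIME headers that cause an attachment to run when a message is opened or previewed. The check below flags message parts declared as a media type but named as a Windows executable; the extension list, the set of media types and the sample message are assumptions constructed for this example.

```python
import os
from email import message_from_string

# Extensions Windows runs directly (illustrative list, an assumption of this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd"}
# Top-level MIME types a mail client may render or play without prompting (assumption).
AUTO_HANDLED_TYPES = {"audio", "image", "video", "text"}

def suspicious_parts(raw_message):
    """Return (content_type, filename) for each part whose declared type is
    benign-looking media but whose file name is a Windows executable."""
    findings = []
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition, then the Content-Type name parameter.
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in AUTO_HANDLED_TYPES:
            findings.append((part.get_content_type(), filename))
    return findings

# Constructed sample message: one mismatched part, one ordinary attachment.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: audio/x-wav; name="notes.exe"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for ctype, name in suspicious_parts(SAMPLE):
        print(f"quarantine: {name} declared as {ctype}")
```

A mail gateway would run a check like this alongside signature scanning, since it does not depend on recognising a particular variant.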

Page 11: Klez 101

Next Steps

Page 12: Klez 101

To Learn More

- My web site
  - http://members.shaw.ca/mike-shumko/av/
- Microsoft security bulletins
  - MS01-020 re MIME headers
- Anti-virus manufacturers
  - Norton / Symantec
  - McAfee

Page 13: Klez 101

Thank you
