Klez (computer worm)
Encyclopedia
Klez is a computer worm
that propagates via e-mail
. It first appeared in October 2001. A number of variants of the worm exist.
Klez infects Microsoft Windows
systems, exploiting a vulnerability in Internet Explorer
's Trident
layout engine, used by both Microsoft Outlook and Outlook Express
to render HTML
mail.
The e-mail through which the worm spreads always includes a text portion and one or more attachments. The text portion consists of either an HTML
internal frame tag which causes buggy e-mail clients to automatically execute the worm, or a few lines of text that attempt to induce the recipient to execute the worm by opening the attachment (sometimes by claiming that the attachment is a patch from Microsoft; sometimes by claiming that the attachment is an antidote for the Klez worm). The first attachment is always the worm, whose internals vary.
Once the worm is executed, either automatically by the buggy HTML engine or manually by a user, it searches for addresses to send itself to. When it sends itself out, it may attach a file from the infected machine, leading to possible privacy breaches.
Later variants of the worm would use a false From address, picking an e-mail address at random from the infected machine's Outlook or Outlook Express address book, making it impossible for casual observers to determine which machine is infected, and making it difficult for experts to determine anything more than the infected machine's Internet Service Provider.
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
that propagates via e-mail
E-mail
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
. It first appeared in October 2001. A number of variants of the worm exist.
Klez infects Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
systems, exploiting a vulnerability in Internet Explorer
Internet Explorer
Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year...
's Trident
Trident (layout engine)
Trident is the name of the layout engine for the Microsoft Windows version of Internet Explorer.It was first introduced with the release of Internet Explorer version 4.0 in October 1997; it has been steadily upgraded and remains in use today...
layout engine, used by both Microsoft Outlook and Outlook Express
Outlook Express
Outlook Express is an email and news client that is included with Internet Explorer versions 4.0 through 6.0. As such, it is also bundled with several versions of Microsoft Windows, from Windows 98 to Windows Server 2003, and is available for Windows 3.x, Windows NT 3.51, Windows 95 and Mac OS 9...
to render HTML
HTML
HyperText Markup Language is the predominant markup language for web pages. HTML elements are the basic building-blocks of webpages....
mail.
The e-mail through which the worm spreads always includes a text portion and one or more attachments. The text portion consists of either an HTML
HTML
HyperText Markup Language is the predominant markup language for web pages. HTML elements are the basic building-blocks of webpages....
internal frame tag which causes buggy e-mail clients to automatically execute the worm, or a few lines of text that attempt to induce the recipient to execute the worm by opening the attachment (sometimes by claiming that the attachment is a patch from Microsoft; sometimes by claiming that the attachment is an antidote for the Klez worm). The first attachment is always the worm, whose internals vary.
Once the worm is executed, either automatically by the buggy HTML engine or manually by a user, it searches for addresses to send itself to. When it sends itself out, it may attach a file from the infected machine, leading to possible privacy breaches.
Later variants of the worm would use a false From address, picking an e-mail address at random from the infected machine's Outlook or Outlook Express address book, making it impossible for casual observers to determine which machine is infected, and making it difficult for experts to determine anything more than the infected machine's Internet Service Provider.
See also
- Notable computer viruses and worms
- List of computer viruses
- Computer viruses