Klez worm variant infests UK

A new version of the Klez email worm, discovered earlier this week, has spread rapidly in the past few hours. The UK is at the top of the attack list

A variant of the Klez worm which resurfaced earlier this week has begun to spread extremely quickly, with the UK as its top target, according to an antivirus firm.

UK-based MessageLabs said the Klez.H worm, which spreads via email, has proliferated "dramatically" during the day on Friday. Email security firm MessageLabs first detected the new variant on Monday, coming from an Internet address in China.

Klez.H, as it is called by most antivirus vendors, is a modified version of a worm that has been around for months. With the new version the code has been changed enough that it can slip past antivirus software. However, most antivirus vendors, including Symantec, McAfee and Sophos, have offered Klez.H patches since Wednesday.

MessageLabs said it stopped two copies of Klez variants on Monday. From Wednesday afternoon the number of copies rose sharply, and gathered pace on Friday. The firm said it stopped several thousand copies on Friday, for a total of more than 46,000 copies by Friday afternoon, nearly 1 in every 77 emails.

The UK topped its list with more than 5,000 copies stopped, followed by Hong Kong and the US.

Different variants of the Klez worm have generally been among the top three antivirus threats since the first version of the worm was released in January. The Klez.e variant, which appeared last February, was particularly voracious, quickly becoming one of the fastest-spreading worms on the Internet.

Security-software maker Symantec upgraded the latest variant, which it labelled W32.Klez.H, to a threat level of three from a previous rating of two. The company categorises threats on a scale of one, the lowest threat, to five.

The worm arrives in an email message with one of 120 possible subject lines. There are 18 different standard subject headings, including "let's be friends", "meeting notice", "some questions", and "honey". On top of those, seven other patterns exist, such as "a x game" and "a x patch", where x can be one of 16 different words, including "new", "WinXP", and the name of any of six major antivirus companies.

In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on unpatched versions of Outlook.

The malicious program will find any network storage available on the infected PC and copy itself to the remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension.

The program will also cull email addresses by searching a host of different file types on the infected PC. Using its own mail program, the worm will send itself off to those email addresses. In addition, it will use the addresses to create a fake "From:" field in the email message, disguising the actual source of the email.

Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.

The worm also sports a message in its code from the author, who brags that it only took three weeks to create the malicious program.

The author claims the virus originated in Asia and may have bugs because of how fast he created it.

CNET News.com's Robert Lemos contributed to this report.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.