
Why the Klez worm just won't go away

Every time a virus or worm--like Klez--wreaks havoc across the globe, it's inevitably followed by copycat variants. So how can you protect yourself against these viral descendants?
Written by Robert Vamosi, Contributor
COMMENTARY--Soon after a virus or worm wreaks havoc across the globe, it's often followed by copycat variants. For example, within days of the original ILOVEYOU virus infection that took place two years ago, some 40 ILOVEYOU variants circulated on the Internet, each with its own distinctive quirk.

Why is this? Because for every virus that is successful (i.e., can spread itself and do damage on remote computers), there are hundreds of viruses that never see the light of day. So when a virus manages to unleash itself on the world, other virus writers try to ride that success and personalize the digital miscreant with their own messages. Luckily, most antivirus programs can stop these copycats before they hit your computer.

SINCE THE FIRST of this year, I've seen variants of popular viruses that are quite robust. The copies are often stronger than the original, as though the primary author was not satisfied with the original release and tweaked it to make it more destructive.

First, the Maldal family descendants Reeezak and Maldal.I appeared around the New Year. Then, at the end of March, several versions of the MyLife worm cropped up. Currently, a new version of the Klez worm is circulating worldwide.

The original Klez.A worm first appeared in October 2001, arriving as an e-mail in which the sender asked for employment. Within the body text of the original Klez.A e-mail, the author wrote:

    I'm sorry to do so, but it's helpless to say sorry. I want a good job, I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names, I have no hostility. Can you help me?

WHAT DISTINGUISHES KLEZ from other worms is that it carries a second virus, the Elkern virus. Thus, Klez is sometimes known as the "twin virus." The original Elkern virus infected only executable files on Windows 2000, by injecting virus code into empty file cavities. The upgraded Elkern.C virus (available in Klez.H) now infects executable files on all platforms of Windows.

The author apparently sees Klez as a work in progress, even providing within the code a text file that explains what is different in this new release. Here's part of the text included within the latest release:

    Win32 Klez V2.01 & Win32 Foroux V1.0 Copyright 2002,made in Asia
    About Klez V2.01:
    1,Main mission is to release the new baby PE virus,Win32 Foroux
    2,No significant change.No bug fixed.No any payload.
    About Win32 Foroux (plz keep the name,thanx)...
    Not bug free,because of a hurry work.No more than three weeks
    from having such idea to accomplishing coding and testing.

    (Note: Win32.Foroux is the author's name for the Elkern virus.)

Judging by clues within the Klez worm code, some believe it may originate from the Guangdong province of China--the same place where last summer's Code Red is thought to have come from.

WHAT CAN BE DONE to better protect you from virus copycats? More antivirus software makers should offer one signature definition file designed to block all probable variations of a single family of viruses. Some vendors already do this. Also, you should be vigilant about keeping your antivirus software up to date with the latest virus signatures.
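To illustrate the difference between a per-variant signature and the family-wide signature suggested above, here is an added example (written for this page, not code from the column or from any antivirus vendor). The "variants" are constructed byte strings that share an invariant stub and differ only in an embedded message, which is the part copycats typically change; the stub bytes are invented for illustration.

```python
import hashlib
import re

# Constructed stand-ins for an invariant code stub shared by all
# members of one worm family. These bytes are invented, not taken
# from any real sample.
STUB_HEAD = b"\x55\x8b\xec\x83\xec\x10"   # constructed prologue
STUB_TAIL = b"\x8b\xe5\x5d\xc3"           # constructed epilogue


def build_variant(message: bytes) -> bytes:
    """Assemble a constructed sample: the fixed stub around a variable message."""
    return b"MZ" + STUB_HEAD + message + STUB_TAIL


# Three constructed "copycat" variants plus one benign file.
SAMPLES = {
    "variant_a": build_variant(b"I want a good job"),
    "variant_b": build_variant(b"No significant change"),
    "variant_c": build_variant(b"plz keep the name"),
    "benign": b"MZ" + b"\x00" * 16 + b"hello world",
}


def file_hash(data: bytes) -> str:
    """Per-variant signature: the hash of one exact file."""
    return hashlib.sha256(data).hexdigest()


# Only the first variant has been seen and hashed by the "vendor".
KNOWN_HASHES = {file_hash(SAMPLES["variant_a"])}

# Family signature: the invariant stub with a bounded wildcard for the
# region the copycats rewrite. re.DOTALL lets '.' match every byte value.
FAMILY_PATTERN = re.compile(
    re.escape(STUB_HEAD) + rb".{1,64}?" + re.escape(STUB_TAIL), re.DOTALL
)


def matches_exact(data: bytes) -> bool:
    """True only for the exact file whose hash was recorded."""
    return file_hash(data) in KNOWN_HASHES


def matches_family(data: bytes) -> bool:
    """True for any file carrying the shared stub, whatever the message."""
    return FAMILY_PATTERN.search(data) is not None


def scan(samples: dict) -> dict:
    """Return {name: (exact_hit, family_hit)} for every sample."""
    return {n: (matches_exact(d), matches_family(d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (exact, family) in scan(SAMPLES).items():
        print(f"{name:10s} exact={exact!s:5s} family={family}")
```

The hash signature catches only the one file it was built from, while the family pattern flags all three constructed variants and leaves the benign file alone; the bounded wildcard is what keeps the family rule from matching arbitrary data.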

Until both you and all the antivirus companies take these precautions, every time a new "successful" virus appears, you can expect at least one or two robust variations to follow.

What else can be done to better protect everyone from copycat viruses? Who should shoulder the responsibility? End users or antivirus companies? TalkBack to me below.
