Skip to content
Tips for Tech

Tech Alert Briefing for 4/25/2002

Klez Worm Reels in Banks with its Bait

New variations of the Klez virus began to circulate late last week and it appears that many financial institutions have been trapped by the bait.

Within the past few days we have received dozens of infected emails from bankers, indicating that their systems have been compromised by the KLEZ virus.

We urge all financial institutions to download the latest signature files from their anti-virus software makers. In addition, it is important to ensure that all computer systems using Outlook Express are updated with the latest patch to protect against exploiting a MIME vulnerability.The MIME Header Patch for IE can be downloaded from Microsoft.

Description of Virus

The Klez virus camouflages itself in a variety of ways:

  1. It can spoof the sender's email address, making it look like the email came from someone else who is NOT the infected party;
  2. There are at least 120 different "Subject" lines that may be used by the virus.One of the most common is "Some questions".
  3. It doesn't merely send out infected emails to those in the user's Outlook address book.It can grab email addresses from a variety of sources.

One variation that we have seen repeatedly throughout the day is a message that masquerades as a free immunity tool agains the Klez.E virus.We have received dozens of infected emails with the heading:

Subject: Worm Klez.E Immunity

Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

"Mail to me" appears as a hot link which, if executed, contains the virus. Note that unpatched version of IE cancause thee-mail attachment to execute bysimply opening or previewing the message in a vulnerable mail client resulting in infection of the victim machine.


Help Wanted -- Domain Name Czar

There should be a designated "domain name protector" within your institution -- someone who knows and understands which domain names you own, how to protect them, and can distinguish between legitimate domain-related correspondence and the growing variety of domain-related scams.

Recent scams, besides the one subject to today's FTC action, have been on the rise as we have reported in a previous alert. We give plenty of advice in past articles and GURU answers to help you stay alert.

Previous Tech Alerts:
04/11/02 Ten New Vulnerabilities Discovered in Microsoft IIS Server
04/09/02 New Virus Hoax Circulating Around Net
03/22/02 MyLife.B Virus Makes Its Way Around the Net
03/21/02 Microsoft Updates Its Warning on Critical Windows Vulnerability
03/14/02 New Virus (W32/Fbound-C) Spreading Rapidly in the Wild
03/08/02 Unauthorized E-Mail Scam Attempts to Steer Unwitting Customers to Fraudulent Bank Web Site
03/06/02 Klez-E Worm and W32.Gibe Virus Warnings
03/01/02 CERT Issues Warning on PHP Scripting Language Flaw
02/27/02 CERT Issues Warning on Internet Explorer and Outlook Flaw
02/22/02 SNMP Patches and Detection Tools Available
02/20/02 Email Address Belonging to Legitimate Security Site Hijacked to Deliver Dangerous Yarner Worm
02/15/02 Mass Mailing Email Worm Compromises Word 2000 Security Settings
02/07/02 Bloodhound Mass Mailing Worm and Managing Risks in Wireless Networks
02/04/02 Microsoft Issues Collection of Security Fixes for Windows 2000
01/31/02 Copycat Virus Unleashed
01/30/02 Netscape Browser Vulnerable to Cookie Theft
01/28/02 "My Party" Mass Mailing Worm
01/18/02 IT Contingency Planning Guide, Information Security Checklist and Solaris Vulnerability
01/15/02 Trojan.StartPage Alters Web Browsers
01/12/02 New Internet Worm Gigger Masquerades as Microsoft Outlook Upgrade
01/08/02 Microsoft Universal Plug and Play Vulnerability
12/20/01 Holiday Themed Computer Virus Unleashed

First published on 04/24/2002

Briefing type: 

Banker Tools View All

A collection of useful resources for various areas of the bank which have been developed by members of the BankersOnline staff or have been created and contributed by users of the BankersOnline site.

Banker Tools

Penalties View All

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Briefings

Briefing Archives