

Just the Other Day
by Lee Besing
Klez Virus causes hurt feelings
July, 2002

Just the other day, I was called by a customer complaining that I had sent him a virus-infected file. In fact, I did not send him the message with the infected file; it actually came from another customer who happened to have both my address and the complaining customer's address in his address book. This virus has caused more grief among my customers here in San Antonio than any other, judging by the volume of phone calls and messages my company has received. When the phone rings and the customer has a virus problem, chances are very good they were infected by this Klez virus.

The Klez virus is a mass-mailing e-mail worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names, so you cannot recognize it by any one subject or file name. There are currently nearly a dozen variants of this virus. I typically receive a handful of infected messages every day, and they have become easy to identify, even if my Norton AntiVirus had not already taken care of them for me automatically.

The worm exploits a vulnerability in the Internet Explorer component that Microsoft Outlook and Outlook Express use to display HTML mail, in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability have been available from Microsoft since March 2001, so a machine that is patched and has the preview pane turned off is not infected merely by receiving the message. The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587 (Symantec's designation).

The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes, thereby destroying the original content and preventing programs from running.

By now you are saying, "So? What's different about this?" What is different about this virus is how it works. Say you have 20 names in your Outlook Express address book and you get infected with this virus. The virus will try to send itself to all 20 names, from your address, in the hope that your friends will open mail from you because they know you. Then the virus takes address number 1, forges the From: line so that address appears to be the sender, and tries sending to all 20 addresses again. Then it uses address #2, #3, and so on. The person named in the From: line is therefore usually not the person whose computer is infected; the infected machine is simply one that had both addresses in its address book. I have received mail that was spoofed in such a manner, appearing to come from me, to me, but when I looked at the message headers I could see the IP address was not the one I normally use. If you reply to the sender to let them know you received an infected file, and the virus was spoofing addresses, you will not be telling the owner of the infected computer anything, because your message will go to the spoofed address instead.

Revealing the headers is a bit tricky and varies by e-mail program. In the latest Eudora 5.1 version, while you are reading a message, you have a button on the toolbar that says "blah". Clicking on that button reveals the full headers.

In Outlook Express 6.0, click on a message, then go to File, select Properties, and then click on Details to see the full headers. If you want to copy the source into another file, click on the Message Source button to open the message in a Notepad-like window that allows you to select, copy and paste the text with your mouse. Most of the virus-infected messages I have received have originated from a person using Outlook Express.

Look at the infected message's headers, write down the numeric IP address of the computer that handed the message to your provider's mail server (like the 204.152.187.123 address in the example), and then do the same for a normal message from that sender. See whether the two appear to be similar. Each mail server adds its own Received: line at the top of the headers, so the lines added by your own provider are the ones to trust; a worm can write anything it likes in the lines below them. If someone is on a dial-up account with their ISP, their IP address will change from call to call, but it will most likely fall within the same range of addresses their ISP hands out. Some DSL and cable customers have reported that their IP addresses seem to be rather stable, even though that is never promised by the Internet provider unless you pay extra for it.
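The header comparison described above, as an added example that is not part of the original column: it pulls the connecting-host addresses out of the Received: lines, keeps only the part of the chain that starts with the hop your own provider recorded, and compares a suspect message against a known-good one from the same sender. The two messages, the address ranges (192.0.2.0/24 for your own provider's servers, 198.51.100.0/24 and 203.0.113.0/24 for the two ISPs) and all host names are constructed for the example; nothing here is taken from a real Klez message.

```python
import email
import ipaddress
import re

# The bracketed literal an MTA records for the host that connected to it,
# e.g. "from relay (relay.example [198.51.100.5])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Your own provider's mail servers (constructed value).  A Received: line that
# records a connection from one of these was written by a server you trust.
MY_SERVERS = ["192.0.2.0/24"]

# Constructed sample 1: a Klez-style message.  From: claims to be your friend,
# but the chain shows it was injected through an unrelated ISP's dial-up.
SPOOFED_MSG = """\
Received: from smtp.otherisp.example (smtp.otherisp.example [203.0.113.5])
    by mx.myisp.example (Postfix) with ESMTP id 7D3A1F
    for <me@myisp.example>; Mon, 1 Jul 2002 08:41:02 -0500
Received: from unknown (dialup-77.otherisp.example [203.0.113.77])
    by smtp.otherisp.example with SMTP id 4F2C9
    for <me@myisp.example>; Mon, 1 Jul 2002 08:40:55 -0500
From: friend@example.net
To: me@myisp.example
Subject: a funny website

see the attachment
"""

# Constructed sample 2: a genuine message the same friend sent a few days earlier.
BASELINE_MSG = """\
Received: from mail.example.net (mail.example.net [198.51.100.5])
    by mx.myisp.example (Postfix) with ESMTP id 19BC02
    for <me@myisp.example>; Fri, 28 Jun 2002 19:02:11 -0500
Received: from friend-pc (dialup-200.example.net [198.51.100.200])
    by mail.example.net with SMTP id 8A1E0
    for <me@myisp.example>; Fri, 28 Jun 2002 19:02:05 -0500
From: friend@example.net
To: me@myisp.example
Subject: Re: lunch

see you Friday
"""


def received_chain(raw_message):
    """Connecting-host IP from each Received: line, nearest to you first.
    Servers prepend their line, so header order is the delivery path in
    reverse.  None where a line carries no bracketed address."""
    msg = email.message_from_string(raw_message)
    chain = []
    for line in msg.get_all("Received", []):
        m = _IP_RE.search(line)
        chain.append(m.group(1) if m else None)
    return chain


def origin_path(raw_message, my_servers=MY_SERVERS):
    """The part of the chain worth reading: from the first hop outside your
    own provider (recorded by your provider, so hard to forge) down to the
    deepest hop (claimed by the remote side, so possibly fabricated)."""
    trusted = [ipaddress.ip_network(n) for n in my_servers]
    chain = received_chain(raw_message)
    for i, ip in enumerate(chain):
        if ip is None or not any(ipaddress.ip_address(ip) in n for n in trusted):
            return chain[i:]
    return []


def same_range(ip_a, ip_b, prefix=24):
    """The column's "same sequence of addresses" test: two dial-up
    addresses count as similar when they fall in the same /24."""
    if ip_a is None or ip_b is None:
        return False

    def net(ip):
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    return net(ip_a) == net(ip_b)


def compare_sender(suspect_raw, baseline_raw, my_servers=MY_SERVERS):
    """Compare a suspect message with a known-good one from the same sender.
    The relay (first untrusted hop) should be identical and the originating
    host should sit in the same range.  If neither holds, the From: line was
    most likely forged by a Klez-type worm on someone else's machine."""
    suspect = origin_path(suspect_raw, my_servers)
    baseline = origin_path(baseline_raw, my_servers)
    relay_match = bool(suspect) and bool(baseline) and suspect[0] == baseline[0]
    origin_match = same_range(suspect[-1] if suspect else None,
                              baseline[-1] if baseline else None)
    return {
        "claimed_from": email.message_from_string(suspect_raw)["From"],
        "suspect_path": suspect,
        "baseline_path": baseline,
        "relay_match": relay_match,
        "origin_same_range": origin_match,
        "likely_spoofed": not (relay_match or origin_match),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare_sender(SPOOFED_MSG, BASELINE_MSG), indent=2))
```

Running the block prints the comparison for the two constructed messages: the suspect message reached your provider from 203.0.113.5 and claims to originate at 203.0.113.77, while every real message from that friend comes through 198.51.100.5 from a 198.51.100.x dial-up, so the From: line is flagged as forged. The /24 test is only a rule of thumb; a provider that hands out addresses from several blocks will produce false alarms, and the cure is to keep more than one baseline message per sender.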

Don't get your feelings hurt if someone accuses you of having an infected computer. If you know your anti-virus definitions are current within a few days or a week, and you have been stopping inbound Klez viruses in your own mail, then you are not likely to be the one with the infected computer. But if someone tells you about this and you have never seen a warning message from your anti-virus program, you might want to download the free removal tool from Symantec or another vendor just to test your computer. And then you might want to update your anti-virus program, or buy a newer version of it, as soon as possible.

Next month I plan to discuss how to get rid of your old computers in a safe, legal and environmentally friendly manner. Did you know that the city's trash pickup folks aren't supposed to pick up certain computer components? Of course, my experience has been that anything put out on the sidewalk overnight, especially with a "for sale" sign on it, will disappear within a few days at the most. One man's trash is another man's treasure, apparently.
Lee Besing is the owner of Computer Solution Experts, a consulting firm that provides on-site service and support for PC computers and networks.