[Dshield] RE:Question about Klez

James C. Slora, Jr. Jim.Slora at phra.com
Fri Jul 12 22:52:15 GMT 2002


"Mercy" wrote on Thu, 11 Jul 2002 14:16:53 -0400:

>I received an email today wich did not contain an attachment.  My mail
>program opens up the mail on the bottom of the list first, and when it
>did that, my norton poped up saying that the email contained a file
>named unknown093e.data, and that it was Klez.

Your system probably needs to have MS02-027 applied. Outlook or Outlook
Express should have stopped execution of Klez before Norton had a chance to
scan it when you looked at the message. In my experience you should get at
least two prompts before Norton gets to detect the virus.

>I just did a full system scan last night on my computer.  Nothing was
>found.

Norton AntiVirus will find most (but not all) variations of Klez as they
arrive in your email if you are using Outlook. If you use Outlook Express,
Norton does not scan for viruses until you open the message and save the
infected attachment or open it. Klez sometimes uses a trick called an
"iframe exploit" to cause the attachment to open itself without your
intervention as soon as you preview the message. In this case, Norton will
not catch the virus until it attempts to perform certain tasks such as write
a file on your computer - thus sometimes Norton will alert you to two
infected files when only one arrived in your message.

Infected messages sitting in your Inbox will not generally be detected by
anti-virus programs. They generally either catch the infections during
delivery or when you open the message. Some variants of Klez easily bypass
the scanning that occurs during delivery, because they are not really
attachments.

>How could I have gotten Klez from her without an attachment?

Klez and some other worms can sometimes arrive as embedded content that is
not technically an attachment. They use tricks in the way that they are
stored inside the mail message to avoid detection by anti-virus and mail
screening programs.

Embedded content is really a superset of all attachments and inline content.
It can be regular MIME or UUencoded content. Embedded just means that the
content is actually transmmitted with the original message. Attachments and
inline attachments are varieties of embedded content.

Some examples of embedded content:

Attachment - message listing shows an attachment and message preview shows
an attachment:
"Content-Disposition: attachment"

Inline Attachment - message listing shows an attachment, but message preview
shows none because the content is displayed within the HTML of the mail
message:
"Content-Disposition: inline"

Embedded content (generic), as used by Klez - Outlook will show no
indication of the existence of the content, but Outlook Express will show an
attachment icon for it:
"Content-ID: <(a unique alphanumeric identifier)>"


Example of One Type of Klez Message - Embedded Content (Not Attachment)
===================================================================
;;; The beginning of the message, just after the mail headers

--EiRO505k97vHjE52392
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

;;; The text portion of the worm's message (blank in this case)

;;; Then an IFRAME to help the worm bypass auto-execute prevention in
;;; moderately patched Outlook, Outlook Express, and Eudora.

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:L3dzGTvPf47B9zv height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

;;; This next part identifies the content that will be placed in the IFRAME.
;;; It is this content declaration that makes the worm generic "embedded
content" instead of an attachment.

--EiRO505k97vHjE52392
Content-Type: audio/x-wav;
	name=Nl.scr ;;;(This is where your "unknown093e.data" might be specified)
Content-Transfer-Encoding: base64
Content-ID: <L3dzGTvPf47B9zv>

;;; then the worm begins, MIMEbase64-encoded)


Example of a Hybris-Infected Message - Standard Attachment:
============================================================================
=========
Compare against Hybris, which uses a plain vanilla attachment to infect its
victims.

Return-Path: <>
From: Hahaha <hahaha at sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!

;;; Declaration that there is mixed content, including inline or regular
attachments

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE56NG9E3CL2R"

----VE56NG9E3CL2R
Content-Type: text/plain; charset="us-ascii"

;;; The text portion of the worm's message (omitted here)
;;; Then the attachment declaration

----VE56NG9E3CL2R
Content-Type: application/octet-stream; name="midgets.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="midgets.scr"

;;; then the worm begins, MIMEbase64-encoded)

>Also, it was a legitimate email, not one that would have been
>automatically sent by the virus.

Klez uses random content for its message, and can attach non-viral files
from the sender's system in addition to the virus.

Klez can send some very legitimate-looking email messages on its own. Also,
copies of Klez that were infected with other viruses have arrived on my
network. When one virus infects another, some strange things can happen.
There are a lot of other possibilities - definitely get your contact to
check their PC out thoroughly.

Remember that Klez often fakes the sender's address. The "Return-to" field
in the message header often indicates the true source.

- Jim




More information about the list mailing list