Site Updated on 11/14/05

Bo's Computer and Web Security
Klez worm variant tops virus chart
The latest and friskiest versions of the Klez worm were
by far the most active computer threat last month, according to a new report from British
antivirus company Sophos. The Klez.g and Klez.h worms were responsible for 77.8 percent of
all virus infections in April, according to the report.
A C|Net.com report
KLEZ ARRIVES IN FORCE
WHAT KLEZ DOES
BLAME IT ON INTERNET EXPLORER!
    WHICH VERSIONS OF IE
    WHO IS SAFE?
WHAT TO DO - PREVENTATIVE MEDICINE
WHAT ABOUT OTHER BROWSERS?
CONFUSED? SO IS MICROSOFT!
KLEZ ARRIVES IN FORCE
Even though it's been around since last year, the Klez family of email viruses has spread
a lot in the last few days. The major anti-virus companies have upgraded their rating of
the threat and news of this nastie has made its way into the mainstream media.
Unlike most viruses, this one does NOT need you to open an email attachment; just opening or previewing the message in Outlook or Outlook Express is enough in the right circumstances.
This isn't a theoretical virus, it's very real.
Despite the threat against their products you won't find anything directly relevant on the Microsoft web site unless you know the code words - and even then you have to check the fine print.
Given the situation and lack of direct information from Microsoft I got a headache
trying to find out what was going on. So I delegated the whole thing to Peter Deegan (This
is a Woody's Windows Watch Report-WOW)
who is a past master at divining glimmers of fact from behind the obfuscation that
Microsoft employs.
WHAT KLEZ DOES
The Klez virus variants work by fooling Windows into running an email
attachment as soon as you read or preview the message. That means the normal advice to
avoid email attachments isn't enough.
This vulnerability has been known since at least May 2001, and the possibility of viruses spreading just by reading a message was known long before that. As a result, some of the patches from Microsoft have slowed the spread of this virus; however, as events of the last few days have proved, not enough computers have been protected.
Klez will spread itself to other email addresses it finds in your Windows address book, ICQ lists and files you have saved to your hard drive.
The messages it generates can have a variety of subject lines, body
text and attachments. There's no use trying any simplistic protection method against
messages with certain names or files; you need to make sure your copy of Internet
Explorer, and occasionally Outlook Express, is updated.
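The Microsoft article this report cites is headed 'Incorrect MIME Header can cause IE to execute e-mail attachment', so the structural sign is a message part whose declared media type disagrees with its file extension, whatever the subject line or file name says. The following is an added example, not part of the original report: a mail-gateway style check for that mismatch. The extension and type lists, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Assumed lists for illustration; a real gateway would maintain its own.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}
PASSIVE_MAIN_TYPES = {"audio", "image", "video"}


def mismatched_parts(raw: bytes):
    """Return (declared_type, filename) for every attachment that declares a
    passive media type but carries an executable file extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition, then Content-Type "name".
        name = (part.get_filename() or "").strip().rstrip(".").lower()
        ext = os.path.splitext(name)[1]
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in PASSIVE_MAIN_TYPES:
            findings.append((part.get_content_type(), name))
    return findings


def build_sample(content_type: str, filename: str) -> bytes:
    """Constructed test message: HTML body plus one placeholder attachment."""
    return (
        "From: a@example.test\r\nSubject: any subject\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="B1"\r\n\r\n'
        "--B1\r\nContent-Type: text/html\r\n\r\n<p>hello</p>\r\n"
        f'--B1\r\nContent-Type: {content_type}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--B1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for ctype, fname in [("audio/x-wav", "song.exe"),
                         ("image/jpeg", "photo.jpg"),
                         ("application/octet-stream", "setup.exe")]:
        print(ctype, fname, "->", mismatched_parts(build_sample(ctype, fname)))
```

An attachment honestly declared as application/octet-stream is not flagged here; it is covered by the usual attachment handling, while this check targets only the type/extension disagreement.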
BLAME IT ON INTERNET EXPLORER!
While the virus is spread by email, it is neither Outlook nor Outlook
Express that is to blame - it is your copy of Internet Explorer that needs fixing.
Why Internet Explorer? Outlook and Outlook Express use IE to display HTML formatted email messages. When you look at an HTML message in the preview pane or open message window you're actually looking at a browser window. So any vulnerability of Internet Explorer is 'inherited' by the email program.
Don't worry about what version of Outlook or Outlook Express you have - it is your
browser that may need fixing.
WHICH VERSIONS OF IE
According to Microsoft only computers with these versions are vulnerable:
Internet Explorer 5.01 (unless you have Service Pack 2)
Internet Explorer 5.5
But if you look in the fine print you'll also find that Internet Explorer 6 can still be vulnerable! If you have:
I don't know about you but I can't remember what I installed yesterday, let alone the install option I might have chosen a year or more ago! Thankfully some more digging on the Microsoft web site will reveal an answer:
The problem with the minimal or custom installs is that they don't update Outlook
Express. If you think you might be in the above group then open up Outlook Express and
check the version number; if it starts with a 5 then you need to reinstall IE 6 with either
Typical or Full options - the download page is here:
http://www.microsoft.com/windows/ie/downloads/ie6/default.asp
WHO IS SAFE?
Windows XP users are safe (they have a complete IE6 package as part of the
operating system).
Windows NT 4 and Windows 2000 users with IE 6 are also safe (there's no minimal or custom upgrade option when moving to IE 6, so Outlook Express is always updated).
Users of Internet Explorer 5.01 with Service Pack 2 (check Help | About screen) are OK.
WHAT TO DO - PREVENTATIVE MEDICINE
These patches are available:
Internet Explorer 5.01
http://www.microsoft.com/windows/ie/download/critical/q295106/default.asp
Internet Explorer 5.5
http://www.microsoft.com/windows/ie/download/critical/q299618/default.asp
If you've been checking Windows Update occasionally (in IE, Tools | Windows Update) then you may have already applied these patches.
You might decide this is the time to switch to Internet Explorer 6 - it is a large download but it has been out for some time now and is pretty stable. If you choose this route then make sure you choose either the Typical or Full install options.
Naturally you should make sure your anti-virus software is up to date with the latest virus information.
If you've been infected with a Klez virus already you'll have to remove it. Symantec
have a removal tool and manual instructions for removal:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
WHAT ABOUT OTHER BROWSERS?
You might be sitting back with a smug feeling knowing that you use Netscape,
Opera or some other browser. Think again.
For starters, even if you've selected another program as your default browser, IE is still lurking on your computer and is used by Outlook and Outlook Express to display messages. So even if you don't use it directly, you have to make sure IE is patched.
In the short time we've had to prepare this issue we've not been able to establish the
possibility of a Netscape vulnerability. Since Netscape's Messenger email program uses the
Netscape browser to display messages it is theoretically possible. We suggest you ensure
you have the latest updates for your browser as a precaution. This
is Netscape version 6.2.2.
CONFUSED? SO IS MICROSOFT!
If you think all of the above is an awful mess, you're right.
You might think that an email virus that targets Microsoft's operating system / browser would be worthy of a mention to their customers. You'd be wrong.
You can be sure that many naive people would turn to the Microsoft company web site for help. They only find assistance if they know (by telepathy presumably) that an article headed 'Incorrect MIME Header can cause IE to execute e-mail attachment' is what they need. Even then that article isn't clear and doesn't mention 'Klez' or viruses - the intention is to be obscure and minimize the company's responsibility.
It would be foolish to think that checking a simple version number on the Help | About screen would be enough. Sure they could set up their software so that you could simply say 'version nn.nnnn and above is safe' - but not Microsoft.
The possible IE 6 vulnerability mentioned above wasn't revealed by Microsoft until last September and even then is just a footnote in their technical details. Most people would look at the list of vulnerable products at the top (only IE 5.01 and 5.5) and not realize they could be at risk.
Even under the heading 'Does this vulnerability affect IE 6?' it commences with an emphatic 'No' and then proceeds to qualify that without getting near the specific point. You have to jump to another Knowledge Base article to find what you need, like the version of Outlook Express to look for.
Even that explanation isn't consistent with other parts of the MS web site. It lists Windows 95 as potentially vulnerable but elsewhere Windows 95 is omitted because it can't support an IE 6 upgrade!
So don't worry if you get confused, it's not you, it's the tangled web of versions,
upgrades, updates and patches that Microsoft has foisted on you. Be reassured and more
than a little scared that even the highly paid experts at Microsoft can't get the story
straight.