HomeSite Help - Blog Special Report #1


KLEZ history: January 2002 - July 2002

[Graph: KLEZ history, total observation period 2002-01 - 2002-07]

This graph shows my personal "observations" of emails sent by the KLEZ virus, starting with the first email received on 29 January 2001, and ending with 28 July 2002 when I stopped retrieving any mail from the account that was receiving practically all of it (and apart from that, only spam); this implies that the observations for 28 July are not complete since I stopped retrieving that email in the early evening, not at midnight: there would probably have been a few more that day.

The graph contains "stacked" counts for two groups of observations: mails sent by the virus to me (reddish colors) and mails sent out by the virus to someone else but with my address in the From: header, and which were brought to my attention in one way or another (blueish colors). The categories I used in detail:

Until about mid-April, there are only occasional observations, sometimes with more than a week without a single one. Then suddenly the number of emails increases dramatically, with only a slight leveling off after the seeming maximum in May. July seems to have a slightly lower level than June, but there still is no obvious downward trend: I fear this virus will keep doing the rounds for many more months. I had planned to keep observing until the mails decreased significantly, but by the end of July there was still no sign of even a slight downward trend - I'm afraid I just gave up.

Why the sudden increase in mid-April? I've seen no official explanation. Personally, I think many people fell into the trap of a new form of KLEZ emails (one of the ways KLEZ.H manifests itself) that appeared around that time with a subject like "Worm Klez.E immunity" and a body text like this:

Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

A clever bit of social engineering, and I fear many people fell for it. The first KLEZ mail of this form I received arrived on 18 April. And as you can see on the graph, it was precisely on 18 April that the number of emails received suddenly shot up, until a peak was reached early May with 32 mails on a single day. And according to Symantec, the 'H' variant of KLEZ was discovered on 17 April...

For some more background, see 'Hiding from viruses - Intermezzo' in the General Blog. Detail graphs per month can be found here: