W32/Klez, again .
Source: "Threat Lab News"
New variants of W32/Klez, variously referred to as G,H,K has been spreading at a slow but steady rate since the first detected in the early hours yesterday. The worm is still making progress and may corrupt files.
The Subject of the predominant variant has been changed to include one of
the following semi-random strings:
Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
or the following fixed strings:
how are you
let's be friends
so cool a flash,enjoy it
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
Consequently, little can be hooked by lexical analysis. However, as a long shot, a few of these may be added to worm.txt without too great a risk of false positive results.
Attachment names and message body text are random.
Several anti-virus vendors detect the variant without the need for new signature updates. However, we suggest that you check the capabilities of your vendor and apply updates if necessary.