W32/Klez, again.
Source: "Threat Lab News"
New variants of W32/Klez, variously referred to as G, H and K, have been spreading at a slow but steady rate since the first was detected in the early hours yesterday. The worm is still making progress and may corrupt files.
The Subject of the predominant variant has been changed to include one of the following semi-random strings:
Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
or the following fixed strings:
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
Consequently, little can be hooked by lexical analysis. However, as a long shot, a few of these may be added to worm.txt without too great a risk of false positive results.
Attachment names and message body text are random.
Several anti-virus vendors detect the variant without the need for new signature updates. However, we suggest that you check the capabilities of your vendor and apply updates if necessary.
Links:
http://www.sophos.com/virusinfo/articles/klezh.html
http://www.f-secure.com/v-descs/klez_h.shtml
http://www.kaspersky.com/news.html?id=560839
http://www.viruslist.com/eng/viruslist.html?id=4292
http://vil.nai.com/vil/content/v_99455.htm
http://www.norman.no/virus_info/w32_klez_g_mm.shtml
http://antivirus.about.com/library/weekly/aa041702a.htm
http://www.messagelabs.com/viruseye/threatlist.asp
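The lexical check the post refers to, matching incoming Subject lines against the listed strings while keeping the false-positive risk in view, as an added example in Python that is not part of the original post or its source. The fixed strings are compared exactly after whitespace normalisation and casefolding; each semi-random template becomes a regular expression with one word token per "[Random word]"; the split between high- and low-confidence fixed strings, the sample messages and the `classify_subject`/`scan_messages` names are this example's own assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Fixed Subject strings reported for the variant (stored casefolded so the
# comparison is case-insensitive).
FIXED_SUBJECTS = {
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl vs playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
}

# Fixed strings that legitimate mail also uses. Which ones belong here is a
# judgement call (an assumption made for this example); a match on them is
# reported as low confidence rather than treated as a sure hit.
HIGH_FP_RISK = {
    "how are you", "darling", "honey", "some questions", "please try again",
    "meeting notice", "questionnaire", "congratulations", "your password",
}

# The semi-random templates: each "[Random word]" is one word token.
WORD = r"[A-Za-z0-9'_-]+"
TEMPLATE_PATTERNS = [
    re.compile(rf'^(?:undeliverable|returned) mail--"{WORD}"$'),
    re.compile(rf"^a {WORD} {WORD} (?:game|tool|website|patch)$"),
    re.compile(rf"^{WORD} removal tools$"),
]


def normalise(subject):
    """Collapse whitespace and casefold so trivial variations still match."""
    return " ".join(subject.split()).casefold()


def classify_subject(subject):
    """Return (kind, confidence): kind is 'template', 'fixed' or None."""
    s = normalise(subject)
    for pattern in TEMPLATE_PATTERNS:
        if pattern.match(s):
            # The templates are distinctive enough to treat as high confidence.
            return ("template", "high")
    if s in FIXED_SUBJECTS:
        return ("fixed", "low" if s in HIGH_FP_RISK else "high")
    return (None, None)


def scan_messages(raw_messages):
    """Parse each RFC 822 message, decode its Subject and classify it."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = str(make_header(decode_header(msg.get("Subject", ""))))
        kind, confidence = classify_subject(subject)
        results.append((subject, kind, confidence))
    return results


# Constructed sample messages for demonstration; not real captures.
SAMPLE_MESSAGES = [
    'From: sender@example.invalid\nTo: you@example.invalid\n'
    'Subject: Undeliverable mail--"setup"\n\n(attachment omitted)\n',
    'From: sender@example.invalid\nTo: you@example.invalid\n'
    'Subject: Meeting notice\n\n(attachment omitted)\n',
    'From: colleague@example.invalid\nTo: you@example.invalid\n'
    'Subject: Quarterly budget review\n\nSee attached figures.\n',
    'From: sender@example.invalid\nTo: you@example.invalid\n'
    'Subject: a nice little tool\n\n(attachment omitted)\n',
]

if __name__ == "__main__":
    for subject, kind, confidence in scan_messages(SAMPLE_MESSAGES):
        verdict = kind or "no match"
        print(f"{subject!r:40} -> {verdict} ({confidence})")
```

The template matches are the part of the list that is safe to act on automatically; a hit on a fixed string such as "meeting notice" or "congratulations" is only a hint and should be combined with other evidence (for instance the attachment type) before mail is dropped.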