Worm Threat Appears to be Contained

Symantec says it considers the Klez.e worm a relatively low threat, though a spokesperson says the company has received many calls from clients who have encountered it.

The worm was set to cause havoc on Wednesday, according to several well-publicized alerts. But for the most part, damage doesn't seem to be widespread. Nonetheless, Symantec upgraded the risk factor from a level two to a three out of a possible five because so many clients had encountered it.

The worm can delete files, halt the work of security programs, and spread itself when an infected e-mail is opened. According to Symantec's alert, the worm exploits a vulnerability in Microsoft Outlook and Outlook Express as it tries to execute itself when a message is opened in which it is contained.

While there seems to heightened public awareness of these kind of attacks, Vincent Weafer, a senior director at Cupertino, California-based Symantec, says there aren't many more viruses or worms than in recent years. About seven new viruses or worms enter the world every day, which is only up from five per day a few years ago.

"It is increasing very slowly," Weafer says. "At any given time there are between 200 to 250 viruses in the wild. But [the numbers] have been growing very slowly over the last couple of years."

Lasting Longer

Weafer says the greater connectivity and the widespread use of Digital Subscriber Lines tend to lead to the perception that there are more attacks being launched than ever before. He says that because there are more people using the global connectivity of the Web, viruses tend to hang around longer, which also leads to the perception that there are more of them.

As for why so many worms seem to target Outlook, he says it's a simple case of "hammering a known vulnerability." As more people deploy patches, attackers will use other paths. He also thinks that more attackers will rely less on social engineering to spread viruses and try to make the viruses themselves look for ways to spread.

The Klez.e worm's use of its Simple Mail Transfer Protocol engine is an example of this, Weafer says.

Marty Lindner, team leader for incident handling at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, says he hasn't heard much about the Klez.e worm. CERT hasn't issued an alert or a bulletin, he says.