Aliz: The Second Attempt Finds Fertile Ground

20 Nov 2001
Virus News

Aliz, the Internet worm detected in May, has brought forth an epidemic

Kaspersky Lab, an international data-security software developer, warns users about the active spreading of the Internet worm, "Aliz." Reports of infection by this worm already have been reported in many countries throughout the world.

The worm's malicious code is spread via the Internet as an infected file attached to e-mail. The worm is a Windows attachment about 4K in length. An infected message contains:

Subject: varying
Body: empty HTML message
Attach: whatever.exe

The worm launches itself by taking advantage of a security flaw in the IFRAME e-mail client in the same way as the "Nimda" Internet worm. At the same time, the infected enclosure is automatically activated upon reading or viewing a message.

When an infected file is run, the unpacking routine takes control, unpacks the main worm code into the memory and jumps to it. The main code then sends infected messages to e-mail addresses found in WAB (Windows Address Book). To send e-mails, the worm connects by default to the SMTP server. The worm does not install itself to the system, and is not activated anymore, except in cases when a user clicks on an attached e-mail again. Namely, the worm is "one-time-only," and does not reveal its presence in the system. The worm's e-mail-spreading routine has several mistakes and flaws; therefore, it is incapable of spreading on the majority of e-mail client-server configurations.

"It is amazing that this virus could cause such a serious epidemic a full 6 months after having been detected. The reason for this is simple: users, as before, continue not to pay attention to the most basic computer-safety principles, falling in the same trap time and again. It is obvious that the many virus epidemics to date have not taught a basic lesson: a user should be extra careful with e-mail and install the proper patches thwarting security flaws in programs being used in a timely fashion," commented Eugene Kaspersky, Head of Anti-Virus research at Kaspersky Lab.

"Aliz" was detected and added to the Kaspersky Anti-Virus database on May 25, 2001. It is not necessary to update the anti-virus database in order to detect the latest "Aliz" version.