There are some REAL mean script viruses out there these days that embed in
HTML...

Everyone's best bet is to go to Microsoft's website and get the numerous
patches that are available.  People with dial-up modems are especially at
risk for a very unique virus embedded on some linked auto pop-up websites
that 1) drop a script into your /windows/ directory, 2) execute this script
which 3) disconnects you from the internet and 4) dials up to a foreign
country.  This script is often masked by an "infinite" number of websites
which pop up and cascade across your screen, keeping you distracted while
the real script is executing.  Theoretically, one can program a time-based
executable script that would wait until, say 3:00am when you are deep asleep
to dial out.  I think the initial idea behind the "infinite" pop-up windows
was to crash Norton and McAfee's auto-protect feature, lock up internet
explorer and force you to reboot the machine.

In fact, I don't think I've installed ANY of the patches on this new
machine!

When you install the internet explorer patch, the "virus" still drops into
your windows dir and it still tries to run, but the patch prevents the
script from actually executing.  The Outlook patch does the same thing.





----- Original Message -----
From: M. G. Devour <mdev...@eskimo.com>
To: <silver-list@eskimo.com>
Sent: Sunday, March 25, 2001 6:36 AM
Subject: CS>Virus Alerrt -- List Owner Analysis


> Brita wrote:
> > I thought Mike D had put in a fix for it already.  Yikes, what an ugly
> > bug showed up on my screen.  But not for long.
>
> Okay, it took me a while to find out where this bug came from. Yes, it
> was the post from Nancy, dbl...@cfl.rr.com, to the "Personal
> Experience Update" thread.
>
> The bug is an embedded Visual Basic script in the HTML portion of
> Nancy's e-mail.
>
> She's using Microsoft Outlook Express and has HTML formatting turned
> on. This allows Outlook to embed one copy of the message in one part
> of the MIME multipart message, labeled "Content-Type: text/plain" ...
>
> ... followed by another copy of her message identified as
> "Content-Type: text/html" ... this one formatted in HTML, which adds
> *LOTS* of size and no informational value to her message, but allows
> her to use bold, italics, various fonts and character sizes, colors
> and whatever, if she chooses.
>
> Unfortunately, HTML formatting also permits the message to contain an
> executable script, embedded invisibly right along with the text of her
> message, contained within <script>... </script> tags. Everything in
> between appears to my untrained eye to be a Visual Basic Script
> ActiveX control which seems, at least, to modify autoexec.bat and add
> lines to the registry.
>
> I also understand from further study that it mucks around with Outlook
> Express settings as well, making a copy of itself the default signature
> file for messages you send out using Outlook, thus assuring its
> propagation to other systems.
>
> You can get more info about this worm at the following URL:
>
> http://www.antivirus.com/pc-cillin/vinfo/
>
> Kakworm is one of the "top 10 viruses" in the list, or you can enter
> kakworm.a in the search window...
>
> Brita wrote:
> > I thought Mike D had put in a fix for it already.
>
> I've blocked parts of a multipart message which contain executables,
> batch files, scripts and the like. I haven't done anything to block
> embedded scripts like this. In fact it's the first example I've seen of
> the fabled "malicious HTML" they've always warned us about.
>
> I didn't get the bug because my mail reader always asks if I want to
> view HTML messages in the browser or as plain text. I always choose
> text. Outlook Express users are not so lucky, as the default
> configuration displays the message in the "preview" window, which, due
> to a gaping security flaw, actually allows the script to execute and
> infect the system.
>
> I believe that the most current updates to Outlook Express and
> Internet Explorer plug this security hole, but everybody who has *not*
> visited the Microsoft Update web site on a regular basis is still
> vulnerable (which I imagine is most people).
>
> Can anybody give us concise instructions for upgrading our security
> settings to make it less likely to catch this sort of bug?
>
> I'll start doing some digging to see if I can find or build a procmail
> script to strip out embedded scripts from HTML, or maybe tackle the
> job of dumping HTML entirely, tho that's a whole 'nuther level of
> complexity, so I hear, given the inglorious profusion of incompatible
> variations on all the standards.
>
> Once again, this foolishness is brought to you by the highly competent
> and skilled programmers at Microsoft... <sigh>
>
> Be well,
>
> Mike Devour
> silver-list owner
>
> [Mike Devour, Citizen, Patriot, Libertarian]
> [mdev...@eskimo.com                        ]
> [Speaking only for myself...               ]
>
>
> --
> The silver-list is a moderated forum for discussion of colloidal silver.
>
> To join or quit silver-list or silver-digest send an e-mail message to:
> silver-list-requ...@eskimo.com  -or-  silver-digest-requ...@eskimo.com
> with the word subscribe or unsubscribe in the SUBJECT line.
>
> To post, address your message to: silver-list@eskimo.com
> Silver-list archive: http://escribe.com/health/thesilverlist/index.html
> List maintainer: Mike Devour <mdev...@eskimo.com>
>
>