-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Marck,

Monday, December 25, 2000, 8:20:20 PM, you wrote:

MDP> Hi Allie,

MDP> On 26 December 2000 at 19:31:54 -0500 (which was 00:31 where I
MDP> live) A . Curtis Martin wrote and made these points:



ACM>> I don't think Marck is or ever was saying that anti-virus
ACM>> software is superfluous. He was simply saying that TB! will not
ACM>> infect your machine with a virus unless you specifically
ACM>> intervene by running the virus. TB! will not execute malicious
ACM>> java script in HTML e-mail. That's all he was saying.



This may be totally off topic. It still goes to a security hole in
Outlook Express, but this is a virus that does not have to be executed
by clicking. Just reading with Outlook activates the virus - sorry if
MDP>
MDP> Wscript.KakWorm
MDP> VBS.KakWorm spreads using Microsoft Outlook Express. It attaches
MDP> itself to all outgoing messages via the Signature feature of Outlook
MDP> Express and Internet Explorer newsgroup reader.
MDP>
MDP> The worm utilizes a known Microsoft Outlook Express security
MDP> hole so that a viral file is created on the system without having to
MDP> run any attachment. Simply reading the received email message will
MDP> cause the virus to be placed on the system.
MDP>
MDP> Microsoft has patched this security hole. The patch is available
MDP> from Microsoft's website. If you have a patched version of Outlook
MDP> Express, this worm will not work automatically.
MDP>
MDP> Also known as: VBS.Kak.Worm, Kagou-Anti-Krosoft
MDP>
MDP> Category: WORM
MDP>
MDP> Infection length: 4116 Bytes
MDP>
MDP> Virus definitions: December 30, 1999
MDP>
MDP> Threat assessment:
MDP>
MDP> Damage: MEDIUM
MDP> Distribution: HIGH
MDP> Wild: HIGH
MDP>
MDP> Wild
MDP>
MDP> Number of infections: More than 1000
MDP> Number of sites: 3-10
MDP> Geographical Distribution: High
MDP> Threat containment: Medium
MDP> Removal: Medium
MDP>
MDP> Damage
MDP>
MDP> Payload: Modifies the registry keys and shuts down Windows
MDP> Payload trigger: First of any month at 5pm
MDP> Degrades performance: Shuts Down Windows
MDP>
MDP> Distribution
MDP>
MDP> Size of Attachment: 4116 bytes
MDP> Target of infection: Microsoft Outlook Express, Internet
MDP> Explorer Usenet Newsreader
MDP>
MDP> Technical description
MDP>
MDP> The worm appends itself to the end of legitimate outgoing
MDP> messages as a signature. When receiving the message, the worm will
MDP> automatically insert a copy of itself into the appropriate StartUp
MDP> directory of the Windows operating system for both English and French
MDP> language versions. The file created is named KAK.HTA.
MDP>
MDP> The worm utilizes a known Microsoft Outlook Express security
MDP> hole, Scriptlet.Typelib, so that a viral file is created on the
MDP> system without having to run any attachment. Simply reading the
MDP> received email message will cause the virus to be placed on the
MDP> system.
MDP>
MDP> Microsoft has patched this security hole. The patch is available
MDP> from Microsoft's website. If you have a patched version of Outlook
MDP> Express, this worm will not work automatically.
MDP>
MDP> HTA files are executed by current versions of Microsoft Internet
MDP> Explorer or Netscape Navigator. The system must be rebooted for this
MDP> file to be executed. Once executed, the worm modifies the registry
MDP> key:
MDP>
MDP>
MDP> HKCU/Identities/<Identity>/Software/
MDP> Microsoft/Outlook/Express/5.0/signatures
MDP>
MDP> in order to add its own signature file, which is the infected
MDP> KAK.HTA file. This causes all outgoing mail to be appended by the
MDP> worm. In addition, the registry key:
MDP>
MDP>
MDP> HKLM/Software/Microsoft/Windows/
MDP> CurrentVersion/Run/cAgOu
MDP>
MDP> is added which causes the worm to be executed each time the
MDP> computer is restarted.
MDP>
MDP> Finally, if it is the first of the month and the hour is 17
MDP> (5:00pm), the following message is displayed:
MDP>
MDP>
MDP>  Kagou-Anti-Kro$oft says not today!
MDP>
MDP> and Windows is sent the message to shutdown.
MDP>
MDP>
MDP>
MDP> Write-up by: Eric Chien
MDP> Dec 30, 1999
MDP>
this is rather long and drawn out for my first post.

- --
Best regards,
 John                            mailto:[EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQA/AwUBOkf6ZsApKueQa7yhEQIWigCg7NH4Npx3ss5Ouoa/SQGvmLoXJ/AAn04h
p6+gPKrlbnCgRZwerKI8I/Df
=Ae0m
-----END PGP SIGNATURE-----
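
The persistence artifacts named in the quoted write-up (KAK.HTA in a StartUp directory, the cAgOu Run value, a KAK.HTA signature file under the Outlook Express signatures key) can be checked for in a registry export and a file listing. The following is an added example, not part of the original message or the write-up; the function names, the .reg-export input format and the sample data are assumptions constructed for illustration.

```python
import re

# Indicators named in the quoted write-up: dropped file and Run value name.
DROPPED_FILE = "kak.hta"
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUE = "cagou"
PAIR = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="data"

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := PAIR.match(line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_kak_indicators(reg_text, startup_files):
    """Return (kind, detail) pairs for each indicator present."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k.endswith(RUN_KEY) and name.lower() == RUN_VALUE:
            hits.append(("run-value", f"{key}\\{name} -> {data}"))
        # Loose match: the write-up prints this key with "/" separators,
        # so only its stable fragments are compared (an assumption).
        in_sig_key = "\\identities\\" in k and "\\5.0\\signatures" in k
        if in_sig_key and basename(data) == DROPPED_FILE:
            hits.append(("oe-signature", f"{key}\\{name} -> {data}"))
    hits += [("startup-file", p) for p in startup_files if basename(p) == DROPPED_FILE]
    return hits

# Constructed sample input, not taken from a real machine.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\example.hta"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"file"="C:\\WINDOWS\\kak.hta"
'''
SAMPLE_STARTUP = [r"C:\WINDOWS\Start Menu\Programs\StartUp\KAK.HTA", r"C:\WINDOWS\notes.txt"]

if __name__ == "__main__":
    print(*find_kak_indicators(SAMPLE_REG, SAMPLE_STARTUP), sep="\n")
```

The Run value is matched by name only, since the write-up does not say what data it holds.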


