[NHCOLL-L:550] Norton Antivirus info on recent virus Wscript.KakWorm.html

Gerald Noonan carabid at mpm.edu
Thu Apr 20 16:09:41 EDT 2000


         If things work correctly, this message will have an attachment 
which shows the Norton antivirus information about the recent virus. I've 
also pasted in below text from the antivirus information page. If I 
understand things correctly, if your antivirus system did not remove the 
virus, and you read the e-mail, you may have the virus on your computer. 
I'm not certain, though, whether the incoming virus requires (to be able to 
install itself) that you have read the mail with Microsoft Outlook Express 
or simply that you have on your computer a version of this program that is 
not properly protected. It does seem very clear that you cannot conclude that 
current normal operation of the computer means you are virus free. The 
virus activates itself at 5 PM on the first of each month and sends 
commands to your computer to stop running Windows.


VBS.KakWorm spreads using Microsoft Outlook Express. It attaches itself to 
all outgoing messages via the Signature feature of Outlook Express and 
Internet Explorer newsgroup reader.
The worm utilizes a known Microsoft Outlook Express security hole so that a 
viral file is created on the system without having to run any attachment. 
Simply reading the received email message will cause the virus to be placed 
on the system.
Microsoft has patched this security hole. The patch is available from 
Microsoft's website. If you have a patched version of Outlook Express, this 
worm will not work automatically.

The worm appends itself to the end of legitimate outgoing messages as a 
signature. When receiving the message, the worm will automatically insert a 
copy of itself into the appropriate StartUp directory of the Windows 
operating system for both English and French language versions. The file 
created is named KAK.HTA.
The worm utilizes a known Microsoft Outlook Express security hole, 
Scriptlet.Typelib, so that a viral file is created on the system without 
having to run any attachment. Simply reading the received email message 
will cause the virus to be placed on the system.
Microsoft has patched this security hole. The patch is available from 
Microsoft's website. If you have a patched version of Outlook Express, this 
worm will not work automatically.
HTA files are executed by current versions of Microsoft Internet Explorer 
or Netscape Navigator. The system must be rebooted for this file to be 
executed. Once executed, the worm modifies the registry key:
HKCU\Identities\<Identity>\Software\Microsoft\Outlook Express\5.0\signatures
in order to add its own signature file, which is the infected KAK.HTA file. 
This causes all outgoing mail to be appended by the worm. In addition, the 
registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu
is added which causes the worm to be executed each time the computer is 
restarted.
Finally, if it is the first of the month and the hour is 17 (5:00pm), the 
following message is displayed:
  Kagou-Anti-Kro$oft says not today!
and Windows is sent the message to shutdown.
Removal:
Delete the following file: KAK.HTA
Delete the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu

Write-up by: Eric Chien
Dec 30, 1999


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.yale.edu/mailman/private/nhcoll-l/attachments/20000420/1434c632/attachment.html 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.yale.edu/mailman/private/nhcoll-l/attachments/20000420/1434c632/attachment-0001.html 
-------------- next part --------------
*************************************************
* Gerald R. Noonan Ph.D., Curator of Insects,   *
* Milwaukee Public Museum                       *
* 800 W. Wells                                  *
* Milwaukee, Wisconsin 53233                    *
* carabid at mpm.edu                            *
* voice (414) 278-2762                          *
* fax (414) 278-6100                            *
*************************************************
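The Norton write-up pasted above names three artefacts a KakWorm infection leaves behind: a KAK.HTA file in the Windows StartUp folder, a "cAgOu" value under the HKLM Run key, and an Outlook Express signature entry pointing at the KAK.HTA file. The script below is an added example (not part of the original message or of Symantec's write-up) that checks for those indicators offline, over text in the layout of a regedit export and over a list of file paths. The sample export and path list are constructed for the example; the layout of the signature subkey (name/type/file values) and the French folder name "Démarrage" are assumptions, since the write-up only says the StartUp directory is used for English and French Windows.

```python
import re
from typing import Dict, List

# Indicators taken from the write-up above.
KAK_FILE = "kak.hta"
RUN_VALUE = "cAgOu"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# The per-identity Outlook Express signature key; identities are GUID subkeys.
SIG_KEY_RE = re.compile(
    r"^hkey_current_user\\identities\\[^\\]+\\software\\microsoft\\outlook express\\5\.0\\signatures"
)
# StartUp folder names to look for; "démarrage" is an ASSUMED French name.
STARTUP_DIRS = ("startup", "démarrage")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"="data" layout of a regedit export.

    Keys and value names are lower-cased for case-insensitive lookup.
    Quoted string data has its escaped backslashes unescaped; other data
    types (dword:, hex:) are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        keys[current][name.lower()] = data
    return keys


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per KakWorm registry artefact present in the parsed export."""
    findings = []
    run = keys.get(RUN_KEY, {})
    if RUN_VALUE.lower() in run:
        findings.append(f"Run value {RUN_VALUE} -> {run[RUN_VALUE.lower()]}")
    for key, values in keys.items():
        if SIG_KEY_RE.match(key):
            for name, data in values.items():
                if KAK_FILE in data.lower():
                    findings.append(f"Outlook Express signature {key}\\{name} -> {data}")
    return findings


def check_startup(paths: List[str]) -> List[str]:
    """Every path that is KAK.HTA inside a StartUp folder (any casing)."""
    findings = []
    for p in paths:
        parts = p.lower().replace("/", "\\").split("\\")
        if parts[-1] == KAK_FILE and any(d in STARTUP_DIRS for d in parts[:-1]):
            findings.append(p)
    return findings


def scan(reg_text: str, paths: List[str]) -> List[str]:
    return check_registry(parse_reg_export(reg_text)) + check_startup(paths)


# CONSTRUCTED sample export (not a real capture) with both registry artefacts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAgOu"="C:\\WINDOWS\\SYSTEM\\kak.hta"

[HKEY_CURRENT_USER\Identities\{A1B2C3D4-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\signatures]
"Default Signature"="00000000"

[HKEY_CURRENT_USER\Identities\{A1B2C3D4-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000002
"file"="C:\\WINDOWS\\kak.hta"
'''

# CONSTRUCTED file listing: two StartUp copies, one unrelated shortcut, one
# copy outside StartUp (the write-up only ties the StartUp copy to autostart).
SAMPLE_PATHS = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk",
    r"C:\WINDOWS\Menu Démarrer\Programmes\Démarrage\KAK.HTA",
    r"C:\WINDOWS\kak.hta",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_PATHS):
        print("KakWorm indicator:", finding)
```

On a live machine the registry text would come from `regedit /e` (or `reg export`) and the path list from a directory walk of the Start Menu folders; the checks are deliberately case-insensitive because the worm's file and value names appear in mixed case in the write-up.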

