Greetings, acid-jazz@ucsd.edu
I thought you would be interested in knowing about this computer virus...
Virus Name: JS/Kak@M
Virus Characteristics:
<B><A
href="http://download.nai.com/products/mcafee-avert/JsKak.htm">In-depth
details of JS/Kak@M</A></B></P>
This worm was first discovered by AVERT in October 1999 and added
detection for it within 4051 DAT updates. Virus Patrol, a newsgroup
scanning program from NAI, continues to identify occurrences of this
Internet worm in newsgroup postings which is an indication that worm is
continuing to spread. AVERT recommends <B>adding ".HT?"</B> to file
extensions scanned for protection, and also ensure users have <B>installed
the security patch from Microsoft mentioned below</B>.
nother dangerous aspect of this Internet worm is the ability to
continuously re-infect yourself if the <B>preview pane is enabled</B> and
you browse between folders specifically the "sent" folder which happens to
contain the Internet worm within a message. This is another strong reason
to <B>update to the security patch</B>, if not already.*
his is an Internet worm which uses JavaScript and an ActiveX control,
called "Scriptlet Typelib", to propagate itself through email using MS
Outlook Express. This worm consists of 3 components, an HTA file (HTML
Application), a REG file (Registration Entries Update) and a BAT file
(MS-DOS Batch).
hen an e-mail or newsgroup message infected by this worm is opened by a
reader which supports Javascript in HTML, the script checks to see if MS
Internet Explorer 5 or higher is installed. If it is, using an ActiveX
exploit known as "Scriptlet TypeLib", the script writes the KAK.HTA file
to the Startup folder of the local machine. This will launch the code
embedded in the HTA file at the next Windows startup. Microsoft has
published a security update which addresses this ActiveX exploit and users
are encouraged to update their systems with this component. With this
update installed, users are questioned if they wish to run the ActiveX
control which "might be unsafe".
or more details on this vulnerability and to obtain a patch from
Microsoft, <B>see this link</B>:<BR><A
href="http://www.microsoft.com/security/bulletins/ms99-032.asp">Microsoft
Security Bulletin</A>
or current security bulletins from Microsoft, see this link:<BR><A
href="http://www.microsoft.com/security/bulletins/current.asp">Current
Bulletins</A>.
mail messages written in HTML format will be coded with the Internet worm
on infected systems due to the default signature modification on infected
systems. The email application Outlook is a target of this Internet worm
for propagation due to its support for HTML format messages. If an email
message is coded with the worm code and it is allowed to run, files are
written to the local machine in different locations-
:\windows\kak.htm<BR>c:\windows\system\(name).hta
ak.hta is written to either folder:<BR>French Windows<BR>c:\windows\Menu
D&amp;amp;amp;amp;amp;amp;#233marrer\Programmes\D&amp;amp;amp;amp;
amp;amp;#233marrage\
nglish Windows<BR>c:\windows\Start Menu\Programs\StartUp\
n the above list, "(name)" is a seemingly random 8 character name (e.g.
98278AE0.HTA) however it is related directly to a registry entry.
his worm first copies the original AUTOEXEC.BAT file to AE.KAK. Then the
AUTOEXEC.BAT file is modified to overwrite the file KAK.HTA and then
delete it from the StartUp folder. The system registry is also modified
when the script executes a shell registry update using regedit and the REG
file written to the local system. The registry modification is this-
KLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<BR>cAg0u =
"C:\WINDOWS\SYSTEM\(name).hta"
he entry "(name)" is an 8 character name (e.g. 98278AE0.HTA).
he email spreading method is possible by a registry modification which
adds a signature to MS Outlook. The signature is set to include the file
"C:\WINDOWS\kak.htm" and is set as the default signature such that the
worm is spread on all outgoing email if the signature is included.
inally this worm also has a payload which is date activated.
n the 1st of the month, and beginning from 6PM local time, a message is
displayed:
Kagou-Anti-Kro$oft says not today!"
To check your system for this virus, and to learn how to protect yourself
from computer viruses, visit the McAfee PC Clinic at
http://clinic.mcafee.com.
This email was sent to you by Jeroen van der Ent
This archive was generated by hypermail 2b30 : Sat Dec 02 2000 - 16:15:53 CET