Computer Virus Alert!

From: jvdent@xs4all.nl
Date: Sat Dec 02 2000 - 15:59:58 CET


    Greetings, acid-jazz@ucsd.edu

    I thought you would be interested in knowing about this computer virus...

    Virus Name: JS/Kak@M

    Virus Characteristics:
    In-depth details of JS/Kak@M:
    http://download.nai.com/products/mcafee-avert/JsKak.htm
    This worm was first discovered by AVERT in October 1999 and added
    detection for it within 4051 DAT updates. Virus Patrol, a newsgroup
    scanning program from NAI, continues to identify occurrences of this
    Internet worm in newsgroup postings, which is an indication that the worm
    is continuing to spread. AVERT recommends adding ".HT?" to the file
    extensions scanned for protection, and also ensuring users have installed
    the security patch from Microsoft mentioned below.
    Another dangerous aspect of this Internet worm is the ability to
    continuously re-infect yourself if the preview pane is enabled and
    you browse between folders, specifically the "sent" folder, which happens to
    contain the Internet worm within a message. This is another strong reason
    to update to the security patch, if not already.*
    This is an Internet worm which uses JavaScript and an ActiveX control,
    called "Scriptlet Typelib", to propagate itself through email using MS
    Outlook Express. This worm consists of 3 components, an HTA file (HTML
    Application), a REG file (Registration Entries Update) and a BAT file
    (MS-DOS Batch).
    When an e-mail or newsgroup message infected by this worm is opened by a
    reader which supports JavaScript in HTML, the script checks to see if MS
    Internet Explorer 5 or higher is installed. If it is, using an ActiveX
    exploit known as "Scriptlet TypeLib", the script writes the KAK.HTA file
    to the Startup folder of the local machine. This will launch the code
    embedded in the HTA file at the next Windows startup. Microsoft has
    published a security update which addresses this ActiveX exploit and users
    are encouraged to update their systems with this component. With this
    update installed, users are questioned if they wish to run the ActiveX
    control which "might be unsafe".
    For more details on this vulnerability and to obtain a patch from
    Microsoft, see this link:
    Microsoft Security Bulletin: http://www.microsoft.com/security/bulletins/ms99-032.asp
    For current security bulletins from Microsoft, see this link:
    Current Bulletins: http://www.microsoft.com/security/bulletins/current.asp
    Email messages written in HTML format will be coded with the Internet worm
    on infected systems due to the default signature modification on infected
    systems. The email application Outlook is a target of this Internet worm
    for propagation due to its support for HTML format messages. If an email
    message is coded with the worm code and it is allowed to run, files are
    written to the local machine in different locations:
    c:\windows\kak.htm
    c:\windows\system\(name).hta
    kak.hta is written to either folder:
    French Windows: c:\windows\Menu Démarrer\Programmes\Démarrage\
    English Windows: c:\windows\Start Menu\Programs\StartUp\
    In the above list, "(name)" is a seemingly random 8 character name (e.g.
    98278AE0.HTA); however, it is related directly to a registry entry.
    This worm first copies the original AUTOEXEC.BAT file to AE.KAK. Then the
    AUTOEXEC.BAT file is modified to overwrite the file KAK.HTA and then
    delete it from the StartUp folder. The system registry is also modified
    when the script executes a shell registry update using regedit and the REG
    file written to the local system. The registry modification is this:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    cAg0u = "C:\WINDOWS\SYSTEM\(name).hta"
    The entry "(name)" is an 8 character name (e.g. 98278AE0.HTA).
    The email spreading method is possible by a registry modification which
    adds a signature to MS Outlook. The signature is set to include the file
    "C:\WINDOWS\kak.htm" and is set as the default signature such that the
    worm is spread on all outgoing email if the signature is included.
    Finally, this worm also has a payload which is date activated.
    On the 1st of the month, and beginning from 6PM local time, a message is
    displayed:
    "Kagou-Anti-Kro$oft says not today!"

    To check your system for this virus, and to learn how to protect yourself
    from computer viruses, visit the McAfee PC Clinic at
    http://clinic.mcafee.com.

    This email was sent to you by Jeroen van der Ent
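    As an added defensive example (not part of the original alert, nor McAfee's or Microsoft's code), the following Python checks evidence collected from a host for the traces the advisory lists: the cAg0u value under the Run key, the dropped kak.htm / kak.hta / AE.KAK files, the 8-character .hta in c:\windows\system or in the StartUp folder, the edited AUTOEXEC.BAT, and a default Outlook signature that pulls in kak.htm. It works on text dumps (a "reg export" of the Run key, a file listing, file contents) so it can be run offline on triage output; the HostArtifacts record, the small .reg parser and the sample evidence are constructed for illustration and are not captures from a real machine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the advisory text. A live host check would read the
# registry and file system directly; here the evidence arrives as text dumps.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "cAg0u"
WORM_FILE_NAMES = {"kak.htm", "kak.hta", "ae.kak"}
# "(name).hta" dropped into c:\windows\system, where (name) is 8 hex-looking chars
SYSTEM_HTA = re.compile(r"\\windows\\system\\[0-9a-f]{8}\.hta$", re.I)
# any .hta inside the English "StartUp" or French "Démarrage" startup folder
STARTUP_HTA = re.compile(r"\\(startup|d.marrage)\\[^\\]+\.hta$", re.I)


@dataclass
class HostArtifacts:
    """Evidence collected from one host (constructed text, not live reads)."""
    reg_export: str             # output of: reg export of the Run key to a .reg file
    file_listing: list[str]     # full paths found under c:\ and the StartUp folder
    autoexec_bat: str           # contents of C:\AUTOEXEC.BAT
    outlook_signature: str      # contents of the default Outlook signature setting/file


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Tiny parser for the [key] / "name"="value" lines of a .reg export.

    Exports double every backslash inside string values, so values are
    unescaped before being returned.
    """
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_kak_indicators(host: HostArtifacts) -> list[str]:
    """Return human-readable findings; an empty list means no trace was found."""
    findings: list[str] = []

    # 1. Persistence: the Run value the REG file adds, or any Run value that
    #    launches an 8-character .hta from the system folder.
    run_values = parse_reg_export(host.reg_export).get(RUN_KEY, {})
    for name, value in run_values.items():
        if name == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} present -> {value}")
        elif SYSTEM_HTA.search(value):
            findings.append(f"Run value {name!r} launches an HTA from the system folder -> {value}")

    # 2. Dropped files: kak.htm / kak.hta / the AUTOEXEC.BAT backup AE.KAK,
    #    the system-folder HTA, or any HTA in a startup folder.
    for path in host.file_listing:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in WORM_FILE_NAMES or SYSTEM_HTA.search(path) or STARTUP_HTA.search(path):
            findings.append(f"suspicious file: {path}")

    # 3. AUTOEXEC.BAT tampering: the worm rewrites it to overwrite and delete kak.hta.
    for line in host.autoexec_bat.splitlines():
        if "kak" in line.lower():
            findings.append(f"AUTOEXEC.BAT references worm file: {line.strip()}")

    # 4. Spreading vector: the default signature pulling in kak.htm.
    if "kak.htm" in host.outlook_signature.lower():
        findings.append("default Outlook signature references kak.htm")

    return findings


# Constructed sample evidence resembling an infected Windows 98 host.
INFECTED = HostArtifacts(
    reg_export=(
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
        '"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"\n'
        '"cAg0u"="C:\\\\WINDOWS\\\\SYSTEM\\\\98278AE0.hta"\n'
    ),
    file_listing=[
        "C:\\WINDOWS\\kak.htm",
        "C:\\WINDOWS\\SYSTEM\\98278AE0.hta",
        "C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\kak.hta",
        "C:\\AE.KAK",
        "C:\\WINDOWS\\win.ini",
    ],
    autoexec_bat=(
        "@echo off\n"
        "@echo.>c:\\windows\\startm~1\\programs\\startup\\kak.hta\n"
        "del c:\\windows\\startm~1\\programs\\startup\\kak.hta\n"
    ),
    outlook_signature="C:\\WINDOWS\\kak.htm",
)

# Constructed sample evidence from a clean host with the same layout.
CLEAN = HostArtifacts(
    reg_export=(
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
        '"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"\n'
    ),
    file_listing=["C:\\WINDOWS\\win.ini", "C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\Office Startup.lnk"],
    autoexec_bat="@echo off\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n",
    outlook_signature="",
)

if __name__ == "__main__":
    for label, host in (("infected", INFECTED), ("clean", CLEAN)):
        print(f"{label}: {len(find_kak_indicators(host))} finding(s)")
        for finding in find_kak_indicators(host):
            print("  -", finding)
```

    The per-file and per-line checks are deliberately independent of each other, so a host where the batch file has already run (kak.hta deleted from StartUp) still shows the Run value, the system-folder HTA and the AE.KAK backup; on a real triage the same four categories would be fed from the live registry and disk rather than from the constructed strings above.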



    This archive was generated by hypermail 2b30 : Sat Dec 02 2000 - 16:15:53 CET