Virus (online quoting from stl files)

From: Jim Vander Linden (jimvl@encortech.com)
Date: Wed May 03 2000 - 23:10:28 EEST


Online Quoting from stl files..........RP Solutions

This is the message that I received back from our IS Group.

http://www.cai.com/virusinfo/virusalert.htm#wscript

Wscript.Kak.A (Also known as Kak.worm)

This is only the second time this type of virus has been seen in the wild.
Basically, it used to be an Anti-Virus golden rule that you were safe to open
Email as you could only be infected by opening the attachment. BubbleBoy,
and now Wscript.Kak, have changed this as they are able to infect some PCs
without the user opening the E-mail attachment.

Wscript.Kak is the second family of viruses to exploit a weakness in
Internet Explorer 5.0 when it is installed onto a machine that is running
Windows98. Those PCs that have Internet Explorer security settings set to
medium or low can be automatically infected when the E-mail message is read.

When the message is opened, Wscript.Kak will store a copy of its worm code
in the Windows startup directory in a file called "Kak.HTA". The worm will
also write part of the worm code to a file called "Kak.HTM" in the system
directory and create the following registry key to ensure that it will be
automatically loaded every time the PC is restarted.

The registry key is:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu"

Once the worm is installed it will search to see if the user has set up
different identities that can be used under Outlook Express 5.0. If they are
found the worm will begin attaching a copy of itself to ALL the E-mails that
are sent out by the user.

Payload: When the worm is activated, it checks the system date and will
display the following message at 5 PM on the first of any month.

"Kagou-Anti-Kro$oft says not today !"

The worm then attempts to shut down Windows.
There are no deliberately destructive payloads in this virus.

Jim Vander Linden
RP Coordinator
Encor Technologies, Inc
1339 Continental Dr.
Eau Claire, WI 54701
715.834.6800 Phone
715.834.7809 Fax
jvanderlinden@encortech.com

For more information about the rp-ml, see http://ltk.hut.fi/rp-ml/
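
Added example, not part of the original message or of the advisory it quotes: a Python check that looks for the three artifacts the advisory names (the files "Kak.HTA" and "Kak.HTM" and the Run entry "cAgOu") in a mounted disk image and in a regedit text export. The directory layout, the sample export, the placeholder value data and the function names are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators named in the advisory above; matching is case-insensitive.
FILE_NAMES = {"kak.hta", "kak.htm"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "cagou"

def find_dropped_files(root):
    """Walk a mounted volume or extracted image and return matching paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() in FILE_NAMES]
    return sorted(hits)

def find_run_entry(reg_text):
    """Return the data of the cAgOu value under the Run key in a regedit export, else None."""
    section = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == RUN_KEY:
            m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
            if m and m.group(1).lower() == RUN_VALUE:
                return m.group(2)
    return None

# Constructed sample export; the value data is a placeholder, not real worm content.
SAMPLE_REG = "\n".join([
    "REGEDIT4", "",
    r"[HKEY_LOCAL_MACHINE\Software\Example]",
    '"cAgOu"="outside the Run key, ignored"', "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
    '"SystemTray"="SysTray.Exe"',
    '"cAgOu"="<placeholder>"',
])

def demo():
    """Build a constructed directory tree, then run both checks against it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("startup/KAK.HTA", "system/kak.htm", "system/readme.txt"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        files = [os.path.relpath(p, root).replace(os.sep, "/") for p in find_dropped_files(root)]
    return {"files": files, "run_entry": find_run_entry(SAMPLE_REG)}

if __name__ == "__main__":
    print(demo())
```

A hit on any one of the three is enough to treat the machine as infected and to clean up all three locations together, since the Run entry reloads the worm at every restart.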


