
[infoguys-list] Re: VIRUS BEING SENTVIA THIS ...

  • Neal B. Custer
    Message 1 of 3 , Mar 17 7:20 AM
      I have been monitoring the discussion about a virus or worm in the
      "infoguys-list" group. I had no reason to believe that I had picked it up,
      but just for grins I checked in my Startup. I found a file "kak.hta". Is
      this what you have been talking about? What is it and what will it or has it
      done to my computer or files? How did I get it and who did I get it from?
      Is it just a matter of erasing it? I would appreciate any guidance you can
      offer. Thanks
    • Mike Coffey, Coffey Consulting
      Message 2 of 3 , Mar 17 7:35 AM
        Following is the information from Symantec regarding the "kak.hta" problem.
        Please note that if one is using an un-updated version of MS Outlook
        Express, one can get the virus simply by reading the message.

        I highly recommend that everyone update their virus definitions at least
        once a week (I update mine overnight on a daily basis).

        The source of this information is:
        http://www.symantec.com/region/uk/avcenter/venc/wscript_kakworm.html

        Regards,
        --COFFEY

        Wscript.KakWorm
        Detected as: Wscript.KakWorm
        Aliases: VBS.Kak.Worm, Kagou-Anti-Krosoft
        Infection Length: 4116 bytes
        Likelihood: Rare
        Detected on: Dec 27, 1999
        Region Reported: Europe
        Characteristics: 1st of any month at 5pm

        Description

        VBS.KakWorm is a worm, which spreads using Microsoft Outlook Express. The
        worm attaches itself to all outgoing messages via the Signature feature of
        Outlook Express. Signatures allow one to automatically append information at
        the end of all outgoing messages.

        The worm utilizes a known Microsoft Outlook Express security hole so that a
        viral file is created on the system without having to run any attachment.
        Simply reading the received email message will cause the virus to be placed
        on the system.

        Microsoft has patched this security hole already. If you have a patched
        version of Outlook Express, this worm will not affect you.

        Technical Description

        The worm appends itself to the end of legitimate outgoing messages as a
        signature. When receiving the message, the worm will automatically insert a
        copy of itself into the appropriate StartUp directory of the Windows
        operating system for both English and French language versions. The file
        created is named KAK.HTA.

        HTA files are executed by current versions of Microsoft Internet Explorer or
        Netscape Navigator.

        The system must be rebooted for this file to be executed. Once executed, the
        worm modifies the registry key:

        HKCU/Identities/<Identity>/Software/Microsoft/Outlook/Express/5.0/signatures

        in order to add its own signature file, which is the infected KAK.HTA file.
        This causes all outgoing mail to be appended by the worm.

        In addition, the registry key:

        HKLM/Software/Microsoft/Windows/CurrentVersion/Run/cAgOu

        is added which causes the worm to be executed each time the computer is
        restarted.

        Finally, if it is the first of the month and the hour is 17 (5:00pm), the
        following message is displayed:

        Kagou-Anti-Kro$oft says not today!

        and Windows is sent the message to shut down.

        There is no other malicious payload.




        Write-up by: Eric Chien
        Dec 30, 1999


        -----Original Message-----
        From: Neal B. Custer [mailto:custer@...]
        Sent: Friday, March 17, 2000 9:21 AM
        To: infoguys-list@egroups.com
        Subject: [infoguys-list] Re: VIRUS BEING SENTVIA THIS ...


        I have been monitoring the discussion about a virus or worm in the
        "infoguys-list" group. I had no reason to believe that I had picked it up,
        but just for grins I checked in my Startup. I found a file "kak.hta". Is
        this what you have been talking about? What is it and what will it or has it
        done to my computer or files? How did I get it and who did I get it from?
        Is it just a matter of erasing it? I would appreciate any guidance you can
        offer. Thanks
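
A check for the three traces the Symantec write-up quoted above names (KAK.HTA in the StartUp directory, the cAgOu value under the Run key, and an Outlook Express signature entry pointing at KAK.HTA), as an added example that is not part of the original thread or of Symantec's write-up. It assumes a regedit text export as input; the sample export, the Startup listing, the signature subkey layout and all value data are constructed for illustration.

```python
import ntpath
import re

# Constructed sample data (not taken from a real machine): a regedit text
# export and a Startup folder listing. Value data are placeholders.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\SYSTEM\\placeholder.hta"

[HKEY_CURRENT_USER\Identities\{EXAMPLE-GUID}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"file"="C:\\WINDOWS\\kak.hta"
'''
SAMPLE_STARTUP = [r"C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta",
                  r"C:\WINDOWS\Start Menu\Programs\StartUp\Office.lnk"]

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def parse_reg(text):
    """Parse a regedit text export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # String data: drop the quotes, undo \\ and \" escaping.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[m.group(1)] = data
    return keys

def find_kak_indicators(reg_text, startup_files):
    """Return (indicator, evidence) pairs for the three traces in the write-up."""
    hits = [("startup_file", p) for p in startup_files
            if ntpath.basename(p).lower() == "kak.hta"]
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k == RUN_KEY:
            hits += [("run_value", n) for n in values if n.lower() == "cagou"]
        if (k.startswith("hkey_current_user\\identities\\")
                and "signatures" in k.split("\\")):
            hits += [("oe_signature", d) for d in values.values()
                     if ntpath.basename(d).lower() == "kak.hta"]
    return hits
```

Key and value names are compared case-insensitively because the registry treats them that way, so a value written as `CAGOU` is still reported.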



      • Laura Wallace
        Message 3 of 3 , Mar 17 10:06 AM
          Neil, you need to go to Symantec.com and check out the AntiVirus Research
          Center. Look for Wscript.KakWorm and print it out. Do what it tells you to
          do to remove it.... Download from Microsoft a new patch for your Outlook
          Express and don't restart your computer until you do it all.
          I would be more than happy to help anyone with this...Call me
          941-366-8674 Laura Wallace
          I spent all day with this yesterday. Please everyone check your Start up to
          see if this is in your system. It is being constantly passed around through
          the group and you can get it by just reading your mail, not opening an
          attachment. It states that at the Research Center.

          ----- Original Message -----
          From: Neal B. Custer <custer@...>
          To: <infoguys-list@egroups.com>
          Sent: Friday, March 17, 2000 10:20 AM
          Subject: [infoguys-list] Re: VIRUS BEING SENTVIA THIS ...


          > I have been monitoring the discussion about a virus or worm in the
          > "infoguys-list" group. I had no reason to believe that I had picked it up,
          > but just for grins I checked in my Startup. I found a file "kak.hta". Is
          > this what you have been talking about? What is it and what will it or has it
          > done to my computer or files? How did I get it and who did I get it from?
          > Is it just a matter of erasing it? I would appreciate any guidance you can
          > offer. Thanks