WORM ALERT!!!

From: Pamela Tom (pdtom@ucdavis.edu)
Date: Sat Apr 15 2000 - 10:05:38 PDT


    To: Seafood Mailing List
    Fr: Pamela Tom, UC Davis, Sea Grant Extension Program

    This morning I received an error notice informing me that a worm was
    attached to Richard Chiver's 4/15/00 inquiry on "The Sounds Fish Make".
    A worm is CONTAINED IN his MESSAGE. Readers using MS OUTLOOK are
    especially vulnerable to the worm and need to HEED guidelines from McAfee
    (see below).

    Below is information that I obtained via
    http://vil.mcafee.com/dispVirus.asp?virus_k=10509 which explains what the
    worm is and how to remove it.

    Virus Name: WScript/Kak.worm

    Virus Characteristics:
    This worm was first discovered by AVERT in December and added detection
    for it within 4051 DAT updates. Virus Patrol, a newsgroup scanning program
    from NAI, continues to identify occurrences of this Internet worm in
    newsgroup postings, which is an indication that the worm is continuing to
    spread. AVERT recommends adding ".HTA" to file extensions scanned for
    protection, and also ensuring users have installed the security patch from
    Microsoft mentioned below.

    Another dangerous aspect of this Internet worm is the ability to
    continuously re-infect yourself if the preview pane is enabled and you
    browse between folders, specifically the "sent" folder, which happens to
    contain the Internet worm within a message. This is another strong reason
    to update to the security patch, if not already.*

    This is an Internet worm which uses ActiveX and Windows Scripting Host to
    propagate itself through email using MS Outlook. This worm consists of 3
    components, an HTA file (HTML for Applications), a REG file (Registration
    Entries Update) and a BAT file (MS-DOS Batch).

    The method used to integrate these components is to have first composed an
    email message in HTML which supports scripting. Using an ActiveX exploit
    known as "Scriptlet TypeLib", the script writes an HTA file to the local
    machine, typically in the startup folder. This will launch the code
    embedded in the HTA file at the next Windows startup. Microsoft has
    published a security update which addresses this ActiveX exploit and users
    are encouraged to update their systems with this component. With this
    update installed, users are questioned if they wish to run the ActiveX
    control which is marked "safe for scripting".

    For more details on this vulnerability and to obtain a patch from
    Microsoft, see this link: Microsoft Security Bulletin

    For current security bulletins from Microsoft, see this link: Current
    Bulletins.

    Email messages written in HTML format will be coded with the Internet worm
    on infected systems due to the default signature modification on infected
    systems. The email application Outlook is a target of this Internet worm
    for propagation due to its support for HTML format messages. If an email
    message is coded with the WScript/Kak.worm code and it is allowed to run,
    files are written to the local machine in different locations:

    c:\windows\kak.htm
    c:\windows\system\(name).hta
    c:\windows\Menu Démarrer\Programmes\Démarrage\kak.hta
    c:\windows\Start Menu\Programs\StartUp\kak.hta

    In the above list, "(name)" is a random 8 character name (e.g.
    98278AE0.HTA). The path name of "Démarrage" gives us an indication that
    its origin is France with target installations of French Windows 9x
    operating systems; the secondary path targets English installations.

    The AUTOEXEC.BAT file is modified to run the file KAK.HTA and then delete
    it from its folder location. The system registry is also modified when the
    script executes a shell registry update using regedit and the REG file
    written to the local system. The registry modification is this:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    cAg0u = "C:\WINDOWS\SYSTEM\(name).hta"

    The entry "(name)" is a random 8 character name (e.g. 98278AE0.HTA).

    The email spreading method is possible by a registry modification which
    adds a signature to MS Outlook. The signature is set to include the file
    "C:\WINDOWS\kak.htm" and is set as the default signature such that the
    worm is spread on all outgoing email if the signature is included.

    The contents of the HTM file are just a small file which consists of
    script to run the KAK.HTA file which already exists on the target machine.
    The code looks specifically for browser versions IE5 or NetScape Navigator
    higher than v4.0. Finally this worm also has a payload which is date
    activated.

    On the 1st of the month, and beginning from 6PM local time, a message is
    displayed:

    "Kagou-Anti-Kro$oft says not today!"

    --------------------------------------------------------------
    This is the Seafood HACCP Discussion Group. Information is
    available on the web at:
    http://seafood.ucdavis.edu/listserv/Listserv.htm
    For inquiries on subscribing to the list, e-mail: pdtom@ucdavis.edu

    To subscribe, e-mail listproc@ucdavis.edu with the message:
    subscribe seafood [your first name] [your last name]
    To unsubscribe, e-mail listproc@ucdavis.edu with the message:
    unsubscribe seafood

    Files are now archived at:
    http://listproc.ucdavis.edu/archives/seafood/
    --------------------------------------------------------------
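The write-up above lists the host-level artifacts Kak.worm leaves behind (the Run key value, the dropped kak.htm/kak.hta files, the AUTOEXEC.BAT edit). The following is an added example, not part of the original post or of McAfee's material, that checks a registry export, a file listing and an AUTOEXEC.BAT for those indicators; it assumes the standard REGEDIT4 text export format for the registry, and all sample inputs are constructed.

```python
import re

# Indicator values come from the McAfee description quoted above; the
# .reg file layout (REGEDIT4, [key] headers, "name"="value" lines) is assumed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# (name).hta: random 8-character name under C:\WINDOWS\SYSTEM, e.g. 98278AE0.HTA
HTA_RUN_RE = re.compile(r"^c:\\windows\\system\\[0-9a-f]{8}\.hta$", re.I)
# kak.hta dropped into the English or French Windows 9x StartUp folder
STARTUP_RE = re.compile(
    r"^c:\\windows\\(start menu\\programs\\startup|"
    r"menu démarrer\\programmes\\démarrage)\\kak\.hta$", re.I)


def parse_reg_export(text):
    """Minimal parser for REGEDIT4 text exports: {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes inside string data as "\\"
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def kak_indicators(reg_text, file_paths, autoexec_text):
    """Return human-readable findings for every Kak.worm artifact present."""
    found = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if HTA_RUN_RE.match(data):
            found.append(f"Run value {name!r} launches {data}")
    for path in file_paths:
        if path.lower() == r"c:\windows\kak.htm":
            found.append(f"Outlook signature dropper present: {path}")
        if STARTUP_RE.match(path):
            found.append(f"StartUp folder HTA present: {path}")
    for line in autoexec_text.splitlines():
        if "kak.hta" in line.lower():
            found.append(f"AUTOEXEC.BAT references KAK.HTA: {line.strip()}")
    return found


# Constructed sample artifacts modelled on the description above (not real captures).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAg0u"="C:\\WINDOWS\\SYSTEM\\98278AE0.hta"
"""
SAMPLE_FILES = [r"C:\WINDOWS\kak.htm", r"C:\WINDOWS\win.ini",
                r"C:\WINDOWS\Start Menu\Programs\StartUp\kak.hta"]
SAMPLE_AUTOEXEC = "@ECHO OFF\nC:\\WINDOWS\\KAK.HTA\nDEL C:\\WINDOWS\\KAK.HTA\n"

if __name__ == "__main__":
    for finding in kak_indicators(SAMPLE_REG, SAMPLE_FILES, SAMPLE_AUTOEXEC):
        print(finding)
```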



    This archive was generated by hypermail 2b29 : Sat Apr 15 2000 - 10:07:31 PDT