Two New IC's

Orin orin
Thu Apr 20 07:35:11 GMT 2000


This message contained a virus/worm.

See:

http://www.cai.com/virusinfo/virusalert.htm#wscript

Wscript.Kak.A (Also known as Kak.worm) 

  This is only the second time this type of virus has been seen in the wild. Basically, it used to be an Anti-Virus golden rule that you
  were safe to open Email as you could only be infected by opening the attachment. BubbleBoy, and now Wscript.Kak, have changed
  this as they are able to infect some PCs without the user opening the E-mail attachment. 

  Wscript.Kak is the second family of viruses to exploit a weakness in Internet Explorer 5.0 when it is installed onto a machine that is
  running Windows98. Those PCs that have Internet Explorer security settings set to medium or low can be automatically infected when
  the E-mail message is read. 

  When the message is opened, Wscript.Kak will store a copy of its worm code in the Windows startup directory in a file called
  "Kak.HTA". The worm will also write part of the worm code to a file called "Kak.HTM" in the system directory and create the following
  registry key to ensure that it will be automatically loaded every time the PC is restarted. 

  The registry key is: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu" 

  Once the worm is installed it will search to see if the user has set up different identities that can be used under Outlook Express 5.0. If
  they are found the worm will begin attaching a copy of itself to ALL the E-mails that are sent out by the user. 

  Payload: When the worm is activated, it checks the system date and will display the following message at 5 PM on the first of any
  month. 

  "Kagou-Anti-Kro$oft says not today !" 
  The worm then attempts to shut down Windows. 
  There are no deliberately destructive payloads in this virus. 
----------------------------------------------------------------------------
To unsubscribe from diy_efi, send "unsubscribe diy_efi" (without the quotes)
in the body of a message (not the subject) to majordomo at lists.diy-efi.org
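
An added example, not part of the original message or the advisory it quotes: a Python check for the three persistence artifacts named above (Kak.HTA, Kak.HTM and the cAgOu value under the Run key), run over a registry export and a file listing. The export text, the file paths and the value data are constructed samples.

```python
import re

# Indicators taken from the advisory text quoted in the message above.
KAK_FILES = {"kak.hta", "kak.htm"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "cagou"

# Constructed sample input: a REGEDIT4-style export and a file listing.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="<constructed placeholder data>"

[HKEY_LOCAL_MACHINE\Software\Example\Run]
"cAgOu"="<not under the Run key, must be ignored>"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\KAK.HTA",
    r"C:\WINDOWS\SYSTEM\kak.htm",
    r"C:\My Documents\kakadu.htm",
]

def find_run_value(reg_text):
    """Return (key, name, data) for cAgOu values under the HKLM Run key."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1)  # remember which key the values belong to
            continue
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if value and key and key.lower() == RUN_KEY \
                and value.group(1).lower() == RUN_VALUE:
            hits.append((key, value.group(1), value.group(2).strip('"')))
    return hits

def find_kak_files(paths):
    """Return paths whose file name is exactly Kak.HTA or Kak.HTM, any case."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() in KAK_FILES]

def scan(reg_text, paths):
    return {"registry": find_run_value(reg_text), "files": find_kak_files(paths)}

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_REG, SAMPLE_FILES).items():
        for hit in hits:
            print(kind, hit)
```

Matching on the exact file name and the exact key path keeps look-alikes (a similarly named file, the same value name under another key) out of the results.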



