kak.hta virus

Bob Carner rscarner at VT.EDU
Thu Jun 1 08:24:28 EDT 2000


Randal, et al,
        In regard to the large number of viruses that have been written over the last 18 months, notice that almost every one of them depends on the complete Microsoft suite to function properly. For most of them (not ALL, though), the common tie is Outlook and the Visual Basic Script engine.
        Working at a University and administering a number of computers, I see this problem all the time. Our University Email folks are very aggressive towards these viruses and eliminate the bulk of them before they enter the campus environment. But I've found the easiest method to prevent infections is to simply break the Microsoft suite and remove Outlook (and Internet Explorer 5.0). I personally use Eudora and Netscape specifically because of this and COMPLETELY remove Outlook and Internet Explorer (or never install them). I then remove the file associations to several file extensions (VBS, VBE, WSF, WSH, JS and JSE). This prevents infected attachments from 'working' as Windows doesn't know how to execute the attachment. You may receive the virus, but it can do no harm. There is a small program from Cerberus named vf.exe at http://www.cerberus-infosec.co.uk/vf.exe that will remove these extensions from Windows. Takes about 30 seconds to run and the program is free.
        Obviously, if you are working in an integrated office environment that depends upon Outlook or you write software/macros using the Visual Basic Script Engine, this WILL NOT WORK FOR YOU.
        As always, the best protection is a good Anti-Virus package. I use Norton AntiVirus, enable the 'Automatic Update' feature and schedule updates weekly.

ABOUT THE VIRUS...
from http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html
        Virus Description:
Wscript.KakWorm

VBS.KakWorm spreads using Microsoft Outlook Express. It attaches itself to all outgoing messages via the Signature feature of Outlook Express and Internet Explorer newsgroup reader. The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system. Microsoft has patched this security hole. The patch is available from Microsoft's website. If you have a patched version of Outlook Express, this worm will not work automatically.
Also known as: VBS.Kak.Worm, Kagou-Anti-Krosoft
Category: WORM
Infection length: 4116 Bytes


OUTLOOK PATCH INFO (I forgot where I got this info)...
Severe Windows Security Bug and Fix
This bug is quite bad, and has been known since last year. It became more of an issue after somebody figured out you could exploit it to propagate computer infections in the same manner as the ILOVEYOU worm, only with much more destructive results. Any PC running Internet Explorer 5.0 and/or Office 2000 can be attacked with e-mail attachments, even if the recipient does not open said attachments. You don't even have to be using Internet Explorer: just having it installed with default security settings makes you vulnerable. The techies among you can see the horror of the situation. Fortunately, a fix will patch the hole in under five minutes. Make sure all the Windows machines in your care apply the patch immediately. Incidentally, Microsoft has finally responded to this class of e-mail-delivered worms by redesigning how the Outlook e-mail client deals with attachments. PCWorld has the story.

Bug: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Fix: http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
Outlook: http://www.officeupdate.microsoft.com/2000/articles/out2ksecFileTypes.htm
PCWorld: http://www.pcworld.com/pcwtoday/article/0,1510,16721,00.html

<<< end of message >>>

        Thanks for the bandwidth, I know it's off topic but let's not forget that this is an email list and these current viruses are spreading among the uninformed.

        Best regards
        Bob C.

Bob Carner, EE, SysAdmin, and Network Liaison, KG4GBU
Brooks Forest Products Center
Department of Wood Science and Forest Products
Virginia Polytechnic Institute and State University
rscarner at vt.edu (work)
rscarner at usit.net (home)

540 231-7453 (office)
540 231-8868 (fax)

Sponsored by the City of Tempe 

Listserver Submissions:  heath at listserv.tempe.gov
Listserver Subscription: listserv at listserv.tempe.gov - "subscribe heath 'name' 'call'"
Listserver Unsubscribe: listserv at listserv.tempe.gov - "signoff heath"
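
An added example, not part of the original message and not the vf.exe tool it mentions: a read-only PowerShell audit that checks whether the six extensions named in the message are still associated with a handler on a Windows machine. The function name `Get-ScriptAssociation` and the status labels are made up for this example, and it assumes the handler is registered under the ProgID's `shell\open\command` key.

```powershell
# Read-only audit: which script extensions still launch Windows Script Host?
# Extension list taken from the message above.
$extensions = '.vbs', '.vbe', '.wsf', '.wsh', '.js', '.jse'

function Get-ScriptAssociation {
    param([Parameter(Mandatory)][string]$Extension)

    $root    = 'Registry::HKEY_CLASSES_ROOT'
    $progId  = $null
    $command = $null

    # Step 1: the extension key's default value names a ProgID (e.g. VBSFile).
    $extKey = "$root\$Extension"
    if (Test-Path -LiteralPath $extKey) {
        $progId = (Get-Item -LiteralPath $extKey).GetValue('')
    }

    # Step 2: the ProgID's open verb holds the command line that runs the file.
    # Assumption: the handler lives under shell\open\command; other verbs and
    # per-user Explorer overrides are not inspected here.
    if ($progId) {
        $cmdKey = "$root\$progId\shell\open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $command = (Get-Item -LiteralPath $cmdKey).GetValue('')
        }
    }

    # Classify: no handler at all, the script host, or something else.
    $status = if (-not $command) {
        'NoHandler'
    } elseif ($command -match '\b(wscript|cscript)(\.exe)?\b') {
        'RunsInScriptHost'
    } else {
        'OtherHandler'
    }

    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $command
        Status    = $status
    }
}

$report = $extensions | ForEach-Object { Get-ScriptAssociation -Extension $_ }
$report | Format-Table -AutoSize -Wrap

# Non-zero exit lets a login script or inventory job flag the machine.
if ($report.Status -contains 'RunsInScriptHost') { exit 1 }
```

A row reported as `NoHandler` matches the state the message describes, where Windows does not know how to execute the attachment.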