GAMBIA-L Archives

The Gambia and Related Issues Mailing List

GAMBIA-L@LISTSERV.ICORS.ORG

Subject:
From: Alieu Bah <[log in to unmask]>
Reply To: The Gambia and related-issues mailing list <[log in to unmask]>
Date: Thu, 30 Mar 2000 12:05:24 GMT
Content-Type: text/plain

F-Secure Corporation, a leading provider of centrally-managed, widely
distributed security solutions, is warning computer users about two new
e-mail worms that are currently spreading rapidly in several locations
around the world. The Irok and Kak worms both spread via e-mail as
electronic chain letters, much like the infamous Melissa virus did exactly
one year ago. F-Secure Anti-Virus will protect users against these new
threats.

Technically, the Irok and Kak worms operate in very different ways, but both
spread via Microsoft Outlook e-mail and are very widespread right now.
The biggest difference to the end user is that Irok arrives in an
attachment called IROK.EXE while Kak arrives in a normal e-mail which
apparently has no attachment at all.

Both worms are only a threat to Microsoft Windows users and both worms only
spread further via the Microsoft Outlook e-mail application.

The Irok worm spreads as a 10001-byte sized program called IROK.EXE. It
works under Microsoft Windows 95, 98, NT and 2000. It replicates further via
e-mail if Microsoft Outlook is available. It does not work with Outlook
Express.

When IROK.EXE is executed, the worm modifies the system so that the next
time the machine is started, the worm will send an e-mail message to 60
e-mail addresses found in Outlook's address books. These addresses can be
addresses of individual people or group addresses (such as mailing lists).

The message that the worm spreads itself with looks as follows:

  From: (name of the infected user)
  To: (random e-mail address from address book)
  Subject: I thought you might like to see this.

  Text: I thought you might like this. I got it from paramount pictures
website. It's a startrek screen saver.

  Attachment: IROK.EXE

The virus also tries to locate the mIRC chat client and will attempt to
modify it to spread the virus further via chat channels, and it infects COM
and EXE program files found on the local hard drive.

Eventually, the virus will display a long message on the screen and will try
to overwrite files on the hard drive.

The Kak worm is written in JavaScript. It works under English and French
versions of Windows 95/98; it does not work under Windows NT or Windows
2000. Kak replicates further via e-mail only if Outlook Express 5.0 is
installed - it does not work with normal Microsoft Outlook.

The worm uses a known security vulnerability in Outlook Express to execute
automatically when e-mail is viewed. Once the user receives an infected
email message, and opens or views the message in the preview pane, the worm
modifies the system in such a way that the next time the machine is started,
the standard e-mail signature of the user is replaced with an HTML file
infected by the virus.

As a result, every e-mail message after that will contain the worm and will
infect the recipient's machine as soon as it is opened in Outlook Express.

The Kak worm activates on the first day of each month if the machine is
restarted after 5 pm. At this time the virus will show this message:

    Kagou-Anit-Kro$oft say not today!

After this, the worm will shut down Windows, but no permanent damage is
done.

The Outlook Express security hole exploited by this worm can be closed by
disabling "Active Scripting" in Outlook Express Preferences. Microsoft
[NASDAQ: MSFT] has also done an update to fix this problem. The update has
been available since August 1999.

"It is disturbing to see that virus writers continue to harass innocent
bystanders with their creations," says Mikko Hypponen, Manager of Anti-Virus
Research at F-Secure Corporation. "The virus writers have absolutely nothing
to gain and everything to lose by writing these things.
Obviously they learnt nothing from what happened to the author of Melissa."

Mr. David L. Smith, the alleged author of the Melissa e-mail worm that went
around the world a year ago (on March 28, 1999), has pleaded guilty to a
second-degree charge of computer theft in December 1999 in New Jersey
Superior Court. He faces a five to ten year prison term and up to a $150,000
fine.

Both Irok and Kak worms can be stopped with up-to-date anti-virus software.
F-Secure Corporation has added detection of these worms to the latest
version of F-Secure Anti-Virus.

Warn you!

Alieu

----------------------------------------------------------------------------

To unsubscribe/subscribe or view archives of postings, go to the Gambia-L
Web interface at: http://maelstrom.stjohns.edu/archives/gambia-l.html

----------------------------------------------------------------------------
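
As an added example (not part of the original post or of F-Secure's advisory), a mail-gateway style check in Python that flags the Irok indicators named in the message above (subject line, IROK.EXE attachment, 10001-byte size) and, as a generic heuristic rather than a Kak signature, script inside an HTML body. The function names, finding labels and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text; everything else is an assumption.
IROK_ATTACHMENT = "irok.exe"
IROK_SIZE = 10001
IROK_SUBJECT = "i thought you might like to see this."

def scan_message(raw):
    """Return a list of finding labels for one raw e-mail message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name:
            has_attachment = True
        if name == IROK_ATTACHMENT:
            exact = len(payload) == IROK_SIZE
            findings.append("irok-attachment-size-match" if exact else "irok-attachment")
        elif name.endswith(".exe"):
            findings.append("executable-attachment")
        # Heuristic: an inline HTML body carrying script needs no attachment at all.
        if part.get_content_type() == "text/html" and not name:
            if "<script" in payload.decode("latin-1").lower():
                findings.append("script-in-html-body")
    subject = (msg["Subject"] or "").strip().lower()
    if subject == IROK_SUBJECT and has_attachment:
        findings.append("irok-subject")
    return findings

def build_samples():
    """Constructed, inert sample messages (no real worm content)."""
    irok = EmailMessage()
    irok["Subject"] = "I thought you might like to see this."
    irok.set_content("I thought you might like this.")
    irok.add_attachment(b"\x00" * IROK_SIZE, maintype="application",
                        subtype="octet-stream", filename="IROK.EXE")
    kak_style = EmailMessage()
    kak_style["Subject"] = "hello"
    kak_style.set_content("hello")
    kak_style.add_alternative("<html><body>hi<script>/* inert */</script></body></html>",
                              subtype="html")
    clean = EmailMessage()
    clean["Subject"] = "meeting notes"
    clean.set_content("See you on Friday.")
    return {k: m.as_bytes() for k, m in
            {"irok": irok, "kak_style": kak_style, "clean": clean}.items()}
```
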
