New version of KAKWORM
Posted by
wanliker@a...
on 2000-08-16 21:25:14 UTC
The following is a quote from "Symantec AntiVirus Research Centre "
bill
<<
There is a new variant of WScript.Kakworm circulating, variant .B, Doug
Knowles from SARC USA has given us this quick reference detailing the main
differences between the original Kakworm and this variant. Both utilize a
known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that
a viral file is created on the system without having to run any
attachment.
WScript.Kakworm.B WScript.Kakworm
1- Drops a file called day.hta 1- Drops a file called kak.hta
2- adds registry key: 2- adds registry key:
HKLM/Software/Microsoft/Windows/ HKLM/Software/Microsoft/Windows/
CurrentVersion/Run/cDays CurrentVersion/Run/cAgOu
3- Triggers message any time on the 3- Triggers message any time on
eleventh day of the month after the first day of the month after
4pm 5pm
4- Message text is "Days It was a 4- Message text is "Kagou-Anti-
day to be a days!" Kro$oft says not today!"
bill
<<
There is a new variant of WScript.Kakworm circulating, variant .B, Doug
Knowles from SARC USA has given us this quick reference detailing the main
differences between the original Kakworm and this variant. Both utilize a
known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that
a viral file is created on the system without having to run any
attachment.
WScript.Kakworm.B WScript.Kakworm
1- Drops a file called day.hta 1- Drops a file called kak.hta
2- adds registry key: 2- adds registry key:
HKLM/Software/Microsoft/Windows/ HKLM/Software/Microsoft/Windows/
CurrentVersion/Run/cDays CurrentVersion/Run/cAgOu
3- Triggers message any time on the 3- Triggers message any time on
eleventh day of the month after the first day of the month after
4pm 5pm
4- Message text is "Days It was a 4- Message text is "Kagou-Anti-
day to be a days!" Kro$oft says not today!"
>>